In the ever-evolving landscape of cybersecurity, hackers are continually refining their tactics to evade detection by endpoint detection and response (EDR) systems and antivirus software. One prevalent strategy involves disabling endpoint protection mechanisms, with the notorious Bring Your Own Vulnerable Driver (BYOVD) attacks being a common method. However, a new trend is emerging: cybercriminals are increasingly utilizing Linux malware to infiltrate Windows systems.
Recent investigations by information security provider Bitdefender, in collaboration with the Georgia Computer Emergency Response Center (CERT-GE), have shed light on a sophisticated attack campaign orchestrated by the Russian hacker group Curly COMrades. This group has been exploiting the Hyper-V virtualization platform on Windows 10 systems to create covert access channels, allowing for long-term infiltration.
Lightweight Virtual Machines Enable Stealthy Attacks
The attackers have chosen Alpine Linux for their virtual machines, which is notably resource-efficient. These virtual machines require only 120 MB of disk space and a mere 256 MB of RAM to function, making it exceedingly challenging for victims to detect any irregularities. Bitdefender’s researchers advocate for EDR solutions to incorporate host-based network detection mechanisms to identify command and control (C2) traffic that may be escaping from these virtual machines. Proper hardening of native system components is also essential to counteract such abuses.
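One way to implement the host-based network detection the researchers recommend is to compare the flows a network sensor sees leaving the host with the process-level connection events the host itself recorded: traffic that the host translated on behalf of a NAT'd virtual machine has no owning process, so it shows up as a flow with no host-side match. The script below is an added example written for this article, not code from Bitdefender or from the report; the flow records, host events, field names and the 10-second clock tolerance are all constructed assumptions.

```powershell
# Added example (not from the Bitdefender report): flag network flows for which the
# host recorded no owning process. Such "orphan" flows are candidates for traffic that
# originated inside a NAT'd Hyper-V guest. All records below are constructed sample data.

# Flows a network sensor observed for host 10.0.5.21 (constructed).
$flows = @(
    [pscustomobject]@{ Time = '2024-07-10T09:00:01Z'; SrcIp = '10.0.5.21'; DstIp = '40.90.1.10';   DstPort = 443; Bytes = 18233 }
    [pscustomobject]@{ Time = '2024-07-10T09:00:05Z'; SrcIp = '10.0.5.21'; DstIp = '203.0.113.77'; DstPort = 443; Bytes = 4096  }
    [pscustomobject]@{ Time = '2024-07-10T09:01:20Z'; SrcIp = '10.0.5.21'; DstIp = '203.0.113.77'; DstPort = 443; Bytes = 5120  }
    [pscustomobject]@{ Time = '2024-07-10T09:02:00Z'; SrcIp = '10.0.5.21'; DstIp = '52.96.2.3';    DstPort = 443; Bytes = 9000  }
)

# Process-level connection events the host recorded, e.g. exported from EDR or
# Sysmon network-connection telemetry (constructed; field names are assumptions).
$hostEvents = @(
    [pscustomobject]@{ Time = '2024-07-10T09:00:00Z'; Image = 'C:\Program Files\Mozilla Firefox\firefox.exe'; DstIp = '40.90.1.10'; DstPort = 443 }
    [pscustomobject]@{ Time = '2024-07-10T09:01:58Z'; Image = 'C:\Windows\System32\svchost.exe';              DstIp = '52.96.2.3';  DstPort = 443 }
)

function Find-OrphanFlows {
    param(
        [Parameter(Mandatory)] [object[]] $Flows,
        [Parameter(Mandatory)] [object[]] $HostEvents,
        [int] $WindowSeconds = 10   # assumed tolerance between sensor and host clocks
    )
    foreach ($f in $Flows) {
        $fTime = [datetimeoffset]::Parse($f.Time).UtcDateTime
        # A host event "explains" a flow when destination and port agree and the
        # timestamps fall within the tolerance window.
        $match = $HostEvents | Where-Object {
            $_.DstIp -eq $f.DstIp -and $_.DstPort -eq $f.DstPort -and
            [math]::Abs(([datetimeoffset]::Parse($_.Time).UtcDateTime - $fTime).TotalSeconds) -le $WindowSeconds
        }
        if (-not $match) {
            [pscustomobject]@{
                Time    = $f.Time
                DstIp   = $f.DstIp
                DstPort = $f.DstPort
                Bytes   = $f.Bytes
                Reason  = 'no host process owns this connection; possible NAT-forwarded VM traffic'
            }
        }
    }
}

# Group orphan flows by destination: a beaconing C2 channel appears as repeated
# connections to one endpoint that no process on the host accounts for.
Find-OrphanFlows -Flows $flows -HostEvents $hostEvents |
    Group-Object DstIp, DstPort |
    Select-Object @{ n = 'Destination'; e = { $_.Name } },
                  Count,
                  @{ n = 'TotalBytes'; e = { ($_.Group | Measure-Object Bytes -Sum).Sum } } |
    Format-Table -AutoSize
```

With the constructed data, the two flows to 203.0.113.77:443 are reported (no host process matches them) while the Firefox and svchost connections are explained and dropped. In production the host events would come from the EDR's own telemetry and the flows from a firewall or flow collector; the tolerance window should be tuned to the real clock skew between the two sources.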
Throughout their campaign, the hackers employed a variety of tools to maintain persistent access via reverse proxy servers. Notable among these tools were Resocks, Rsockstun, Ligolo-ng, CCProxy, Stunnel, and various SSH-based connection methods.
Attack Timeline and Techniques
Bitdefender’s observations revealed that the initial activities of the hackers began in early July 2024. During this period, they executed remote commands to activate Hyper-V on compromised Windows computers using the Deployment Image Servicing and Management (DISM) tool, all while disabling management interfaces to cover their tracks.
Shortly thereafter, Curly COMrades attempted to deploy virtual machines labeled “WSL” to mislead users into believing they were legitimate installations of the Windows Subsystem for Linux (WSL). These unauthorized virtual machines utilized default network adapters and took advantage of Hyper-V’s internal NAT service, making malicious traffic appear as though it originated from the host system.
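The two steps above (the platform enabled with its management pieces turned off, then a VM named like WSL attached to an internal NAT switch) can be checked for directly on a suspect host. The audit script below is an added example written for this article, not code from Bitdefender or the report; it uses only standard Windows cmdlets, must run from an elevated session, and assumes the Hyper-V PowerShell module is available (if the attackers removed it, re-enabling the Microsoft-Hyper-V-Management-PowerShell feature restores it).

```powershell
# Added example (not from the Bitdefender report): audit a Windows 10 host for the
# Hyper-V abuse pattern described above. Run as Administrator.

# 1. Feature states. The hypervisor and services enabled while the management
#    clients and PowerShell module are disabled matches the pattern in the report.
$features = 'Microsoft-Hyper-V-Hypervisor', 'Microsoft-Hyper-V-Services',
            'Microsoft-Hyper-V-Management-Clients', 'Microsoft-Hyper-V-Management-PowerShell'
$states = foreach ($f in $features) {
    $r = Get-WindowsOptionalFeature -Online -FeatureName $f
    [pscustomobject]@{ Feature = $f; State = $r.State }
}
$states | Format-Table -AutoSize

if (-not (Get-Command Get-VM -ErrorAction SilentlyContinue)) {
    Write-Warning 'Hyper-V PowerShell module not available; enable Microsoft-Hyper-V-Management-PowerShell and rerun.'
    return
}

# 2. Every registered VM with its footprint and network attachment. WSL 2 does not
#    register a VM in this list, so a VM whose name contains "WSL" is a red flag.
$findings = foreach ($vm in Get-VM) {
    $adapters = Get-VMNetworkAdapter -VMName $vm.Name
    [pscustomobject]@{
        Name             = $vm.Name
        State            = $vm.State
        MemoryMB         = [int]($vm.MemoryStartup / 1MB)
        Switches         = ($adapters.SwitchName -join ',')
        NameLooksLikeWsl = $vm.Name -match '(?i)wsl'
        ConfigPath       = $vm.Path
    }
}
$findings | Format-Table -AutoSize

# 3. Internal switches and NAT objects: a guest behind an internal switch with NAT
#    leaves the host with the host's own address. Get-NetNat lists NAT objects created
#    with New-NetNat; the built-in Default Switch manages its own NAT separately.
Get-VMSwitch | Where-Object SwitchType -eq 'Internal' | Select-Object Name, SwitchType, Id
Get-NetNat | Select-Object Name, InternalIPInterfaceAddressPrefix, Active

# 4. One vmwp.exe worker process runs per started VM; list them so each worker can be
#    tied back to an entry in the VM table, or flagged if it cannot be.
Get-CimInstance Win32_Process -Filter "Name = 'vmwp.exe'" | Select-Object ProcessId, CommandLine
```

A VM of roughly 256 MB with an internal switch and a WSL-like name on a workstation that never had Hyper-V provisioned is the combination to escalate. On hosts that legitimately use Hyper-V or WSL 2, the feature states alone are not a finding; the VM list and switch bindings are what separate the two cases.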
Custom Malware: CurlyShell and CurlCat
The unauthorized virtual machines were equipped with a streamlined attack toolkit rather than extensive penetration testing frameworks. The attackers introduced two custom malicious programs—CurlyShell and CurlCat—both developed using the libcurl library. CurlyShell operates as a reverse shell, establishing communication with the C2 infrastructure via HTTPS connections, while CurlCat manages traffic tunnels that facilitate remote access and command execution on compromised computers.
Growing Trend: Linux Malware Targeting Windows Systems
This approach aligns with a growing trend of employing Linux malware to target Windows environments, effectively bypassing EDR detection mechanisms. Similar tactics were recently documented by Trend Micro in Qilin ransomware attacks, where threat actors executed Linux-based ransomware through the Splashtop remote management tool to encrypt files on Windows systems.