Bitdefender researchers have unveiled sophisticated techniques employed by the Curly COMrades threat actor, a group believed to be supported by Russian interests. Their focus lies on exploiting Microsoft’s Hyper-V virtualization platform, allowing them to evade security measures and maintain persistent access to targeted environments.
Abuse of Hyper-V
In a collaborative investigation with the Georgian CERT, the researchers revealed how this threat group has ingeniously utilized legitimate virtualization features to conduct covert operations on compromised systems. By activating Hyper-V on targeted hosts, the attackers deployed a lightweight virtual machine (VM) based on Alpine Linux, which occupies a mere 120MB of disk space and utilizes 256MB of memory. Within this isolated environment, they concealed two malware tools: CurlyShell and CurlCat.
“The most notable finding in this campaign is the exploitation of legitimate virtualization technologies, demonstrating how threat actors are innovating to bypass standard EDR solutions as they become commodity tools. The attackers enabled the Hyper-V role on selected victim systems to deploy a minimalistic, Alpine Linux-based virtual machine. This hidden environment, with its lightweight footprint, hosted their custom reverse shell, CurlyShell, and a reverse proxy, CurlCat. By isolating the malware and its execution environment within a VM, the attackers effectively bypassed many traditional host-based EDR detections. EDR needs to be complemented by host-based network inspection to detect C2 traffic escaping the VM, and proactive hardening tools to restrict the initial abuse of native system binaries.”
The operation commenced in early July, marked by two remote commands that activated Microsoft Hyper-V while disabling its management interface on compromised computers. Subsequent commands prepared the environment for deploying the virtual machine, cleverly using deceptive file-naming strategies, such as labeling the VM as “WSL,” to avoid raising suspicion, even though it functioned entirely outside the conventional Windows Subsystem for Linux framework.
Isolated operational environment
The Alpine Linux VM was tailored for each victim, providing a secluded operational base for reverse shell and proxy activities. The primary aim was to minimize detection through a small system footprint while ensuring all necessary toolsets were available. The configuration routed VM traffic through the host’s network, making all outbound communications appear to originate from the legitimate host IP address. Internal configuration files were also designed to facilitate communication with attacker-controlled infrastructure.
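The host-side state described in the two passages above (Hyper-V role on, management interface off, a VM named after a legitimate feature, guest traffic leaving with the host's IP) is auditable from the host itself. The following PowerShell is an added example written for this article, not code from Bitdefender, the Georgian CERT or the report; it assumes an elevated session on client Windows (where Get-WindowsOptionalFeature applies), that the WMI namespace root\virtualization\v2 is present whenever the Hyper-V platform is enabled even without the management tools, and that the thresholds (the "WSL" name and the 512 MB ceiling) are tuning choices, not values the report prescribes.

```powershell
# Added example, not code from the report. Assumptions: elevated session, client
# Windows, root\virtualization\v2 available once the Hyper-V platform is enabled.

function Get-HiddenHyperVIndicators {
    [CmdletBinding()]
    param(
        # Names that impersonate a built-in feature; "WSL" is the one the report cites.
        [string[]] $SuspiciousNames = @('WSL'),
        # Memory ceiling below which a VM is unusually small (the report's VM had 256 MB).
        [int] $SmallMemoryMB = 512
    )

    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string] $Indicator, [string] $Detail) {
        $findings.Add([pscustomobject]@{ Indicator = $Indicator; Detail = $Detail })
    }

    # 1. Hypervisor enabled while every management feature is disabled: Get-VM and
    #    Hyper-V Manager are then absent, which is the state the attackers created.
    $features   = Get-WindowsOptionalFeature -Online | Where-Object FeatureName -like 'Microsoft-Hyper-V*'
    $hypervisor = $features | Where-Object FeatureName -eq 'Microsoft-Hyper-V-Hypervisor'
    $mgmtOn     = $features | Where-Object { $_.FeatureName -like 'Microsoft-Hyper-V-Management-*' -and $_.State -eq 'Enabled' }
    if ($hypervisor.State -eq 'Enabled' -and -not $mgmtOn) {
        Add-Finding 'HyperVWithoutManagementTools' 'Hypervisor enabled but no Microsoft-Hyper-V-Management-* feature is enabled'
    }

    # 2. Enumerate VMs through WMI, which does not depend on the Hyper-V PowerShell module.
    $vms = Get-CimInstance -Namespace root\virtualization\v2 -ClassName Msvm_ComputerSystem -ErrorAction SilentlyContinue |
        Where-Object Caption -eq 'Virtual Machine'
    foreach ($vm in $vms) {
        if ($SuspiciousNames -contains $vm.ElementName) {
            Add-Finding 'VMNameMimicsFeature' "VM '$($vm.ElementName)' uses a name that mimics a built-in feature"
        }
        # "Realized" settings are the running configuration, as opposed to snapshots.
        $settings = Get-CimAssociatedInstance -InputObject $vm -ResultClassName Msvm_VirtualSystemSettingData -ErrorAction SilentlyContinue |
            Where-Object VirtualSystemType -eq 'Microsoft:Hyper-V:System:Realized'
        if ($settings) {
            $mem = Get-CimAssociatedInstance -InputObject $settings -ResultClassName Msvm_MemorySettingData -ErrorAction SilentlyContinue
            if ($mem -and [int]$mem.VirtualQuantity -le $SmallMemoryMB) {
                Add-Finding 'UnusuallySmallVM' "VM '$($vm.ElementName)' has $($mem.VirtualQuantity) MB; config root $($settings.ConfigurationDataRoot)"
            }
        }
    }

    # 3. NAT on the host is how guest traffic leaves with the host's own IP address;
    #    any NetNat instance on a workstation deserves a second look.
    foreach ($n in (Get-NetNat -ErrorAction SilentlyContinue)) {
        Add-Finding 'HostNATPresent' "NetNat '$($n.Name)' for $($n.InternalIPInterfaceAddressPrefix); confirm it is expected"
    }

    return $findings
}

Get-HiddenHyperVIndicators | Format-Table -AutoSize
```

The WMI path is deliberate: once the management features are removed, Get-VM and Get-VMSwitch are gone with them, but the VMMS provider behind root\virtualization\v2 still answers, so this is the enumeration that survives the attackers' own configuration choice.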
This VM served as the host for the custom malware families CurlyShell and CurlCat. Both are C++ binaries built on the libcurl library, yet they serve distinct operational purposes: CurlyShell functions as a persistent reverse shell, while CurlCat manages SSH-based traffic tunneling. Authentication for the SSH tunneling relies on a private key stored within the VM, a dedicated key for the identity ‘bob.’
The persistence of CurlyShell is maintained through a cron task running as root, executing at regular intervals. HTTPS is employed for all Command and Control (C2) communications, utilizing unique session cookies and customized HTTP headers to tunnel commands and results between the VM and the C2 infrastructure. The malware also incorporates custom Base64 encoding schemes to complicate detection efforts.
Additional tools and script abuse
The attackers’ toolkit extends beyond CurlyShell and CurlCat, encompassing a variety of proxy and tunneling tools such as Resocks, Rsockstun, Ligolo-ng, CCProxy, TStunnel, and various SSH methods. This diverse array of tools provides significant flexibility and resilience for maintaining remote access.
Bitdefender and the Georgian CERT also uncovered PowerShell scripts utilized by the attackers. Some scripts injected Kerberos tickets into LSASS for remote authentication and lateral movement, while others focused on creating or maintaining local accounts via Group Policy to ensure ongoing access. For instance, one script would reset a local user’s password or create the account if it did not exist, with later variants targeting accounts such as ‘camera.’
Analysis of these scripts revealed the use of encrypted embedded code, with mechanisms to inject Kerberos tickets and execute lateral post-exploitation commands against other network devices. The repeated password resets via Group Policy indicated tactics aimed at evading remediation efforts by network defenders.
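The repeated reset-or-create behaviour described above leaves a signature in the Security log that a defender can score per account. The following PowerShell is an added example for this article, not the report's code or the attackers' script; it assumes that "User Account Management" auditing is enabled so that events 4720 (account created), 4724 (password reset attempt) and 4738 (account changed) are written, that a reset performed by a Group Policy script running as SYSTEM shows the computer account (NAME$) as SubjectUserName, and that the sample events, the host name WS01 and the window and threshold values are constructed for illustration (the account name ‘camera’ comes from the article).

```powershell
# Added example, not code from the report. Assumptions: User Account Management
# auditing enabled; SYSTEM-context resets show the computer account as subject.

function Find-RepeatedLocalAccountResets {
    [CmdletBinding()]
    param(
        # Objects with Id, TimeCreated, TargetUserName, SubjectUserName (see ConvertFrom-SecurityEvent).
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $WindowHours = 24,
        [int] $MinResets   = 2
    )
    $results  = New-Object System.Collections.Generic.List[object]
    $byTarget = $Events | Where-Object { $_.Id -in 4720, 4724, 4738 } | Group-Object TargetUserName
    foreach ($grp in $byTarget) {
        $resets   = @($grp.Group | Where-Object Id -eq 4724 | Sort-Object TimeCreated)
        $created  = @($grp.Group | Where-Object Id -eq 4720)
        $bySystem = @($resets | Where-Object { $_.SubjectUserName -like '*$' })
        # Sliding window: the largest number of resets that fall inside any $WindowHours span.
        $peak = 0
        for ($i = 0; $i -lt $resets.Count; $i++) {
            $start = $resets[$i].TimeCreated
            $end   = $start.AddHours($WindowHours)
            $n = @($resets | Where-Object { $_.TimeCreated -ge $start -and $_.TimeCreated -le $end }).Count
            if ($n -gt $peak) { $peak = $n }
        }
        $createdThenReset = ($created.Count -gt 0 -and $resets.Count -gt 0)
        if ($peak -ge $MinResets -or $createdThenReset) {
            $results.Add([pscustomobject]@{
                Account          = $grp.Name
                ResetsInWindow   = $peak
                ResetsBySystem   = $bySystem.Count
                CreatedThenReset = $createdThenReset
            })
        }
    }
    return $results
}

# Pull live events and flatten the fields the analysis needs.
function ConvertFrom-SecurityEvent {
    param([int] $Days = 7)
    $filter = @{ LogName = 'Security'; Id = 4720, 4724, 4738; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Id = $_.Id; TimeCreated = $_.TimeCreated
            TargetUserName = $d['TargetUserName']; SubjectUserName = $d['SubjectUserName']
        }
    }
}

# Constructed sample, not real telemetry: 'camera' is created by SYSTEM and reset
# twice within the same day; 'jsmith' gets a single helpdesk reset and is not flagged.
$t0 = (Get-Date).Date.AddHours(8)
$sample = @(
    [pscustomobject]@{ Id = 4720; TimeCreated = $t0;             TargetUserName = 'camera'; SubjectUserName = 'WS01$' },
    [pscustomobject]@{ Id = 4724; TimeCreated = $t0.AddHours(1); TargetUserName = 'camera'; SubjectUserName = 'WS01$' },
    [pscustomobject]@{ Id = 4724; TimeCreated = $t0.AddHours(9); TargetUserName = 'camera'; SubjectUserName = 'WS01$' },
    [pscustomobject]@{ Id = 4724; TimeCreated = $t0.AddDays(3);  TargetUserName = 'jsmith'; SubjectUserName = 'helpdesk' }
)
Find-RepeatedLocalAccountResets -Events $sample | Format-Table -AutoSize

# On a live host:  Find-RepeatedLocalAccountResets -Events (ConvertFrom-SecurityEvent -Days 7)
```

The two signals are kept separate on purpose: a burst of 4724 events on one local account is the "re-assert the password after remediation" pattern the report describes, while a 4720 followed by any 4724 catches the create-if-missing branch. Resets whose subject is the computer account are counted separately because that is what a Group Policy script run as SYSTEM looks like, as opposed to a helpdesk operator.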
Command and control infrastructure
International collaboration, particularly with the Georgian CERT, enabled a detailed analysis of the attackers’ command and control setup. The investigation uncovered the use of compromised servers acting as proxies to relay traffic between infected hosts and the attackers’ infrastructure. The seized server, configured with iptables and custom application-level proxies, redirected specific traffic from victims to attacker-controlled servers. Notably, TLS certificate validation in related malware was disabled, allowing attackers to utilize arbitrary certificates for decrypting and extracting SSH traffic.
The attackers took measures to limit forensic evidence, such as clearing shell history files, underscoring their emphasis on operational security throughout the campaign.
Detection and mitigation strategies
Bitdefender’s analysis underscores the necessity for host-based network inspection and hardening to detect lateral movement and malicious communications escaping from isolated VMs. The company noted:
“Throughout the activity, the threat actor demonstrated a strong focus on stealth and operational security. Techniques included encrypting embedded payloads, abusing native PowerShell capabilities, and minimizing forensic traces on compromised systems. To counter stealthy lateral movement, organizations must detect abnormal access to the LSASS process and suspicious Kerberos ticket creation or injection attempts, which occur outside the VM and are highly detectable. Use GravityZone EDR/XDR capabilities to detect malicious access to credential processes and mitigate memory-based attacks. For organizations operating with a lean security staff, adopting Managed Detection and Response (MDR) services offers an effective solution.”
The findings highlight a significant shift in threat actor tactics as endpoint detection and response solutions become more prevalent. The use of virtualization for stealth and persistence signals the urgent need for layered, defense-in-depth measures and proactive reduction of attack surfaces within organizations.