Full Report
A new cyber-espionage threat group has been using a new backdoor malware that provides persistent access through a seemingly inactive scheduled task. [...]
Analysis Summary
# Threat Actor: Curly COMrades
## Attribution & Identity
The actor is identified as "Curly COMrades" (or "Curly COMrades cyberspies"). Attribution is implied to be linked to state-sponsored espionage efforts, based on the targeting of government organizations and the sophisticated nature of the activity.
## Activity Summary
Curly COMrades are involved in an espionage campaign focusing on maintaining persistent access to target networks. Recent activities include deploying custom malware, specifically the `.NET` backdoor known as **MucorAgent**, to hijack legitimate COM handlers and bypass security features like AMSI. A key objective observed post-compromise was the repeated attempt to extract the **NTDS database from domain controllers** and dump **LSASS memory** for credential harvesting.
## Tactics, Techniques & Procedures
- **Custom Malware Usage:** Deployment of the custom **MucorAgent** `.NET` backdoor.
- **Defense Evasion:** Component within MucorAgent used for **bypassing the Antimalware Scan Interface (AMSI)** in Windows.
- **Persistence/Access:** Hijacking a legitimate **COM handler** and installing legitimate remote access/management tools like **Remote Utilities (RuRat)** and an **RMM tool**.
- **Credential Access:** Attempting to extract the **NTDS database** and dumping **LSASS memory** to recover active user credentials.
- **Living off the Land (LOLBins/Scripts):** Execution of common system utilities (`netstat`, `tasklist`, `systeminfo`, `wmic`, `ipconfig`) and using PowerShell **Active Directory enumeration cmdlets** and **batch scripts** for automation.
- **Data Staging:** Downloading encrypted data blobs (likely scripts) into specific locations, referenced by filenames (`index.png` and `icon.png`).
## Targeting
- Sectors: Government organizations.
- Geography: Not explicitly stated, but the targeting suggests organizations operating in geopolitical hotbeds (per the Bitdefender context cited).
- Victims: Government organizations; specific victim names are not detailed in the provided excerpt.
## Tools & Infrastructure
- **Malware families used:** MucorAgent (Custom .NET backdoor).
- **Legitimate Software Misuse (TARE):** Remote Utilities (RuRat), Remote Monitoring and Management (RMM) tool.
- **Infrastructure (C2, domains, IPs):** Implied C2 communication involved downloading encrypted data blobs from compromised websites; no specific C2 domains or IPs are given in the provided text.
## Implications
Curly COMrades are highly focused on espionage, prioritizing stealth and long-term access. Their use of custom backdoors combined with legitimate IT tools (RMM, RuRat) allows them to blend activities effectively. The intense focus on domain controller data (NTDS) suggests a primary interest in broad network control and deep intelligence gathering (e.g., user accounts, trust relationships). Despite using common TTPs, their persistence mechanisms require modern EDR/XDR solutions for reliable detection.
## Mitigations
- Implement modern **EDR/XDR solutions** capable of detecting anomalous behavior even when LOLBins are used.
- Strictly monitor and restrict the use of legitimate remote access tools (RMM, RuRat) to authorized endpoints and usage patterns.
- Enforce robust **credential security practices**, monitoring for LSASS memory dumping attempts and unusual access to domain controllers/NTDS database files.
- Monitor for signs of **COM handler hijacking** and unusual DLL loading mechanisms.
- Scrutinize network traffic for beacons downloading payloads from potentially compromised external websites.
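As an added example (not code from the Bitdefender report or this summary), the COM handler hijacking mitigation above can be prototyped as a check over Sysmon Event ID 13 (registry value set) events: a per-user CLSID server registration shadows the machine-wide handler, and a server path in a user-writable directory or without a DLL/EXE extension is rare for a legitimate installer. The event lines, CLSIDs, images and paths below are constructed sample data.

```python
import re

# Constructed Sysmon Event ID 13 lines, flattened to key=value fields for the
# example; none of these values come from the report.
SAMPLE_EVENTS = [
    r"EventID=13 Image=C:\Windows\System32\msiexec.exe TargetObject=HKLM\SOFTWARE\Classes\CLSID\{00021401-0000-0000-C000-000000000046}\InprocServer32\(Default) Details=C:\Windows\System32\shell32.dll",
    r"EventID=13 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Classes\CLSID\{00021401-0000-0000-C000-000000000046}\InprocServer32\(Default) Details=C:\Users\Public\Libraries\update.dll",
    r"EventID=13 Image=C:\Windows\System32\rundll32.exe TargetObject=HKLM\SOFTWARE\Classes\CLSID\{DEADBEEF-1234-5678-9ABC-DEF012345678}\LocalServer32\(Default) Details=C:\ProgramData\cache\icon.png",
    r"EventID=13 Image=C:\Windows\explorer.exe TargetObject=HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden Details=DWORD (0x00000001)",
]

FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")
# CLSID server registrations: the value that names the DLL/EXE COM loads.
COM_KEY_RE = re.compile(r"\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\(InprocServer32|LocalServer32)", re.I)
USER_WRITABLE_RE = re.compile(r"\\(Users|ProgramData|Temp|AppData)\\", re.I)
BINARY_EXT_RE = re.compile(r"\.(dll|exe|ocx)\b", re.I)


def parse_event(line):
    """Turn one flattened event line into a dict of its fields."""
    return dict(FIELD_RE.findall(line))


def find_com_hijacks(lines):
    """Return CLSID server registrations that look like handler hijacks, with reasons."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        key = ev.get("TargetObject", "")
        m = COM_KEY_RE.search(key)
        if not m:
            continue  # not a COM server registration at all
        clsid, server_type = m.group(1), m.group(2)
        data = ev.get("Details", "")
        reasons = []
        # HKCU/HKU CLSID entries take precedence over HKLM for that user.
        if key.upper().startswith(("HKU\\", "HKCU\\")):
            reasons.append("per-user CLSID registration shadows the machine-wide handler")
        if USER_WRITABLE_RE.search(data):
            reasons.append(f"server path in user-writable location: {data}")
        if not BINARY_EXT_RE.search(data):
            reasons.append(f"server path lacks a DLL/EXE extension: {data}")
        if reasons:
            findings.append({"clsid": clsid, "server": server_type,
                             "image": ev.get("Image", ""), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_com_hijacks(SAMPLE_EVENTS):
        print(f["clsid"], f["server"], f["image"], "; ".join(f["reasons"]))
```

Real deployments should also baseline known-good CLSID registrations, since some legitimate software writes per-user COM servers.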