Full Report
The Russian hacker group Curly COMrades has been abusing Microsoft's Hyper-V virtualization technology in Windows to bypass endpoint detection and response solutions by creating a hidden Alpine Linux-based virtual machine. [...]
Analysis Summary
# Threat Actor: Curly COMrades
## Attribution & Identity
**Actor Identification:** Russian hacker group, believed to be active since mid-2024.
**Known Aliases and Associated Groups:** Curly COMrades. Activities are closely aligned with Russian geopolitical interests.
## Activity Summary
Curly COMrades has been actively engaging in cyber-espionage. Recent activities documented include operations against government and judicial bodies in **Georgia**, as well as energy firms in **Moldova**. The attackers gain remote access to victim machines, enable Hyper-V, and deploy a hidden virtual machine to host their malware, aiming for operational stealth and evasion of EDR solutions.
## Tactics, Techniques & Procedures
- **Virtualization Abuse for Evasion:** Abusing Microsoft's Hyper-V to create an undetectable, hidden Alpine Linux-based virtual machine (VM) to host malware and C2 infrastructure.
- **Disabling VM Management:** Executing commands to disable the Hyper-V management interface after role enablement.
- **Low-Footprint VM Deployment:** Deploying a minimalistic Alpine Linux VM (120MB disk, 256MB memory).
- **Masquerading:** Naming the VM 'WSL' so it passes as the Windows Subsystem for Linux (WSL) feature, adding a further layer of obfuscation.
- **Network Evasion:** Configuring the VM to use the Hyper-V Default Switch, causing outbound malicious traffic to appear to originate from the legitimate host machine's IP address.
- **Persistence (Host/VM):** Using a **cron job** within the VM for persistence, and utilizing **PowerShell scripts** on the host.
- **Lateral Movement/Authentication:** One PowerShell script was used to inject a **Kerberos ticket into LSASS** for authentication to remote systems.
- **Domain Persistence:** A second PowerShell script deployed via **Group Policy** to create a new local account across domain machines.
- **Encryption and Obfuscation:** Encrypting embedded payloads and abusing native PowerShell capabilities to minimize forensic traces.
**MITRE ATT&CK IDs (Inferred/Mentioned):**
* Techniques related to virtualization abuse and custom tool staging are core to their evasion strategy.
* T1021 (Remote Services - potentially via compromised shell)
* T1548.002 (Abuse Elevation Control Mechanism - implied by credential/ticket injection)
* T1059.001 (Command and Scripting Interpreter: PowerShell)
## Targeting
- **Sectors:** Government, Judicial Bodies, Energy Firms.
- **Geography:** Georgia, Moldova (specific countries mentioned).
- **Victims:** Government organizations and energy sector entities.
## Tools & Infrastructure
- **Malware Families Used:**
* **CurlyShell:** Custom reverse shell executable (ELF binary based on libcurl) running in headless mode, connecting to C2 over HTTPS, used for command execution and persistence via cron job.
* **CurlCat:** Companion tool (ELF binary based on libcurl) invoked by CurlyShell to create a covert **SOCKS proxy**. It wraps SSH traffic inside HTTPS requests for tunneling and network pivoting.
- **Infrastructure & Methodologies:**
* **C2 Communication:** HTTPS for CurlyShell traffic.
* **Tunneling:** HTTPS encapsulation of SSH traffic via CurlCat.
* **Host-Based Scripts:** Two custom PowerShell scripts for persistence and lateral movement (LSASS injection, Group Policy execution).
## Implications
Curly COMrades demonstrates a high degree of operational security (OpSec) and a focus on stealth. Their exploitation of native, legitimate OS features like Hyper-V and PowerShell, combined with advanced evasion techniques via controlled VM environments, allows them to circumvent traditional host-based EDR controls that lack deep visibility into virtualized execution environments and specialized network inspection capabilities. This approach is highly effective against organizations relying on fragmented security tooling.
## Mitigations
- **Monitor Hyper-V Activity:** Implement monitoring for abnormal or unauthorized activation of the Hyper-V role on host systems.
- **Endpoint Visibility:** Deploy EDR/XDR solutions capable of inspecting network traffic originating or proxied from virtualized environments (including Hyper-V guests).
- **LSASS Monitoring:** Monitor for non-standard processes accessing LSASS memory, especially those related to credential dumping or Kerberos ticket manipulation.
- **Group Policy Auditing:** Audit Group Policy Objects (GPOs) for scripts or configurations that trigger local account creation or password resets, particularly if deployed immediately following remote access.
- **Layered Defense:** Ensure security controls provide a holistic, multi-layered protection approach rather than relying on single-point detection technologies.
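As an added illustration of the first two mitigations (not code from the report or its researchers), the following PowerShell hunt script checks a Windows host for the pattern described above. The 'WSL' name match, the 256 MB and 200 MB thresholds, the Default Switch check and the vmwp.exe fallback are assumptions drawn from the report's description; run it elevated.

```powershell
# Added example, not from the report: point-in-time audit of a Windows host for
# the hidden Hyper-V VM pattern. Thresholds and name match are assumptions.
#Requires -RunAsAdministrator

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Hypervisor enabled while the management features are disabled: the report
#    says the actors disable the management interface after enabling the role.
$feat = @{}
foreach ($name in 'Microsoft-Hyper-V-Hypervisor',
                  'Microsoft-Hyper-V-Management-PowerShell',
                  'Microsoft-Hyper-V-Management-Clients') {
    $f = Get-WindowsOptionalFeature -Online -FeatureName $name -ErrorAction SilentlyContinue
    $feat[$name] = if ($f) { $f.State } else { 'Unknown' }
}
if ($feat['Microsoft-Hyper-V-Hypervisor'] -eq 'Enabled' -and
    ($feat['Microsoft-Hyper-V-Management-PowerShell'] -ne 'Enabled' -or
     $feat['Microsoft-Hyper-V-Management-Clients'] -ne 'Enabled')) {
    $findings.Add('Hyper-V hypervisor is enabled but its management features are not')
}

# 2. One vmwp.exe worker process exists per running VM; it stays visible even
#    when the Hyper-V PowerShell module has been removed from the host.
$workers = @(Get-Process -Name vmwp -ErrorAction SilentlyContinue)
if ($workers.Count -gt 0) {
    $findings.Add("$($workers.Count) running VM worker process(es) (vmwp.exe) present")
}

# 3. Per-VM checks when Get-VM is available: WSL-like name, tiny memory and
#    disk footprint, and the Default Switch (NAT through the host, so guest
#    traffic leaves with the host's IP address). Two or more hits are reported.
if (Get-Command Get-VM -ErrorAction SilentlyContinue) {
    foreach ($vm in Get-VM) {
        $why = @()
        if ($vm.Name -match '^wsl') { $why += "name '$($vm.Name)' mimics WSL" }
        if ($vm.MemoryStartup -le 256MB) { $why += "startup memory $($vm.MemoryStartup / 1MB) MB" }
        foreach ($nic in Get-VMNetworkAdapter -VMName $vm.Name) {
            if ($nic.SwitchName -eq 'Default Switch') { $why += 'attached to Default Switch' }
        }
        foreach ($disk in Get-VMHardDiskDrive -VMName $vm.Name) {
            if ((Test-Path $disk.Path) -and (Get-Item $disk.Path).Length -le 200MB) {
                $why += "disk $($disk.Path) is under 200 MB"
            }
        }
        if ($why.Count -ge 2) {
            $findings.Add("VM '$($vm.Name)' (created $($vm.CreationTime)): " + ($why -join '; '))
        }
    }
}

if ($findings.Count) { $findings | ForEach-Object { Write-Warning $_ } }
else { 'No Hyper-V anomalies found on this host.' }
```

This is a one-off hunt rather than continuous monitoring; pair it with alerting on Hyper-V role enablement and on LSASS access so the first two stages of the intrusion are caught as they happen.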