Hackers have increasingly utilized Linux malware to bypass Windows security, causing significant challenges for endpoint detection and response (EDR) systems.
Exploit Details and Tools
Bitdefender and Georgia CERT uncovered a Russian hacker group, Curly COMrades, exploiting Hyper-V on Windows 10. They used lightweight Alpine Linux VMs to evade detection, employing tools like Resocks, Ligolo-ng, and SSH-based methods for persistence and proxying. The attack began in July 2024 with DISM commands and disabled management interfaces to conceal remote VM operations.
Impact on Security Practices
This campaign emphasizes the need for enhanced EDR with host-based network monitoring to identify C2 traffic from VMs. Security measures must evolve to detect such Linux-based threats on Windows platforms, as these tactics are becoming more prevalent.
Advanced Techniques Used
CurlyShell and CurlCat, two custom programs, were deployed: CurlyShell acts as a reverse shell, and CurlCat manages traffic tunnels, profoundly impacting remote access capabilities. The threat actors also leveraged default network adapters and Hyper-V's internal NAT, masking malicious traffic as legitimate host traffic to bypass security systems.
