Bitdefender, in partnership with the Georgian CERT, has identified a Russian-linked cyber campaign orchestrated by Curly COMrades that exploits Microsoft Hyper-V to install a covert Alpine Linux VM on compromised Windows machines.
Attack Techniques and Tools
The attack relies on a lightweight Alpine Linux VM, roughly 120 MB on disk and needing only 256 MB of RAM, whose isolation from the host is used to circumvent endpoint security controls. Curly COMrades deployed two custom implants, CurlyShell and CurlCat. CurlyShell provides cron-based root persistence and HTTPS command and control through a Georgian website. CurlCat acts as an SSH reverse proxy, tunneling SSH over HTTP.
Additional tools discovered include PowerShell scripts designed to inject Kerberos tickets into LSASS, facilitating remote authentication and command execution. Another script, distributed via Group Policy, creates local accounts on domain-joined machines to maintain persistence.
Implications and Recommendations
This VM-isolation technique evades many traditional host-based EDR and XDR systems. Bitdefender advises implementing a defense-in-depth strategy to counter such sophisticated methods, and has published threat indicators and a comprehensive list of related artifacts on its GitHub page.
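The report gives defenders a few concrete things to hunt for on endpoints: the Hyper-V feature enabled on machines that have no business hosting VMs, a running VM worker process, an unusually small virtual disk (the Alpine guest is about 120 MB), and local accounts being created on domain-joined hosts. The script below is an added example written for this summary; it is not tooling from Bitdefender or the Georgian CERT. It scores constructed host inventory records against those heuristics. The role baseline (only servers are expected to run VMs), the 512 MB disk threshold, and the sample hosts and events are assumptions; `vmwp.exe` (the per-VM Hyper-V worker process) and Security event 4720 (user account created) are real Windows names.

```python
"""Hunt heuristics for a covert Hyper-V guest on a Windows endpoint.

Added example, not tooling from Bitdefender or the Georgian CERT. The host
inventory records are constructed; in a real hunt they would be collected
from an EDR or a PowerShell script (feature state, process list, virtual
disk files, Security event log) and passed to hunt() unchanged.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class HostInventory:
    hostname: str
    role: str                        # "workstation" or "server"
    hyperv_enabled: bool             # Hyper-V optional feature state
    processes: list[str]             # image names of running processes
    vhd_files: dict[str, int]        # virtual disk path -> size in bytes
    security_events: list[dict] = field(default_factory=list)  # Security log records


# Assumption: only servers are expected to host VMs in this environment, so the
# Hyper-V feature or a VM worker process on any other role deserves a look.
VM_HOST_ROLES = {"server"}

# The report describes an Alpine guest of roughly 120 MB on disk; a disk this
# small is unusual for a Windows guest, so flag anything up to 512 MB (assumed cutoff).
SMALL_DISK_BYTES = 512 * 1024 * 1024

# vmwp.exe is the Hyper-V worker process; one instance runs per powered-on VM.
VM_WORKER_PROCESS = "vmwp.exe"

# Windows Security event 4720: "A user account was created".
EVENT_ACCOUNT_CREATED = 4720


def hunt(inv: HostInventory) -> list[str]:
    """Return finding tags for one host; an empty list means nothing was found."""
    findings: list[str] = []
    unexpected_vm_host = inv.role not in VM_HOST_ROLES

    if unexpected_vm_host and inv.hyperv_enabled:
        findings.append("hyperv-enabled-on-workstation")

    if unexpected_vm_host and VM_WORKER_PROCESS in {p.lower() for p in inv.processes}:
        findings.append("vm-worker-process-running")

    small = sorted(p for p, size in inv.vhd_files.items() if size <= SMALL_DISK_BYTES)
    for path in small:
        findings.append(f"small-virtual-disk:{path}")

    # In a 4720 record the target account's domain equals the computer name when
    # the account is local to that machine, which is the persistence pattern the
    # report attributes to a Group Policy-distributed script.
    for ev in inv.security_events:
        if ev.get("id") == EVENT_ACCOUNT_CREATED and \
                ev.get("domain", "").lower() == inv.hostname.lower():
            findings.append(f"local-account-created:{ev.get('account')}")

    # Feature enabled + live worker process + tiny disk on a non-VM host is the
    # combination the report describes; escalate it above the single indicators.
    if {"hyperv-enabled-on-workstation", "vm-worker-process-running"} <= set(findings) and small:
        findings.append("covert-vm-suspected")

    return findings


# Constructed sample inventories (not real hosts or real findings).
SAMPLE_HOSTS = [
    HostInventory(
        hostname="WS-FIN-042",
        role="workstation",
        hyperv_enabled=True,
        processes=["explorer.exe", "vmms.exe", "VMWP.EXE", "outlook.exe"],
        vhd_files={r"C:\ProgramData\Hidden\guest.vhdx": 120 * 1024 * 1024},
        security_events=[
            {"id": 4720, "account": "svc_backup", "domain": "WS-FIN-042"},
            {"id": 4624, "account": "jdoe", "domain": "CORP"},
        ],
    ),
    HostInventory(
        hostname="HV-PROD-01",
        role="server",
        hyperv_enabled=True,
        processes=["vmms.exe", "vmwp.exe", "vmwp.exe"],
        vhd_files={r"D:\VMs\app01.vhdx": 80 * 1024 ** 3},
        security_events=[{"id": 4720, "account": "t.smith", "domain": "CORP"}],
    ),
]


if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        print(host.hostname, hunt(host) or "clean")
```

Run stand-alone it reports the workstation with every indicator plus the escalated `covert-vm-suspected` tag and the legitimate Hyper-V server as clean. The individual indicators are deliberately kept as separate tags so that a single one (a developer who enabled Hyper-V, say) can be triaged on its own, while the combined tag is what should page an analyst.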
- Curly COMrades exploit Microsoft Hyper-V for malware deployment.
- Alpine Linux VM evades endpoint detection systems.
- New tools, CurlyShell and CurlCat, enhance persistence and control.
- Researchers found Kerberos manipulation with PowerShell scripts.
- Bitdefender and Georgian CERT collaborated in the discovery.