NEWS Curly COMrades – A New Wave of Attacks Leveraging Hyper-V

Curly COMrades – A New Wave of Attacks Leveraging Hyper-V

Researchers from Bitdefender and CERT-GE have uncovered a unique technique: the Russian APT group Curly COMrades is using the built-in Windows virtualization (Hyper-V) to run a hidden Alpine Linux virtual machine directly within an infected system.

Attack Technique:
Two main tools operate inside the virtual machine:

  • CurlyShell: A reverse shell for communication with the C2 server.
  • CurlCat: A tunnel for covert SSH and HTTP traffic.

Network traffic is routed through the standard Hyper-V Default Switch adapter, making it appear from the outside as normal Windows host activity.

Key Threat Characteristics:

  • EDR systems have limited visibility into processes running inside the VM, effectively pushing the attack "below" the Windows detection level.
  • This technique enables long-term covert reconnaissance and persistent access.

Targets:
The attacks primarily target the government sector, energy companies, and organizations in Eastern Europe. Infections have been confirmed in Georgia and Moldova.

Protection Recommendations:

  • Verify that the Hyper-V role is not enabled on systems where it is not required.
  • Monitor for specific PowerShell commands, such as Import-VM, Start-VM, and Enable-WindowsOptionalFeature.
  • Check for the presence of VHDX and VMCX files within user profiles.
  • Enhance filtering of network connections, especially those involving the Hyper-V Default Switch.
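The four recommendations above can be hunted for from a single elevated PowerShell session. The script below is an added example, not part of the post or the Bitdefender/CERT-GE report; it assumes an elevated session, and the event-log check only yields results where PowerShell Script Block Logging (event ID 4104) is enabled.

```powershell
# Added hunting script (not from the Bitdefender/CERT-GE report). Assumes an elevated
# PowerShell session; the 4104 check only works where Script Block Logging is enabled.
$findings = @()

# 1. Is the Hyper-V role enabled on a host where nobody expects it?
$hv = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All -ErrorAction SilentlyContinue
if ($hv -and $hv.State -eq 'Enabled') {
    $findings += "Hyper-V role is enabled (state: $($hv.State))"
    # Enumerate registered VMs when the Hyper-V module is available
    if (Get-Command Get-VM -ErrorAction SilentlyContinue) {
        Get-VM | ForEach-Object { $findings += "Registered VM: $($_.Name) [$($_.State)]" }
    }
}

# 2. VHDX / VMCX files under user profiles (legitimate VMs normally live outside C:\Users)
$userRoot = Join-Path $env:SystemDrive 'Users'
Get-ChildItem -Path $userRoot -Recurse -Force -File -Include *.vhdx, *.vmcx -ErrorAction SilentlyContinue |
    ForEach-Object {
        $findings += "VM artifact in profile: $($_.FullName) ($([math]::Round($_.Length / 1MB)) MB)"
    }

# 3. Script blocks that mention the cmdlets named in the post (Properties[2] is ScriptBlockText)
$pattern = 'Import-VM|Start-VM|Enable-WindowsOptionalFeature'
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[2].Value -match $pattern } |
    ForEach-Object {
        $text = $_.Properties[2].Value
        $findings += "PS script block at $($_.TimeCreated): $($text.Substring(0, [math]::Min(120, $text.Length)))"
    }

# 4. Is the Default Switch adapter present, and has it moved traffic?
$sw = Get-NetAdapter -Name 'vEthernet (Default Switch)' -ErrorAction SilentlyContinue
if ($sw) {
    $stats = Get-NetAdapterStatistics -Name $sw.Name -ErrorAction SilentlyContinue
    $findings += "Default Switch adapter is $($sw.Status); sent $($stats.SentBytes) B, received $($stats.ReceivedBytes) B"
}

if ($findings.Count -eq 0) { 'No Hyper-V indicators found.' } else { $findings }
```

Any hit on a workstation that has no business running Hyper-V deserves a closer look; on a legitimate virtualization host, compare the VM list and disk locations against the expected inventory.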

Conclusion:
According to the Bitdefender and CERT-GE report, the use of built-in hypervisors represents a new stage in the evolution of cyber espionage. The boundary between the Windows host and the attacking virtual machine is becoming increasingly blurred, demanding new security approaches.