Russian Hackers Hide Malware in Linux VMs Using Hyper-V

Summary
– The Russian hacker group Curly COMrades uses Microsoft Hyper-V to deploy a hidden Alpine Linux virtual machine that runs their custom malware tools CurlyShell and CurlCat.
– This hidden VM environment allows the hackers to bypass traditional endpoint detection by making malicious traffic appear to originate from the legitimate host machine’s IP address.
– Curly COMrades is a cyber-espionage group active since mid-2024 that targets organizations aligned with Russian geopolitical interests, including government bodies in Georgia and energy firms in Moldova.
– The group used PowerShell scripts for persistence and network pivoting, including injecting Kerberos tickets and creating local accounts across domain machines via Group Policy.
– Bitdefender recommends organizations monitor for abnormal Hyper-V activation, LSASS access, and suspicious PowerShell scripts deployed through Group Policy to detect similar attacks.
A sophisticated Russian cyber-espionage group known as Curly COMrades is leveraging Microsoft’s Hyper-V virtualization platform to conceal malware within hidden Linux virtual machines, effectively bypassing conventional endpoint security measures. This innovative attack method allows the group to operate with significant stealth while targeting entities aligned with Russian geopolitical interests, including government bodies in Georgia and energy companies in Moldova.
The threat actors first gain remote access to victim systems, then enable the Hyper-V role while disabling its management interface. They deploy a minimal Alpine Linux-based virtual machine, which requires only 120MB of disk space and 256MB of memory. Within this concealed environment, they host their custom tools: the CurlyShell reverse shell and CurlCat reverse proxy, both ELF binaries built on libcurl.
CurlyShell operates in headless mode, executing commands from the hidden VM while maintaining persistence through cron jobs and communicating with command-and-control servers over HTTPS. CurlCat serves as its companion tool, creating covert SOCKS proxies that tunnel SSH traffic through HTTPS requests, enabling network pivoting while blending with regular network traffic.
The attackers strategically named their virtual machine “WSL” to mimic the legitimate Windows Subsystem for Linux feature, hoping the virtualization activity would go unnoticed by system administrators. By configuring the Alpine Linux VM to use Hyper-V’s Default Switch network adapter, all malicious communications appear to originate from the host machine’s legitimate IP address, effectively bypassing host-based detection solutions that lack network inspection capabilities.
Beyond the virtualization technique, investigators discovered additional persistence mechanisms. The group employed PowerShell scripts for maintaining access and moving laterally across networks. One script injects Kerberos tickets into LSASS to enable remote authentication and command execution, while another deployed through Group Policy creates local accounts across domain-joined machines.
The operation shows careful attention to stealth and operational security: payloads were encrypted and few forensic traces were left on compromised systems. Security researchers emphasize that organizations should monitor for unusual Hyper-V activation, LSASS access attempts, and Group Policy-deployed PowerShell scripts that trigger local account modifications.
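As an added example (not code from the article or from Bitdefender's report), the following read-only PowerShell hunting script checks a single Windows host for the indicators described above: the Hyper-V role enabled while its management tools are absent, a registered VM whose name mimics WSL or whose memory footprint matches the 256MB Alpine guest, guests attached to the Default Switch (which NATs their traffic through the host IP), and recent local-account creation (Security event 4720). The cmdlets are standard Windows and Hyper-V module cmdlets; the `^wsl` name pattern, the 256MB threshold and the 14-day look-back window are assumptions chosen to match the report, not vendor-supplied detection logic.

```powershell
# Added example (not from the article or Bitdefender): read-only Hyper-V hunting
# checks for the indicators the article describes. Assumes an elevated session on
# a Windows 10/11 or Windows Server host; Hyper-V cmdlets are skipped if absent.
$findings = New-Object System.Collections.Generic.List[string]
$lookback = (Get-Date).AddDays(-14)   # assumption: 14-day window

# 1. Hypervisor enabled but the management clients (Hyper-V Manager) are not:
#    the article reports the role being enabled with its management interface disabled.
$hv    = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -ErrorAction SilentlyContinue
$tools = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-Management-Clients -ErrorAction SilentlyContinue
if ($hv.State -eq 'Enabled') {
    $findings.Add("Hyper-V hypervisor is enabled on $env:COMPUTERNAME")
    if ($tools.State -ne 'Enabled') {
        $findings.Add("Hyper-V is enabled without its management clients (Hyper-V Manager)")
    }
}

# 2. Registered VMs. Real WSL2 instances are not Hyper-V VMMS guests and never show
#    up in Get-VM, so a VM literally named 'WSL' deserves a look. A startup RAM of
#    256 MB or less matches the reported Alpine Linux footprint (threshold is an assumption).
if (Get-Command Get-VM -ErrorAction SilentlyContinue) {
    foreach ($vm in Get-VM -ErrorAction SilentlyContinue) {
        $memMB = [int]($vm.MemoryStartup / 1MB)
        if ($vm.Name -match '^wsl') {
            $findings.Add("VM '$($vm.Name)' mimics the WSL feature name (state: $($vm.State))")
        }
        if ($memMB -le 256) {
            $findings.Add("VM '$($vm.Name)' has a minimal footprint: $memMB MB startup RAM")
        }
        # 3. 'Default Switch' gives the guest NAT through the host's IP address,
        #    which is how the guest traffic blended in with host traffic.
        foreach ($nic in Get-VMNetworkAdapter -VMName $vm.Name -ErrorAction SilentlyContinue) {
            if ($nic.SwitchName -eq 'Default Switch') {
                $findings.Add("VM '$($vm.Name)' is attached to 'Default Switch' (guest traffic exits with the host IP)")
            }
        }
        # Record where each guest's disk lives so an analyst can collect the VHD/VHDX.
        foreach ($disk in Get-VMHardDiskDrive -VMName $vm.Name -ErrorAction SilentlyContinue) {
            $findings.Add("VM '$($vm.Name)' disk image: $($disk.Path)")
        }
    }
}

# 4. Local accounts created recently. Security event 4720 = 'A user account was created';
#    the article reports a GPO-deployed script creating local accounts across domain machines.
$created = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = $lookback } -ErrorAction SilentlyContinue
foreach ($ev in $created) {
    # TargetUserName is the first data element in the 4720 event payload.
    $name = $ev.Properties[0].Value
    $findings.Add("Local account '$name' created at $($ev.TimeCreated)")
}

if ($findings.Count -eq 0) {
    "No Hyper-V or local-account indicators found on $env:COMPUTERNAME"
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

Run it from an elevated PowerShell session on each host of interest, or wrap it in `Invoke-Command` for a fleet. A hit on any single check is not proof of compromise (legitimate Hyper-V use exists), but the combination the article describes, the hypervisor enabled without management tools plus a tiny guest on the Default Switch, is rare enough in most environments to warrant pulling the VHD for analysis.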
This attack methodology highlights the evolving challenge of detecting threats that operate across virtualization boundaries, particularly when security tools lack comprehensive network visibility. While virtualization-based evasion isn’t new, the fragmented coverage of many security solutions makes this approach particularly effective against networks without multi-layered protection strategies.
(Source: Bleeping Computer)
