Russian Hackers Abuse Hyper-V to Hide Malware in Linux VMs

by hubie from SoylentNews on (#71FBR)

An Anonymous Coward writes:

https://www.bleepingcomputer.com/news/security/russian-hackers-abuse-hyper-v-to-hide-malware-in-linux-vms/

The Russian hacker group Curly COMrades is abusing Microsoft Hyper-V in Windows to bypass endpoint detection and response solutions by creating a hidden Alpine Linux-based virtual machine to run malware.

Inside the virtual environment, the threat actor hosted its custom tools, the CurlyShell reverse shell and the CurlCat reverse proxy, which enabled operational stealth and communication.

Curly COMrades is a cyber-espionage threat group believed to be active since mid-2024. Its activities are closely aligned with Russian geopolitical interests.

[...] The researchers found that in early July, after gaining remote access to two machines, Curly COMrades executed commands to enable Hyper-V and disable its management interface.

Microsoft includes the Hyper-V native hypervisor technology that provides hardware virtualization capabilities in Windows (Pro and Enterprise) and Windows Server operating systems, allowing users to run virtual machines (VMs).

"The attackers enabled the Hyper-V role on selected victim systems to deploy a minimalistic, Alpine Linux-based virtual machine. This hidden environment, with its lightweight footprint (only 120MB disk space and 256MB memory), hosted their custom reverse shell, CurlyShell, and a reverse proxy, CurlCat," Bitdefender explains in a report shared with BleepingComputer.

By keeping the malware and its execution inside a virtual machine (VM), the hackers were able to bypass traditional host-based EDR detections, which lacked network inspection capabilities that could detect the threat actor's command and control (C2) traffic from the VM.

Read more of this story at SoylentNews.
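The pattern the report describes (Hyper-V role enabled, management tooling disabled, a very small VM whose network traffic the host EDR never inspects) is something a defender can look for directly on the host. The triage script below is an added example for this post; it is not code from the article, BleepingComputer, or Bitdefender. It assumes an elevated PowerShell session on a Windows client edition (the DISM feature names are the ones Windows 10/11 use; Server editions name them differently), that the `root\virtualization\v2` WMI namespace is available whenever the vmms service is installed, and the 512 MB disk-size threshold and the warning text are our own heuristics.

```powershell
# Added defender-side Hyper-V triage (example code, not from the article or Bitdefender).
# Assumptions: run elevated on Windows Pro/Enterprise; client-edition DISM feature names;
# the size threshold and warning wording are our own heuristics.

function Get-HyperVFeatureState {
    # Hyper-V is installed as several optional features. The pattern in the report is
    # "hypervisor on, management tooling off", so report each piece on its own.
    $names = 'Microsoft-Hyper-V-Hypervisor',
             'Microsoft-Hyper-V-Services',
             'Microsoft-Hyper-V-Management-PowerShell',
             'Microsoft-Hyper-V-Management-Clients'
    foreach ($n in $names) {
        $f = Get-WindowsOptionalFeature -Online -FeatureName $n -ErrorAction SilentlyContinue
        [pscustomobject]@{ Feature = $n; State = $(if ($f) { $f.State } else { 'NotPresent' }) }
    }
}

function Get-VmInventoryViaWmi {
    # Deliberately avoids Get-VM: the Hyper-V PowerShell module may have been removed.
    # The WMI provider is served by vmms and answers regardless of which tools are installed.
    Get-CimInstance -Namespace 'root\virtualization\v2' -ClassName Msvm_ComputerSystem -ErrorAction SilentlyContinue |
        Where-Object { $_.Caption -eq 'Virtual Machine' } |
        Select-Object ElementName, Name, EnabledState, InstallDate
}

function Find-SmallVirtualDisks {
    param([string[]]$Roots = @('C:\'), [int]$MaxMB = 512)
    # The reported VM used about 120 MB of disk; tiny VHD/VHDX files outside the usual
    # Hyper-V directories deserve a closer look. Threshold is a constructed heuristic.
    Get-ChildItem -Path $Roots -Recurse -Include *.vhd, *.vhdx -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -lt ($MaxMB * 1MB) } |
        Select-Object FullName, @{ n = 'SizeMB'; e = { [math]::Round($_.Length / 1MB, 1) } }, LastWriteTime
}

function Get-RecentVmmsEvents {
    param([int]$Max = 50)
    # Recent entries from the Hyper-V VMMS admin log show VM creation/start activity;
    # no event-ID filter is applied here so nothing is missed on first look.
    Get-WinEvent -LogName 'Microsoft-Windows-Hyper-V-VMMS-Admin' -MaxEvents $Max -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

$features = Get-HyperVFeatureState
$features | Format-Table -AutoSize

$hypervisorOn = ($features | Where-Object Feature -eq 'Microsoft-Hyper-V-Hypervisor').State -eq 'Enabled'
$mgmtOff = @($features | Where-Object Feature -like '*Management*' | Where-Object State -ne 'Enabled').Count -gt 0
if ($hypervisorOn -and $mgmtOff) {
    Write-Warning 'Hypervisor enabled but management tooling disabled: matches the pattern in the report; review the VM inventory below.'
}

$svc = Get-Service -Name vmms -ErrorAction SilentlyContinue
'vmms service: {0}' -f $(if ($svc) { $svc.Status } else { 'not installed' })

Get-VmInventoryViaWmi   | Format-Table -AutoSize
Find-SmallVirtualDisks  | Format-Table -AutoSize
Get-RecentVmmsEvents    | Format-Table -AutoSize -Wrap
```

The feature check and the WMI inventory are the two pieces that matter: a host where the hypervisor is enabled but the management clients are not has no legitimate reason to look that way, and the WMI query still lists every registered VM even after the PowerShell module is gone. The disk scan over all of `C:\` is slow on large volumes; narrow `$Roots` to user-writable locations once the default Hyper-V paths have been checked.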
