Russian Hackers Use Linux VMs to Hide in Windows

A group of pro-Russian hackers known as “Curly COMrades” has been using lightweight Linux virtual machines (VMs) to remain undetected in Windows environments. Because the malicious tooling runs inside the guest rather than as a process on the Windows host, host-based endpoint detection and response (EDR) tools, which watch processes, files and memory on the host, see little of it, making the activity hard to detect with traditional endpoint controls.

The hackers create a hidden environment on the victim’s device by enabling Hyper-V and deploying an Alpine Linux-based VM. The VM hosts a custom reverse shell called CurlyShell and a reverse proxy called CurlCat, both of which are malware developed by the group rather than off-the-shelf tools. The reverse shell gives the operators command execution, and the reverse proxy tunnels traffic for them; since the guest's traffic leaves through the Windows host's network stack, it appears as ordinary outbound traffic from the host, which keeps the activity stealthy.
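The following hunting script is an added example, not code from the Dark Reading article or from the researchers who documented the campaign, and it is not tied to any indicator from the source. It checks a Windows host for the pattern described above: the Hyper-V platform turned on, its management service and per-VM worker processes present, and small, recently created VMs whose disks sit outside the default Hyper-V folders. It assumes it is run as Administrator on Windows 10/11 or Windows Server with the Hyper-V PowerShell module available when the role is enabled; the 512 MB memory threshold, the path heuristic and the DISM/Enable-WindowsOptionalFeature command-line pattern are illustrative assumptions, and the Security 4688 check only works where process command-line auditing is enabled.

```powershell
#Requires -RunAsAdministrator
# Added hunting example (not from the article or the original research).
# Assumptions: run elevated on a Windows host; thresholds and patterns below
# are illustrative, not indicators taken from the source.

$findings = @()

# 1. Is the Hyper-V platform enabled on a host where nobody expects it?
$feature = Get-WindowsOptionalFeature -Online -FeatureName 'Microsoft-Hyper-V' -ErrorAction SilentlyContinue
if ($feature -and $feature.State -eq 'Enabled') {
    $findings += 'Hyper-V platform feature is Enabled'
}

# 2. The Hyper-V Virtual Machine Management service (service name: vmms).
$vmms = Get-Service -Name 'vmms' -ErrorAction SilentlyContinue
if ($vmms) {
    $findings += "vmms service present, status=$($vmms.Status) startType=$($vmms.StartType)"
}

# 3. Hyper-V starts one vmwp.exe worker process per running VM; this shows
#    up even if the Hyper-V management cmdlets are not installed.
$workers = Get-Process -Name 'vmwp' -ErrorAction SilentlyContinue
if ($workers) {
    $findings += "Running VM worker processes (vmwp.exe): $(@($workers).Count)"
}

# 4. Inventory VMs and flag small or oddly placed guests.
if (Get-Command -Name Get-VM -ErrorAction SilentlyContinue) {
    foreach ($vm in Get-VM) {
        $disks = Get-VMHardDiskDrive -VMName $vm.Name -ErrorAction SilentlyContinue
        $nics  = Get-VMNetworkAdapter -VMName $vm.Name -ErrorAction SilentlyContinue
        $memMB = [int]($vm.MemoryStartup / 1MB)   # MemoryStartup is in bytes
        $line  = "VM '$($vm.Name)' state=$($vm.State) memMB=$memMB created=$($vm.CreationTime) config=$($vm.Path)"
        foreach ($d in $disks) { $line += " vhd=$($d.Path)" }
        foreach ($n in $nics)  { $line += " switch=$($n.SwitchName)" }

        # Illustrative heuristic (assumption): a minimal Linux guest with little
        # RAM, or a disk outside the default Hyper-V folders, deserves a look.
        $small = $memMB -le 512
        $odd   = $disks | Where-Object {
            $_.Path -notlike '*\Hyper-V\*' -and $_.Path -notlike '*\Virtual Hard Disks\*'
        }
        if ($small -or $odd) { $line = 'SUSPECT ' + $line }
        $findings += $line
    }
}

# 5. Audit trail: who enabled Hyper-V? Security event 4688 carries the command
#    line only when command-line auditing is on. The DISM / Enable-WindowsOptionalFeature
#    pattern is an assumption about common ways to enable the feature.
$since  = (Get-Date).AddDays(-30)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue
foreach ($e in $events) {
    if ($e.Message -match 'Microsoft-Hyper-V' -and
        $e.Message -match 'dism\.exe|Enable-WindowsOptionalFeature') {
        $findings += "4688 at $($e.TimeCreated): Hyper-V enable command line observed"
    }
}

if ($findings.Count -eq 0) { 'No Hyper-V indicators found on this host.' } else { $findings }
```

On a workstation fleet where Hyper-V is not part of the build, any non-empty output from steps 1 to 3 is already worth a ticket; the VM inventory and the 4688 search are there to tell an administrator's lab VM apart from a guest that appeared on its own.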

To evade detection, the hackers use a combination of techniques, including PowerShell scripts that inject Kerberos tickets into the Local Security Authority Subsystem Service (LSASS) for remote authentication and command execution. Injecting a previously obtained ticket into LSASS lets the attackers authenticate to other hosts as that account without supplying a password, and the resulting traffic looks like ordinary Kerberos authentication. This allows them to maintain long-term access in target networks without being detected.

Experts recommend that organizations implement defense-in-depth, multilayered security measures to counter this threat. This can include network security layers capable of detecting and intercepting malicious traffic patterns, since traffic from the hidden VM still has to cross the network even if the host's EDR never sees the process that generated it, as well as managed detection and response (MDR) services for leaner organizations. On the host itself, an unexpectedly enabled Hyper-V role, a running Hyper-V management service or vmwp.exe worker process, and a VM whose disk sits outside the default Hyper-V folders are all worth alerting on where virtualization is not part of the standard build.

Source: https://www.darkreading.com/endpoint-security/pro-russian-hackers-linux-vms-hide-windows