Microsoft Hyper-V harnessed for stealthy, persistent malware compromise

Malware, Threat Intelligence

Windows machines' Hyper-V hypervisors are being targeted by the Russia-linked threat operation Curly COMrades to establish a concealed Alpine Linux-based virtual machine that enables long-term network compromise and malware delivery, as part of an attack campaign that commenced in July, The Register reports.

After using remote commands to activate Microsoft's Hyper-V virtualization functionality while disabling the management interface, Curly COMrades downloaded a Linux-based VM carrying the malware, configured to use Hyper-V's Default Switch network adaptor, according to an analysis from Bitdefender. Embedded within the VM were the novel CurlyShell implant, which uses a cron job for root-level persistence, and the previously documented CurlCat payload, which manages SSH reverse proxy tunnels. Additional findings revealed Curly COMrades' use of PowerShell scripts that inject Kerberos tickets into LSASS and create local accounts for persistence.

"The sophistication demonstrated by Curly COMrades confirms a key trend: as EDR/XDR solutions become commodity tools, threat actors are getting better at bypassing them through tooling or techniques like VM isolation," said Bitdefender senior security researcher Victor Vrabie.
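An added example, not from the SC Media article or Bitdefender's report: a PowerShell audit for the host-side traces described above (hypervisor enabled with the management components switched off, and guest VMs attached to the Default Switch). It assumes the standard Windows optional-feature names and the root\virtualization\v2 WMI namespace, and is run elevated on the host being checked.

```powershell
function Get-HyperVExposure {
    # Standard Windows optional-feature names; State is "Enabled" or "Disabled".
    $names = 'Microsoft-Hyper-V-Hypervisor', 'Microsoft-Hyper-V-Services',
             'Microsoft-Hyper-V-Management-PowerShell', 'Microsoft-Hyper-V-Management-Clients'
    $state = @{}
    foreach ($n in $names) {
        $f = Get-WindowsOptionalFeature -Online -FeatureName $n -ErrorAction SilentlyContinue
        $state[$n] = if ($f) { [string]$f.State } else { 'NotPresent' }
    }
    $hypervisorOn = $state['Microsoft-Hyper-V-Hypervisor'] -eq 'Enabled'
    $mgmtOff = ($state['Microsoft-Hyper-V-Management-PowerShell'] -ne 'Enabled') -and
               ($state['Microsoft-Hyper-V-Management-Clients'] -ne 'Enabled')

    $findings = New-Object System.Collections.Generic.List[string]
    if ($hypervisorOn -and $mgmtOff) {
        $findings.Add('Hypervisor enabled but both management components are off (matches the reported tradecraft)')
    }

    $vms = @()
    if ($hypervisorOn) {
        if (Get-Command Get-VM -ErrorAction SilentlyContinue) {
            $vms = Get-VM | ForEach-Object {
                $sw = (Get-VMNetworkAdapter -VMName $_.Name | Select-Object -ExpandProperty SwitchName) -join ','
                [pscustomobject]@{ Name = $_.Name; State = [string]$_.State; Switch = $sw; Path = $_.Path }
            }
        } else {
            # Fallback when the Hyper-V module is gone: WMI still lists guests. The host
            # appears in the same class, so keep only instances captioned "Virtual Machine".
            $vms = Get-CimInstance -Namespace 'root\virtualization\v2' -ClassName Msvm_ComputerSystem -ErrorAction SilentlyContinue |
                   Where-Object Caption -eq 'Virtual Machine' |
                   ForEach-Object { [pscustomobject]@{ Name = $_.ElementName; State = $_.EnabledState; Switch = '(module unavailable)'; Path = '' } }
            if (@($vms).Count -gt 0) {
                $findings.Add("$(@($vms).Count) VM(s) present although the Hyper-V PowerShell module is disabled")
            }
        }
        foreach ($vm in $vms) {
            # The Default Switch NATs guest traffic through the host's own address, so a
            # guest on it is invisible to network inventory that keys on host IPs.
            if ($vm.Switch -like '*Default Switch*') {
                $findings.Add("VM '$($vm.Name)' attached to Default Switch (egress via the host)")
            }
        }
    }
    [pscustomobject]@{ ComputerName = $env:COMPUTERNAME; Features = $state; VMs = $vms; Findings = $findings }
}

Get-HyperVExposure | Format-List
```

Any finding on a workstation where Hyper-V is not sanctioned is worth triaging; the feature states are also a cheap baseline to collect fleet-wide and diff over time.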
