Pro-Russian hackers hide in Windows with Linux VMs
Briefly

"The group, which according to the researchers operates in line with Russian geopolitical interests, uses hidden Linux virtual machines to bypass detection by traditional security measures. The investigation, conducted in collaboration with the Georgian CERT, revealed that the attackers exploit Hyper-V, the built-in virtualization technology of Windows 10. After gaining access to a target, they activate Hyper-V but disable the management tools to prevent monitoring by system administrators."
"They then use carefully scripted CMD and PowerShell commands to download a small RAR archive that masquerades as a video file. That archive contains the configuration files and virtual disk of a pre-configured Alpine Linux environment, which is automatically imported and started. It is noteworthy that the attackers name the virtual machine WSL, which refers to the Windows Subsystem for Linux. This naming is intended to avoid suspicion, as WSL is a trusted tool for developers."
"Within this miniature Linux installation, which uses only 120 MB of disk space and 256 MB of memory, two core components run: CurlyShell, a persistent reverse shell, and CurlCat, a tool for hiding network traffic. Because the traffic runs through the Windows host's IP address, it appears to security systems to come from a legitimate source. According to DarkReading, Bitdefender emphasizes that this is the main strength of the method: by performing activities in a separate virtual layer, they remain invisible to most detection systems."
Curly COMrades, a group that operates in line with Russian geopolitical interests, deploys hidden Linux virtual machines to bypass traditional security measures. After initial access, the attackers enable Hyper-V on the Windows host while disabling its management tools, so that administrators have no obvious view of what the hypervisor is running. Scripted CMD and PowerShell commands then download a small RAR archive disguised as a video file; it contains the configuration files and virtual disk of a preconfigured Alpine Linux environment, which is imported and started automatically as a VM named WSL so that it blends in with legitimate developer tooling. The tiny VM (about 120 MB of disk and 256 MB of memory) runs CurlyShell, a persistent reverse shell, and CurlCat, a traffic-hiding tool. Because the VM's network traffic leaves through the host's own IP address, it looks to network defenses like legitimate host traffic, and because the implants execute inside the guest rather than on the Windows host, host-based agents see little of the activity.
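The combination the summary describes (hypervisor enabled, management tooling disabled, a VM named "WSL") is itself something a defender can look for. The following hunting script is an added example, not code from the Bitdefender/Techzine report; it assumes an elevated PowerShell session on a Windows 10/11 host, uses the real DISM optional-feature names and the `root\virtualization\v2` WMI namespace, and takes the "WSL" lure name from the article. The 500-event window and the `^WSL` pattern are assumptions, not indicators published by the researchers.

```powershell
# Added hunting example (not the report's own tooling). Run elevated.
# Assumed: Windows 10/11 with the Hyper-V role present; feature names are the
# real DISM names; the "WSL" VM-name lure comes from the article.

function Get-HyperVFeatureState {
    # Hypervisor/services vs. the two management features the attackers disable.
    $names = @(
        'Microsoft-Hyper-V-Hypervisor',
        'Microsoft-Hyper-V-Services',
        'Microsoft-Hyper-V-Management-Clients',
        'Microsoft-Hyper-V-Management-PowerShell'
    )
    foreach ($n in $names) {
        $f = Get-WindowsOptionalFeature -Online -FeatureName $n -ErrorAction SilentlyContinue
        [pscustomobject]@{ Feature = $n; State = if ($f) { $f.State } else { 'Unknown' } }
    }
}

# 1. Hypervisor on while management tools are off is the inversion the report describes.
$state = Get-HyperVFeatureState
$state | Format-Table -AutoSize
$hvOn    = ($state | Where-Object Feature -eq 'Microsoft-Hyper-V-Hypervisor').State -eq 'Enabled'
$mgmtOff = @($state | Where-Object { $_.Feature -like 'Microsoft-Hyper-V-Management-*' -and $_.State -ne 'Enabled' }).Count -gt 0
if ($hvOn -and $mgmtOff) {
    Write-Warning 'Hyper-V hypervisor enabled but management tools disabled: investigate this host'
}

# 2. Enumerate VMs through WMI/CIM rather than Get-VM, so the check still works
#    after the Hyper-V PowerShell module has been removed. Real WSL distributions
#    are never registered here as Msvm_ComputerSystem objects.
$vms = Get-CimInstance -Namespace root\virtualization\v2 -ClassName Msvm_ComputerSystem -ErrorAction SilentlyContinue |
       Where-Object { $_.Caption -eq 'Virtual Machine' }
foreach ($vm in $vms) {
    $flag = if ($vm.ElementName -match '^WSL') { '  <-- named like WSL but registered as a Hyper-V VM' } else { '' }
    "VM: $($vm.ElementName)  EnabledState=$($vm.EnabledState)$flag"
}

# 3. Each running Hyper-V VM has its own vmwp.exe worker process; a developer box
#    with no VMs should show none. (WSL 2 uses its own lightweight utility VM, so
#    cross-check entries here against `wsl.exe -l -v` before calling it malicious.)
Get-Process -Name vmwp -ErrorAction SilentlyContinue | Select-Object Id, StartTime

# 4. The VMMS admin log records VM import/creation and start; grep it for the lure name.
#    The 500-event window is an assumption; widen it for a real investigation.
Get-WinEvent -LogName 'Microsoft-Windows-Hyper-V-VMMS-Admin' -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'WSL' } |
    Select-Object TimeCreated, Id, Message
```

Step 2 is the one that matters most: because the guest's traffic is NATed out through the host and its implants never touch the host filesystem, the hypervisor's own inventory (CIM, the vmwp.exe worker processes and the VMMS log) is where the VM shows up, not in the EDR telemetry the attackers are counting on.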
Read at Techzine Global