
"This hidden environment, with its lightweight footprint (only 120MB disk space and 256MB memory), hosted their custom reverse shell, CurlyShell, and a reverse proxy, CurlCat,"
"By isolating the malware and its execution environment within a VM, the attackers effectively bypassed many traditional host-based EDR detections,"
Curly COMrades abused Microsoft's Hyper-V hypervisor on compromised Windows machines to run hidden Alpine Linux virtual machines that evade endpoint detection and response tools. The hidden VM had a small footprint (only 120MB of disk space and 256MB of memory) and hosted a custom reverse shell, CurlyShell, and a reverse proxy, CurlCat. On at least two hosts the attackers remotely enabled the Microsoft-Hyper-V optional feature while leaving its management interface disabled, then downloaded the lightweight VM image. The VM was attached to Hyper-V's Default Switch, which NATs guest traffic through the host's own network stack, so the malicious outbound connections looked like ordinary host traffic and slipped past host-based EDR detections. The group supports Russian geopolitical interests but has not been explicitly linked to the Russian government.
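The following PowerShell is an added triage script, not code from The Register's article or from the Bitdefender research it reports on; it surfaces the artifacts the summary describes on a suspect Windows host. It assumes an elevated session on Windows 10/11 or Server 2016+, queries the root\virtualization\v2 CIM namespace directly (so it works even when the Hyper-V PowerShell module and Get-VM were never installed, as in the reported intrusions), and uses an arbitrary 512 MB threshold, chosen here, to flag guests as lean as the 256 MB one described.

```powershell
#Requires -RunAsAdministrator
# Hyper-V abuse triage (added example; assumes the root\virtualization\v2 namespace exists).
$smallVmMemoryMB = 512   # arbitrary threshold for "suspiciously lean" guests

'== Hyper-V optional-feature state =='
# Hypervisor enabled but management tooling left off matches the reported tradecraft.
foreach ($name in 'Microsoft-Hyper-V',
                  'Microsoft-Hyper-V-Management-PowerShell',
                  'Microsoft-Hyper-V-Management-Clients') {
    $f = Get-WindowsOptionalFeature -Online -FeatureName $name -ErrorAction SilentlyContinue
    $state = if ($f) { $f.State } else { 'not present on this SKU' }
    '{0,-42} {1}' -f $name, $state
}
'HypervisorPresent : {0}' -f (Get-CimInstance Win32_ComputerSystem).HypervisorPresent
$vmms = Get-Service vmms -ErrorAction SilentlyContinue
'vmms service      : {0}' -f $(if ($vmms) { $vmms.Status } else { 'absent' })

'== Virtual machines known to VMMS (CIM query, Get-VM not required) =='
$ns  = 'root\virtualization\v2'
$vms = Get-CimInstance -Namespace $ns -ClassName Msvm_ComputerSystem -ErrorAction SilentlyContinue |
       Where-Object Caption -eq 'Virtual Machine'
if (-not $vms) { '(none, or namespace absent)' }
foreach ($vm in $vms) {
    # 'Realized' settings hold the VM's current configuration; other entries are snapshots.
    $vssd = Get-CimAssociatedInstance -InputObject $vm -ResultClassName Msvm_VirtualSystemSettingData -ErrorAction SilentlyContinue |
            Where-Object VirtualSystemType -eq 'Microsoft:Hyper-V:System:Realized'
    $memMB = $null
    if ($vssd) {
        # VirtualQuantity is the configured startup memory in MB.
        $memMB = (Get-CimAssociatedInstance -InputObject $vssd -ResultClassName Msvm_MemorySettingData -ErrorAction SilentlyContinue).VirtualQuantity
    }
    $flag = if ($memMB -and [int]$memMB -le $smallVmMemoryMB) { '  <-- small footprint, review' } else { '' }
    # EnabledState: 2 = running, 3 = off, 32768 = paused, 32769 = saved
    '{0,-30} state={1,-6} memMB={2,-6} cfg={3}{4}' -f $vm.ElementName, $vm.EnabledState, $memMB,
        $(if ($vssd) { $vssd.ConfigurationDataRoot } else { '?' }), $flag
}

'== Virtual switches (the Default Switch NATs guest traffic through the host stack) =='
Get-CimInstance -Namespace $ns -ClassName Msvm_VirtualEthernetSwitch -ErrorAction SilentlyContinue |
    ForEach-Object { '{0}  id={1}' -f $_.ElementName, $_.Name }

'== Recent VMMS admin events (VM creation and state changes) =='
Get-WinEvent -LogName 'Microsoft-Windows-Hyper-V-VMMS-Admin' -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{n='Message'; e={ ($_.Message -split "`n")[0] }} |
    Format-Table -AutoSize
```

Run it on a host where Hyper-V is not expected; any registered VM, a running vmms service, or the hypervisor feature enabled without the management features is worth investigating. Because guest traffic leaves through the host's NAT, network telemetry attributes it to the host's IP, so this host-side inventory is the more reliable place to look than outbound flow logs.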
Read at Theregister