Hackers Exploit Windows Virtualization: Curly COMrades Use Hyper-V to Evade Security Detection

Hackers Use Windows Virtualization Technology to Evade Security Detection
Cybersecurity researchers have uncovered a sophisticated Russian-aligned threat group using Windows Hyper-V technology to create hidden Linux virtual machines on compromised systems, enabling them to bypass traditional security detection methods.
A recent Bitdefender report reveals that the group, known as Curly COMrades, has been targeting organizations in Georgia and Moldova since late 2023. By isolating malware within virtual machines managed through hypervisor technology, the attackers effectively circumvent endpoint detection and response (EDR) solutions while maintaining persistent access to victim networks.
Hidden Virtual Machine Infrastructure
The Curly COMrades threat actors have implemented an innovative approach to maintaining stealth within compromised systems. According to Bitdefender researchers Victor Vrabie, Adrian Schipor, and Martin Zugec, the group enables the Hyper-V role on targeted Windows 10 systems to deploy minimalistic Alpine Linux-based virtual machines.
"This hidden environment, with its lightweight footprint (only 120MB disk space and 256MB memory), hosted their custom reverse shell, CurlyShell, and a reverse proxy, CurlCat," the researchers explained.
The strategic use of virtualization technology creates a significant security challenge. By running malware inside the virtual environment, attackers effectively isolate their operations from security tools running on the host system. This separation makes it extremely difficult for security teams to detect malicious activity using traditional methods.
The attackers demonstrated remarkable technical sophistication in their implementation. The virtual machines were deliberately kept minimal, requiring very few resources to operate – just 120MB of disk space and 256MB of RAM. This lightweight approach helped avoid raising suspicion through unusual system resource consumption that might otherwise trigger alerts.
For organizations defending against such threats, this technique presents a serious challenge: it bypasses many endpoint detection and response capabilities, which are designed to monitor host operating system activity rather than what runs inside a virtualized guest.
Defense Evasion Through Virtualization
One particularly concerning aspect of this attack methodology is how it exploits legitimate Windows functionality. Hyper-V is a native virtualization platform included with many Windows editions, making this technique accessible without requiring additional software that might trigger security alerts. The threat actors effectively create an isolated "island" within the compromised system where traditional security monitoring has limited visibility.
Advanced Toolset for Persistent Access
The Curly COMrades group employs several custom-developed tools to maintain access and control over compromised networks. Their arsenal includes:
- CurlyShell: A previously undocumented ELF binary deployed in the virtual machine that provides a persistent reverse shell, allowing attackers to execute commands remotely.
- CurlCat: A custom reverse proxy tool that shares code with CurlyShell but focuses on tunneling traffic through SSH connections.
- RuRat: Used for persistent remote access to compromised systems.
- Mimikatz: Deployed to harvest credentials from victim machines.
- MucorAgent: A modular .NET implant with versions dating back to November 2023.
Bitdefender researchers noted that "the threat actor demonstrated a clear determination to maintain a reverse proxy capability, repeatedly introducing new tooling into the environment."
The group also leverages multiple proxy and tunneling methods, including Resocks, Rsockstun, Ligolo-ng, CCProxy, Stunnel, and SSH-based techniques. These tools allow attackers to maintain stealthy communication channels between their command infrastructure and compromised systems.
CurlyShell, one of the group's most sophisticated tools, operates as a headless background daemon that connects to command-and-control servers via HTTP. It polls for new commands through GET requests and transmits execution results using POST requests, with all communications encrypted to avoid detection.
Communication Infrastructure
The attackers have implemented a multi-layered communication strategy that makes detection and attribution challenging. By using encrypted channels and multiple proxy layers, they obscure the origins of their commands and the destinations of exfiltrated data. This sophisticated approach demonstrates the high level of operational security maintained by the group throughout their campaigns.
Implications for Network Security
This attack methodology represents a concerning evolution in threat actor techniques. By weaponizing legitimate virtualization technology, attackers have found a way to operate in an environment that's largely invisible to many security solutions.
For security professionals, this case highlights several critical considerations:
- Traditional endpoint security solutions may need enhancement to detect suspicious virtualization activity, particularly the creation of virtual machines that might be used to bypass security controls.
- Organizations should implement comprehensive monitoring of virtualization technologies in their environment, with special attention to the activation of features like Hyper-V on systems where they're not typically needed.
- Network security monitoring becomes even more critical as it can potentially detect unusual communication patterns even when endpoint solutions are bypassed.
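The first two considerations above can be turned into a quick host audit. The script below is an added example written for this article, not tooling from Bitdefender or the group described; it uses the standard Hyper-V PowerShell module cmdlets and must be run with administrative rights. The "small footprint" thresholds are assumptions chosen to catch a guest in the 256MB / 120MB range the report describes.

```powershell
# Added example: audit a Windows 10 workstation for unexpected Hyper-V use.
# Thresholds are assumptions; tune them to what is normal in your fleet.
param(
    [int]$MaxSuspectMemoryMB = 512,
    [int]$MaxSuspectDiskMB   = 512
)

# 1. Is the Hyper-V role enabled at all? On a workstation with no business
#    need for virtualization, "Enabled" is itself worth investigating.
$feature = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All
[pscustomobject]@{ Check = 'Hyper-V feature'; Value = $feature.State }

if ($feature.State -ne 'Enabled') { return }

# 2. Enumerate guests and flag any with an unusually small footprint.
#    MemoryStartup is reported in bytes; VHD size is read from the file on disk.
foreach ($vm in Get-VM) {
    $memMB  = [math]::Round($vm.MemoryStartup / 1MB)
    $diskMB = 0
    foreach ($d in Get-VMHardDiskDrive -VMName $vm.Name) {
        if ($d.Path -and (Test-Path $d.Path)) {
            $diskMB += [math]::Round((Get-Item $d.Path).Length / 1MB)
        }
    }
    $suspect = ($memMB -le $MaxSuspectMemoryMB) -and ($diskMB -le $MaxSuspectDiskMB)
    [pscustomobject]@{
        Check   = 'VM'
        Name    = $vm.Name
        State   = $vm.State
        MemMB   = $memMB
        DiskMB  = $diskMB
        Suspect = $suspect
    }
}

# 3. Recent entries from the Hyper-V management service log, which record
#    when guests were created, started and stopped on this host.
Get-WinEvent -LogName 'Microsoft-Windows-Hyper-V-VMMS-Admin' -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Run it from an endpoint management tool across workstations and treat any host where the feature is enabled but not approved, or where a guest is marked Suspect, as a triage lead rather than a verdict.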
The Curly COMrades group's activities, which align with Russian interests according to Bitdefender, demonstrate how nation-state affiliated threat actors continue to innovate in their approaches to maintaining persistent access to targeted organizations.
Security teams should use this information to evaluate their current detection capabilities for virtualization-based attacks and implement additional monitoring for Hyper-V or other virtualization technologies that could be misused in their environments.
By understanding these advanced techniques, organizations can better prepare their defenses against the increasingly sophisticated threat landscape that leverages legitimate technologies for malicious purposes.
Recommended Mitigation Strategies
Organizations looking to protect themselves against virtualization-based attacks should consider implementing a defense-in-depth approach that includes:
- Strict privilege management: Limiting which users can enable virtualization features on endpoints
- Network segmentation: Implementing robust endpoint security measures with network isolation capabilities to contain potential breaches
- Behavioral analytics: Deploying solutions that can detect unusual system behavior, including unexpected virtualization activity
- Regular security audits: Conducting periodic reviews of enabled system features and services to identify unauthorized changes
These measures can significantly reduce the risk posed by virtualization-based attacks, even when traditional antivirus and EDR solutions might be bypassed by the virtualization layer. According to Microsoft's security documentation, monitoring for unexpected Hyper-V activation can be a critical indicator of compromise in enterprise environments.