
A previously undocumented threat actor tracked as Curly COMrades has been observed targeting entities in Georgia and Moldova as part of a cyber espionage campaign designed to establish long-term access to the targeted networks.
“They repeatedly attempted to extract the NTDS database from domain controllers. This is the primary repository of user password hashes and authentication data on Windows networks,” Bitdefender said in a report shared with The Hacker News. “In addition, they attempted to dump LSASS memory from a specific system to recover active user credentials, potentially plaintext passwords, from the machine the user is logged on to.”
The activity, tracked by the Romanian cybersecurity company since mid-2024, has singled out judicial and government agencies in Georgia, as well as an energy distribution company in Moldova.
Curly COMrades is assessed to operate with goals aligned with Russia's geopolitical strategy. The name derives from the group's heavy reliance on the curl utility for command-and-control (C2) communications and data transfer, and on the hijacking of Component Object Model (COM) objects.

The ultimate goal of the attacks is to establish long-term access in order to perform reconnaissance and credential theft, move deeper into the network, and use that foothold to collect data with custom tools and exfiltrate it to attacker-controlled infrastructure.
“The overall behavior illustrates a systematic approach that combines standard attack techniques with implementations tailored to blend in with legitimate system activity,” the company noted. “These operations were characterized by repeated trial and error, the use of redundant methods, and progressive setup procedures, all aimed at maintaining a resilient, low-noise scaffold across multiple systems.”
A notable aspect of the attacks is the use of legitimate tools such as Resocks, SSH, and Stunnel to create multiple tunnels into the internal network and execute commands remotely using the stolen credentials. Another proxy tool deployed alongside Resocks is a SOCKS5 proxy. The exact initial access vector employed by the threat actor is currently unknown.
Persistent access to infected endpoints is achieved through a bespoke backdoor called MucorAgent, which hijacks the class identifier (CLSID), the globally unique identifier of a COM class object.
“NGEN, the default Windows .NET Framework component that precompiles assemblies, provides a persistence mechanism through disabled scheduled tasks,” Bitdefender said. “This task may seem inactive, but the operating system can enable and run it from time to time at unpredictable intervals (such as during system idle time or new application deployments), making it a great mechanism for secretly restoring access.”
Abusing a CLSID linked to NGEN highlights the adversary's technical capabilities and confirms the ability to execute malicious commands under the highly privileged SYSTEM account. Given the overall unpredictability associated with NGEN, it is suspected that a more reliable mechanism exists for executing specific tasks.
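The page does not name the CLSID the actor hijacked, so a targeted IOC check is not possible from it; what a defender can do is audit the hijack pattern itself and the trigger the report names. The following is an added example, not code from Bitdefender or from the actor's toolset: a PowerShell audit that reports per-user COM registrations shadowing machine-wide ones (the classic, non-privileged hijack), machine-wide in-process servers whose DLL is missing or unsigned (relevant because this actor ran as SYSTEM and could edit HKLM directly), and the state and actions of the NGEN scheduled tasks. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows with .NET Framework 4.x, admin rights for the task query, and the task folder path shown, which is the standard location but should be confirmed on the build in question.

```powershell
# Added example, not code from the Bitdefender report: audit COM CLSID hijack
# candidates and the NGEN scheduled tasks named as the persistence trigger.

function Get-ComHijackCandidates {
    # HKCU\Software\Classes is consulted before HKLM for per-user COM activation,
    # so a user-writable server entry that differs from the machine one silently
    # redirects every caller of that CLSID.
    $userRoot = 'Registry::HKEY_CURRENT_USER\Software\Classes\CLSID'
    if (-not (Test-Path $userRoot)) { return }
    foreach ($k in Get-ChildItem $userRoot -ErrorAction SilentlyContinue) {
        foreach ($serverKey in 'InprocServer32', 'LocalServer32') {
            $userKey = Join-Path $k.PSPath $serverKey
            if (-not (Test-Path $userKey)) { continue }
            $userValue = (Get-ItemProperty $userKey -ErrorAction SilentlyContinue).'(default)'
            $machineKey = "Registry::HKEY_LOCAL_MACHINE\Software\Classes\CLSID\$($k.PSChildName)\$serverKey"
            $machineValue = if (Test-Path $machineKey) {
                (Get-ItemProperty $machineKey -ErrorAction SilentlyContinue).'(default)'
            } else { $null }
            if ($null -ne $userValue -and $userValue -ne $machineValue) {
                [pscustomobject]@{ CLSID = $k.PSChildName; ServerKey = $serverKey
                                   UserServer = $userValue; MachineServer = $machineValue
                                   ShadowsMachineEntry = [bool]$machineValue }
            }
        }
    }
}

function Get-UnsignedMachineComServers {
    # Complements the HKCU check: an adversary running as SYSTEM can replace the
    # HKLM InprocServer32 value directly, so report machine-wide servers whose
    # DLL is missing or lacks a valid Authenticode signature. A full scan is
    # slow; pass -Clsid for a targeted check.
    param([string[]] $Clsid)
    $root = 'Registry::HKEY_LOCAL_MACHINE\Software\Classes\CLSID'
    $keys = if ($Clsid) { $Clsid | ForEach-Object { Get-Item "$root\$_" -ErrorAction SilentlyContinue } }
            else { Get-ChildItem $root -ErrorAction SilentlyContinue }
    foreach ($k in $keys) {
        $serverKey = Join-Path $k.PSPath 'InprocServer32'
        if (-not (Test-Path $serverKey)) { continue }
        $raw = (Get-ItemProperty $serverKey -ErrorAction SilentlyContinue).'(default)'
        if (-not $raw) { continue }
        $path = [Environment]::ExpandEnvironmentVariables($raw.Trim('"'))
        # Bare file names resolve via the DLL search path; System32 is assumed here.
        if (-not [System.IO.Path]::IsPathRooted($path)) { $path = Join-Path $env:SystemRoot "System32\$path" }
        if (-not (Test-Path $path)) {
            [pscustomobject]@{ CLSID = $k.PSChildName; Server = $raw; Status = 'Missing' }
            continue
        }
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') {
            [pscustomobject]@{ CLSID = $k.PSChildName; Server = $raw; Status = $sig.Status }
        }
    }
}

function Get-NgenTaskState {
    # The NGEN tasks live under this folder on .NET Framework 4.x installs
    # (assumed path). 'Disabled' is their normal state; the runtime itself
    # enables and runs them, which is what makes them a quiet trigger.
    Get-ScheduledTask -TaskPath '\Microsoft\Windows\.NET Framework\' -ErrorAction SilentlyContinue |
        Where-Object TaskName -like '*NGEN*' |
        ForEach-Object {
            $info = Get-ScheduledTaskInfo -TaskName $_.TaskName -TaskPath $_.TaskPath -ErrorAction SilentlyContinue
            [pscustomobject]@{
                TaskName = $_.TaskName
                State    = $_.State
                Actions  = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
                LastRun  = $info.LastRunTime
            }
        }
}

Get-ComHijackCandidates      | Format-Table -AutoSize
Get-NgenTaskState            | Format-List
# Full HKLM sweep; restrict with -Clsid '{...}' when checking a specific identifier.
Get-UnsignedMachineComServers | Format-Table -AutoSize
```

Any HKCU entry that shadows an HKLM one, any machine-wide server resolving to a missing or unsigned DLL, and any NGEN task whose action is not the stock ngen.exe invocation deserve a closer look. Third-party software does register unsigned COM servers legitimately, so treat the unsigned-server list as a review queue rather than an alert.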
MucorAgent, a modular .NET implant, is launched via a three-stage process and can execute encrypted PowerShell scripts and upload their output to a specified server. Bitdefender said it does not retrieve any other PowerShell payloads.
“The design of MucorAgent suggests that it is likely intended to serve as a backdoor that allows payloads to be run regularly,” the company explained. “Each encrypted payload was removed after being loaded into memory, and no additional mechanism was identified for delivering new payloads periodically.”

Also weaponized by Curly COMrades are legitimate but compromised websites, used as relays during C2 communications and data exfiltration so that malicious traffic blends in with normal network activity and flies under the radar. Some of the other tools observed in the attacks are listed below –
- CurlCat, used to facilitate bidirectional data transfer between the standard input and output streams (STDIN and STDOUT) and the C2 server, routing the traffic through a compromised website over HTTPS
- RuRat
- A discovery PowerShell script that exfiltrates stolen data (credentials, domain information, internal application data) using curl
“The analysed campaigns revealed highly sustainable and adaptable threat actors who employ a wide range of known, customized technologies to establish and maintain long-term access within the target environment,” Bitdefender said.
“Attackers rely heavily on publicly available tools, open source projects, and LOLBins, indicating that they prefer stealth, flexibility, and minimal detection over exploiting new vulnerabilities.”