Other malware tools: The researchers also found additional malware payloads left by the attackers on compromised systems, including a custom PowerShell script that injects a Kerberos ticket into LSASS (a pass-the-ticket technique) to enable authentication and command execution on remote systems.

Another PowerShell script was pushed to multiple systems via domain Group Policy to change the password of an account called “user”, or to create it if it didn’t exist. A variant of this script targeted an account called “camera” instead.

With the help of the Georgian CERT, which seized one of the group’s C2 servers, the researchers were also able to analyze how the attackers had set up their infrastructure, which proved equally sophisticated. The attackers had disabled certificate revocation checking in CurlCat, which allowed them to deploy custom certificates on their C2 server and still use encrypted HTTPS traffic. A proxy server listening for incoming traffic on port 443 (HTTPS) then decrypted and relayed that traffic to an SSH server with a custom configuration.

“The sophistication demonstrated by Curly COMrades confirms a key trend: as EDR/XDR solutions become commodity tools, threat actors are getting better at bypassing them through tooling or techniques like VM isolation,” the researchers said. “To counter this, organizations must move beyond relying on a single security layer and implement defense-in-depth, multilayered security. It is critical to start designing the entire environment to be hostile to attackers.”

Bitdefender published indicators of compromise related to this attack campaign on GitHub.
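The Group Policy-pushed account script described above has a recognisable shape in the Windows Security log: the same account name is created (event 4720) or has its password reset (event 4724) on many hosts within seconds of each other. The following hunting logic is an added example written for this page, not code from the article, from Bitdefender or from the attackers’ tooling. It runs over a constructed, synthetic set of events; the field names mirror the Windows Security log, and the watchlist names “user” and “camera” come from the article, while the thresholds (three hosts, five minutes) are assumptions to tune per environment.

```python
"""Hunt Windows Security events for GPO-style mass account creation / password resets.

Added example, not from the article. The events below are constructed (synthetic),
not real telemetry. Field meanings follow the Windows Security log:
  4720 = a user account was created
  4724 = an attempt was made to reset an account's password
  target = TargetUserName (the account acted upon), subject = SubjectUserName
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Generic local account names reported in the article as targets of the script.
WATCHLIST = {"user", "camera"}

ACCOUNT_EVENTS = {4720: "account created", 4724: "password reset"}

# Constructed sample events (synthetic): one fan-out burst for "user" across four
# hosts, one isolated "camera" creation, and benign helpdesk activity for "jsmith".
SAMPLE_EVENTS = [
    {"time": "2025-11-04T09:00:02", "host": "WS-001", "event_id": 4724, "target": "user", "subject": "SYSTEM"},
    {"time": "2025-11-04T09:00:05", "host": "WS-002", "event_id": 4720, "target": "user", "subject": "SYSTEM"},
    {"time": "2025-11-04T09:00:09", "host": "WS-003", "event_id": 4724, "target": "user", "subject": "SYSTEM"},
    {"time": "2025-11-04T09:00:11", "host": "WS-004", "event_id": 4724, "target": "user", "subject": "SYSTEM"},
    {"time": "2025-11-04T10:15:00", "host": "WS-010", "event_id": 4720, "target": "camera", "subject": "SYSTEM"},
    {"time": "2025-11-04T11:30:00", "host": "WS-020", "event_id": 4720, "target": "jsmith", "subject": "admin.helpdesk"},
    {"time": "2025-11-05T11:30:00", "host": "WS-021", "event_id": 4724, "target": "jsmith", "subject": "admin.helpdesk"},
]


def parse_time(value):
    """Parse the ISO-8601 timestamp used in the sample events."""
    return datetime.fromisoformat(value)


def watchlist_hits(events):
    """Return (host, account, description) for every account event touching a watchlisted name.

    This is the cheap, name-based rule: it catches the specific accounts reported,
    but misses a variant that picks a different name.
    """
    return [
        (e["host"], e["target"], ACCOUNT_EVENTS[e["event_id"]])
        for e in events
        if e["event_id"] in ACCOUNT_EVENTS and e["target"].lower() in WATCHLIST
    ]


def fanout_hits(events, min_hosts=3, window=timedelta(minutes=5)):
    """Return {account: max distinct hosts} for accounts created/reset on >= min_hosts
    distinct hosts within `window`.

    This is the behavioural rule: a script pushed via Group Policy fires on many
    machines at nearly the same time, whatever account name it uses. Thresholds
    are assumptions; a real deployment would tune them to its GPO refresh pattern.
    """
    by_target = defaultdict(list)
    for e in events:
        if e["event_id"] in ACCOUNT_EVENTS:
            by_target[e["target"].lower()].append((parse_time(e["time"]), e["host"]))

    hits = {}
    for target, items in by_target.items():
        items.sort()  # sort by timestamp so a sliding window works
        start = 0
        for end in range(len(items)):
            # Shrink the window from the left until it spans at most `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            hosts = {host for _, host in items[start:end + 1]}
            if len(hosts) >= min_hosts:
                hits[target] = max(len(hosts), hits.get(target, 0))
    return hits


if __name__ == "__main__":
    for host, account, what in watchlist_hits(SAMPLE_EVENTS):
        print(f"[watchlist] {host}: {what} for account '{account}'")
    for account, n_hosts in fanout_hits(SAMPLE_EVENTS).items():
        print(f"[fan-out]   account '{account}' touched on {n_hosts} hosts within 5 minutes")
```

The two rules are deliberately independent: the watchlist rule is precise but brittle, while the fan-out rule survives a renamed account and is the one worth keeping in a SIEM. In production the same logic would consume 4720/4724 events exported from the domain's security logs rather than the embedded sample list.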
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4085272/russian-apt-abuses-windows-hyper-v-for-persistence-and-malware-execution.html

