A sophisticated new threat actor group dubbed "Curly COMrades" has emerged as a major cybersecurity concern, conducting targeted espionage campaigns against critical organizations in countries experiencing substantial geopolitical shifts.
The group has been actively pursuing long-term network access and credential theft operations since mid-2024, with a particular focus on judicial and government bodies in Georgia, as well as energy distribution companies in Moldova.
The threat actor's operations represent a methodical approach to cyber espionage, characterized by heavy reliance on proxy tools and the strategic use of compromised legitimate websites as traffic relays.
This tactic significantly complicates detection efforts by blending malicious communications with normal network activity, allowing the group to bypass security defenses that typically trust known domains while obscuring its true infrastructure.
Bitdefender analysts identified the group's primary objective as maintaining persistent access to target networks while systematically harvesting valid credentials.
The attackers repeatedly attempted to extract the NTDS database from domain controllers, which serves as the primary repository for user password hashes and authentication data in Windows networks.
Additionally, they focused on dumping LSASS memory from specific systems to recover active user credentials, including potentially plain-text passwords from machines where users remained logged in.
The naming convention "Curly COMrades" reflects both the group's technical methodologies and a deliberate attempt to de-glamorize cybercrime.
Resocks acts as a relay point into a compromised network. In this case, Network A represents an attacker, and Network B represents a victim (Source: Bitdefender)
The designation stems from their extensive use of curl.exe for command-and-control communications and data exfiltration, combined with their sophisticated exploitation of Component Object Model (COM) objects for persistence mechanisms.
The most technically sophisticated aspect of Curly COMrades' arsenal involves their deployment of MucorAgent, a previously unknown three-stage malware that employs an innovative persistence mechanism through CLSID hijacking.
This technique targets the Native Image Generator (NGEN), a default Windows .NET Framework component that pre-compiles assemblies for improved performance.
The malware establishes persistence by hijacking the COM handler with CLSID {de434264-8fe9-4c0b-a83b-89ebeebff78e}, which is associated with the ".NET Framework NGEN v4.0.30319 Critical" scheduled task.
While this task remains disabled by default, the Windows operating system periodically enables and executes it at unpredictable intervals, such as during system idle time or new application deployments.
reg add HKEY_USERS\SOFTWARE\Classes\CLSID\{de434264-8fe9-4c0b-a83b-89ebeebff78e}\InprocServer32 /t REG_SZ /d "C:\Windows\System32\mscoree.dll" /F
reg add HKEY_USERS\SOFTWARE\Classes\CLSID\{de434264-8fe9-4c0b-a83b-89ebeebff78e}\InprocServer32 /v Assembly /t REG_SZ /d "TaskLauncher, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" /F
This technique provides several advantages for the attackers, including stealthy execution under the highly privileged SYSTEM account and covert restoration of access during legitimate system optimization processes.
The unpredictability of NGEN task execution times suggests that the attackers likely employed parallel, more reliable triggers to ensure consistent access to compromised systems.
This innovative approach to COM hijacking in conjunction with NGEN represents an unprecedented persistence mechanism that demonstrates the group's sophisticated understanding of Windows internals and their commitment to maintaining long-term network access.
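As an added defensive check, not code from the report or from Bitdefender: a Python audit of a .reg export that flags per-user InprocServer32 keys for the NGEN task CLSID described above. The sample export, the SIDs and the DLL paths in it are constructed.

```python
# Added example, not code from the report: audit a .reg export for the per-user
# CLSID override shown above. COM lookup consults the user hive
# (HKU\<SID>\SOFTWARE\Classes) before HKLM, so any per-user InprocServer32 for
# the NGEN task CLSID is itself the indicator. Sample export and SIDs are constructed.
import re

NGEN_CLSID = "{de434264-8fe9-4c0b-a83b-89ebeebff78e}"  # CLSID named in the report

SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Classes\CLSID\{de434264-8fe9-4c0b-a83b-89ebeebff78e}\InprocServer32]
@="C:\\Windows\\System32\\mscoree.dll"
"Assembly"="TaskLauncher, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"

[HKEY_USERS\S-1-5-21-1111-2222-3333-1002\SOFTWARE\Classes\CLSID\{01234567-0000-0000-0000-000000000000}\InprocServer32]
@="C:\\Program Files\\Example\\benign.dll"
"""

KEY_RE = re.compile(
    r"^HKEY_USERS\\[^\\]+\\SOFTWARE\\Classes\\CLSID\\(\{[0-9a-f-]+\})\\InprocServer32$", re.I)

def parse_reg_export(text):
    """Return {key_path: {value_name: data}}; '@' is the (Default) value."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and "=" in line:
            name, _, data = line.partition("=")
            name = "@" if name == "@" else name.strip('"')
            if data.startswith('"'):  # REG_SZ: drop quotes, undo \" and \\ escaping
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = data
    return keys

def find_ngen_clsid_hijacks(text):
    """List (key_path, reasons) for per-user InprocServer32 keys on the NGEN CLSID."""
    findings = []
    for path, values in parse_reg_export(text).items():
        m = KEY_RE.match(path)
        if not m or m.group(1).lower() != NGEN_CLSID:
            continue
        reasons = ["per-user override of a CLSID that is normally registered machine-wide"]
        # mscoree.dll as in-proc server loads the managed assembly named in "Assembly"
        if values.get("@", "").lower().endswith("\\mscoree.dll") and "Assembly" in values:
            reasons.append("managed COM handler via mscoree.dll: " + values["Assembly"])
        findings.append((path, reasons))
    return findings
```

On a live host the same logic can be fed the output of `reg export HKEY_USERS <file>`; the benign second key in the sample shows that only the NGEN CLSID is flagged, not every per-user COM registration.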