Research Saturday 9.27.25
Ep 395 | 9.27.25

Inside Curly COMrades.

Transcript

[ Music ]

Dave Bittner: Hello everyone and welcome to The CyberWire's "Research Saturday". I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. [ Music ]


Martin Zugec: Is it new activity? Is it existing activity? Is it a cluster of victims? Or is it an isolated case? So in the case of Curly COMrades, we started tracking this group in mid-2024.


Dave Bittner: That's Martin Zugec, Technical Solutions Director at Bitdefender. The research we're discussing today is titled "Curly COMrades: A new threat actor targeting geopolitical hotbeds". [ Music ]


Martin Zugec: It's one of those things that people probably don't know. Research like this very often takes months. So, it's normal when you see it released, let's say, half a year later. That's perfectly fine, because we are documenting all the tools they are using, all the servers, the complete infrastructure. We try to get as complete a picture as possible before we publish this data. So, it's always a decision: Do we want to release this as soon as possible so all the potential victims are informed? Or do we wait a little bit longer because then we can discover and publish more information and provide a more complete picture?


Dave Bittner: Yeah. Well, how about the name itself? I mean, Curly COMrades, that's clever naming here.


Martin Zugec: I love the name, personally [laughter]. And there are two reasons, because we always have, like, a couple of different names that we can choose from. With Curly COMrades, I think it is a smart name for two reasons. The first reason is it is actually really reflecting the technical details about this threat actor group. They like to use curl.exe a lot. And at the same time, one of the most interesting techniques that we noticed for the persistent access was hijacking the COM objects for NGEN. So that's where the Curly COMrades, the C-O-M is capitalized, is technically coming from. The second part of the story is I feel we as a security industry are doing a kind of disservice by glamorizing the cybercrime in many cases, picking up the names that sound, like, really fancy and cool. So, what we also wanted to do is we just wanted to point out that these guys are not cool. They are cybercriminals. So, we really wanted to find also the name that would reflect what we think about them, if it makes sense.


Dave Bittner: Yeah, it does. Well, tell us what particular regions and sectors they seem to be targeting, and what their motivations seem to be.


Martin Zugec: So the motivation, as we've seen through all the tactics, techniques, everything they were going after, is long-term data exfiltration. So for us, this is one of the APT groups. We've seen them actually attacking multiple victims. So, the research that we published, it is not based on a single victim. As I said, we spent months monitoring and documenting what this group is doing. But what we observed their focus is, is they are, they are targeting countries that are geopolitically halfway between Russia and Europe at this moment. So, we've seen them targeting judicial and government bodies in Georgia, not the one in the US, the one on the border between Russia and Europe. We've seen them targeting an energy distribution company in Moldova. But one of the highlights for us was also that they used a large network of legitimate but compromised websites as traffic relays. We documented some of them, but we believe there must be a lot more. So, that also tells us that this APT, what we've seen, even though we documented quite a lot of it, is probably just a small part of a much larger network of compromised web infrastructure they use. So what I'm trying to say is, the total number of victims is definitely significantly higher than what we've seen.


Dave Bittner: Well, can you walk us through what a typical engagement looks like? I mean, when Curly COMrades sets their sights on someone, how does it usually go down?


Martin Zugec: Yes. So I would say, and again, this is something that is very common, we don't have any insights into the initial access method they used. And that is very common. We, again, it's a forensic investigation. It's not like in the movie where you know exactly, like, every single step of what happened and there are no gaps. In many cases, there are big gaps. We try to figure them out by looking at other victims, collecting more data. So, that is part of the reason why research like this really takes a lot of effort and time. So, initial access in many cases we don't know and we will never know, yeah? We track the activity actually to, I want to say 2023. So here is an important thing. We started monitoring them from mid-2024. But during forensic investigation, you are looking at everything that happened before that date. So, looking at all these artifacts that we were discovering, making sure that we are aware of the time stomping technique where they are trying to confuse us. The earliest date that we found was November 2023 when they were active. So again, we don't know when initial access happened, but we can track that they've been active for a long time. Now, what triggered this here is that we detected an attempt to deploy a resource client, which is not unusual. It's an open-source project. So the Bitdefender team just started investigating it, and quickly found out this is much bigger than just some isolated action. We found more compromised machines, credentials, started putting everything together. We've seen this threat actor has been really focused on proxying their access and making sure they have multiple ways to get back to the victim if they would be discovered and kicked out. So, we found the resource tunnel that I mentioned before, but we also found the custom SOCKS5 server on one of the internet-facing hosts. That was one of the alternative entry points.
And later on, we discovered there were attempts to build multiple tunnels between the victim network and the infrastructure of the threat actors using tools like SSH or Stunnel. So that was something that we've seen as kind of the persistent effort to regain access, which is a very common tactic of APT groups, including this one.


Dave Bittner: Can we dig into their persistence here? The research talks about, I believe it's called MucorAgent, to help them stay hidden. What's going on there?


Martin Zugec: Yeah, so the MucorAgent was definitely the highlight for me personally. What we found, we found it on multiple systems. So, this was one of the tools that was, like, part of the core toolkit they've been using. It's written in .NET and it executes PowerShell, something that we are seeing happening with APT groups quite a lot. What was the most interesting for us was the way this MucorAgent is activated. It's really, we tried to find anyone referencing anything similar, but we couldn't find any research. So as far as I know, we are the first ones to document this. So, what they are doing is the following. The first step in the attack, there are multiple components of this MucorAgent. The first step is they are using the .NET assembly that is going to hijack the COM handler. Now, if you've never been dealing with a COM object, congratulations. I spent many years fighting with the DLL hell back in my early days.


Dave Bittner: [Laughter] Sure.


Martin Zugec: So this is the stuff of nightmares. This is, this is the really complicated way Windows sometimes executes the code instead of executing the binary. They just call the class ID that might call another class ID to execute something. To be honest, like, there are hundreds or maybe thousands of class IDs that are part of COM on a typical Windows system.


Dave Bittner: Don't hold back, Martin. Don't hold back.


Martin Zugec: Yeah. This was, again, like, I had night-, back in the day, in 2000s, I had nightmares about this. So --


Dave Bittner: I see. [ Music ] We'll be right back. [ Music ]


Martin Zugec: What they are doing is that they choose one of these many, many COM objects with a CLSID, the class ID that I'm not going to say, it's 16 characters and so on. And they just change the target of that COM object. Instead of pointing to the normally-executed .NET framework that would be triggered, it was actually running the MucorAgent. So that is step number one. Essentially, targets are redirected. If something will try to run part of the .NET framework, instead of running the target, it's going to run malicious code. That's one. Now, the bigger question is, How is this COM handler actually triggered? What is going to do it? And here comes the really smart part, where they are using a scheduled task for this that is disabled by default. So, if you are looking at everything that is starting, for example, at the startup of a machine, you are not going to look at this one because, again, it's disabled, it's not executed. The scheduled task is responsible for something called NGEN. In .NET framework, .NET framework comes, it's not compiled code. So, what happens on every single machine when you execute .NET code for the first time, it's turned into something called IL, which is a language that's optimized for execution on that specific machine. Now, you can kind of also precompile all this .NET code, so it just executes faster. Again, coming back to my background, I used to deal with this a lot when we were optimizing execution on, like, large farms of servers. So, really what you are doing is that you are just precompiling the .NET code. Now, when this is happening is at very specific times. You install a new .NET, that can trigger this precompilation of the code. You install a new application, this can trigger precompilation of the code. Sometimes it is optimization, but it happens at really very random intervals. What the operating system is doing in that case is that it will just enable the scheduled task.
And the trigger for the scheduled task is not on startup, logon, or a specific time, as is usual. The trigger here is on idle. Essentially, you are telling the machine, Hey, I need you to precompile all the .NET code that you have here, and just do it anytime it's a good time for you. If you are not busy doing something, that's when you can start. This .NET precompilation is going to precompile all the code, and when it's done, it will go back and disable the scheduled task again. And then at a random time interval, it's not specified in any way. Again, the operating system can decide, I want to trigger this native image generator. That's NGEN. So, it will enable it again. And it's completely unpredictable for you, first of all, when it's going to be enabled, but also when it's going to be executed. And after it's done, it is disabled again. So, it looks to you as if it was never executed before. And that is how the MucorAgent is working. So, again, not only is it hijacking one of the COM classes that are completely hidden in, like, thousands of different registry keys behind the 16-digit-long string. That is the first part of it, but it's also the second. How is this triggered? How is this loaded? That's also smart, because it's relying on the scheduled task that is disabled, but just appears to be disabled, but it actually executes.


Dave Bittner: So, is it fair to say that this operation is fairly sophisticated?


Martin Zugec: Yeah, absolutely. So, as I was mentioning, this was the first part. There was a lot that we documented. This was what caught our attention, but there was a lot more to see. And again, the infrastructure that was used, downloading some malicious code, used as the command, as the C2 server for example for communication. Most of it were not malicious sites. Almost all of it were legitimate sites that were just compromised and redesigned to be part of this network. So, again, that is one of the best signs that we have telling us, like, this is a much more advanced operation. They stayed stealthy under the radar for a very, very long time. So, yeah, it's much bigger than what we are seeing today.


Dave Bittner: What about resilience? I mean, if, when defenses spring up, how do they respond to that?


Martin Zugec: That is very common. And so they use multiple methods to get back inside if they are kicked out. That is very common for these APTs. The last activity that we investigated, they really, they did something that we are seeing all the cybercriminals doing, whether they are financially motivated or state affiliated: they are switching less and less to using malware, and they are switching more to using normal common binaries. So, for example, in the case of Curly COMrades, we've seen them using different tools in the past, but the last incident, and I don't see the date here or time, but this was the last one we investigated. They used SSH, and they used the TStunnel that is part of the Stunnel suite for encryption of the TCP traffic. So, it's really obfuscating the SSH communication and evading the network-based mechanisms in this case. But again, as with many of these groups, they used multiple tools, multiple endpoints, multiple gateways inside the system. So again, like, all these operations are usually very sophisticated. This is not an exception.


Dave Bittner: Yeah. So, given everything that you've collected here about this group, what are your recommendations? How should organizations best defend themselves?


Martin Zugec: So if I look at everything we documented for the TTPs, and I will also give, like, a more general recommendation. The first one is, in most of these investigations we are doing, we are seeing two big problems. The first one is that the victim doesn't have EDR or XDR. We are dealing a lot more today with all the modern threat actors. We are dealing a lot more with suspicious behavior, not clearly malicious. So, you really need to have the tools that will go through this noise and highlight for you these are the things you should investigate. And it's really good to think about it. It's no longer binary, just, This is bad or this is good. It's all about percentages, like this: We are 60% sure this is suspicious. So having really good EDR and XDR that doesn't provide, doesn't generate, like, too much noise, it's still actionable. One of the best things, how to detect, how to minimize the time when the threat actors are on your network. So that would be one. And again, in many investigations, we are just seeing these tools are not deployed. The second one that we see very often are operational gaps. And what I mean by this is some companies will buy EDR and XDR solutions, and then at the end, all they are going to do is they will just think that that is the tool that will solve the problem. But if you think about it, EDR and XDR is not really that useful if you don't have your own security operations. So having your own SOC that is staffed properly, trained properly, it's the combination of process, people, and tools, then if you don't have these people looking at those alerts and triaging, then you will end up in a situation that we've seen many, many times where after an investigation like this, we can conclude there are, there are red flags all over the place and no one was just responding to them. I'm not saying this particular investigation, but more broadly what we are seeing in our research.
So again, make sure you have the tools that will highlight to you suspicious activity on the network, on endpoints, on servers, in the cloud. And also you have the people that can respond to it, whether it's the SOC or it's the managed detection and response services that you can use. The last recommendation I would make is make sure that you are keeping up with the latest research. I mentioned it during our conversation. We are seeing a lot more of the living off the land attacks. We are seeing all kinds of cybercriminals transitioning from using a specialized tool to just using whatever is available on those systems. APTs are one of the last groups where at the end, they usually rely on the custom malware that's really hard to detect. But again, even then, they are using these tools. They are using legitimate remote monitoring and management, RMM, tools. So, we see all these cybercriminals adopting the playbook where they just use what is available on the system and they don't really bring anything new that can be easily detected on the network. So, be aware of LOLBins, be aware of RMM abuse by these threat actors. [ Music ]


Dave Bittner: Our thanks to Martin Zugec from Bitdefender for joining us. The research is titled, "Curly COMrades: A new threat actor targeting geopolitical hotbeds". We'll have a link in the show notes. And that's "Research Saturday", brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@N2K.com. This episode was produced by Liz Stokes. We're mixed by Elliott Peltzman and Tre Hester. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next time. [ Music ]