A sophisticated new threat actor group dubbed “Curly COMrades” has emerged as a significant cybersecurity concern, conducting targeted espionage campaigns against critical organizations in countries experiencing substantial geopolitical shifts.
The group has been actively pursuing long-term network access and credential theft operations since mid-2024, with a particular focus on judicial and government bodies in Georgia, as well as energy distribution companies in Moldova.
The threat actor’s operations represent a methodical approach to cyber espionage, characterized by their heavy reliance on proxy tools and strategic use of compromised legitimate websites as traffic relays.
This tactic significantly complicates detection efforts by blending malicious communications with normal network activity, allowing them to bypass security defenses that typically trust known domains while obscuring their true infrastructure.
Bitdefender analysts identified the group’s primary objective as maintaining persistent access to target networks while systematically harvesting valid credentials.
The attackers repeatedly attempted to extract the NTDS database from domain controllers, which serves as the primary repository for user password hashes and authentication data in Windows networks.
Additionally, they focused on dumping LSASS memory from specific systems to recover active user credentials, including potentially plain-text passwords from machines where users remained logged in.
The naming convention “Curly COMrades” reflects both the group’s technical methodologies and a deliberate attempt to de-glamorize cybercrime.
Resocks acts as a relay point into a compromised network. In this case, Network A represents an attacker, and Network B represents a victim (Source – Bitdefender)
The designation stems from their extensive use of curl.exe for command-and-control communications and data exfiltration, combined with their sophisticated exploitation of Component Object Model (COM) objects for persistence mechanisms.
The most technically sophisticated aspect of Curly COMrades’ arsenal involves their deployment of MucorAgent, a previously unknown three-stage malware that employs an innovative persistence mechanism through CLSID hijacking.
This approach targets the Native Image Generator (NGEN), a default Windows .NET Framework component that pre-compiles assemblies for improved performance.
The malware establishes persistence by hijacking the COM handler with CLSID {de434264-8fe9-4c0b-a83b-89ebeebff78e}, which is associated with the “.NET Framework NGEN v4.0.30319 Critical” scheduled task.
While this task remains disabled by default, the Windows operating system periodically enables and executes it during unpredictable intervals, such as system idle times or new application deployments.
reg add HKEY_USERS<SID>SOFTWAREClassesCLSID{de434264-8fe9-4c0b-a83b-89ebeebff78e}InprocServer32 /t REG_SZ /d “C:WindowsSystem32mscoree.dll” /F
reg add HKEY_USERS<SID>SOFTWAREClassesCLSID{de434264-8fe9-4c0b-a83b-89ebeebff78e}InprocServer32 /v Assembly /t REG_SZ /d “TaskLauncher, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null” /F
This technique provides several advantages for the attackers, including stealth execution under the highly privileged SYSTEM account and covert access restoration during legitimate system optimization processes.
The unpredictability of NGEN task execution times suggests that attackers likely employed parallel, more reliable triggers to ensure consistent access to compromised systems.
This innovative approach to COM hijacking in conjunction with NGEN represents an unprecedented persistence mechanism that demonstrates the group’s sophisticated understanding of Windows internals and their commitment to maintaining long-term network access.
Boost your SOC and help your team protect your business with free top-notch threat intelligence: Request TI Lookup Premium Trial.
Source: cybersecuritynews.com
