New 'Curly COMrades' APT Targets Eastern Europe with Stealthy NGEN COM Hijacking
- John Jordan
- Aug 12
- 2 min read
Updated: Aug 13
A new Russian-aligned Advanced Persistent Threat (APT) group, identified as 'Curly COMrades,' has been actively targeting government and energy sectors in Eastern Europe, specifically Georgia and Moldova. The group, operational since mid-2024, employs sophisticated techniques for long-term espionage and data exfiltration, including a novel method of hijacking .NET Framework components for persistent access.

Stealthy Infiltration and Persistence
Curly COMrades has demonstrated a highly stealthy and persistent approach to its intrusions. The group uses a custom backdoor known as MucorAgent. A key element of its persistence strategy is hijacking Class Identifiers (CLSIDs) associated with the Native Image Generator (Ngen), a component of the .NET Framework. Because this Ngen component is normally dormant but is still triggered by the system from time to time, the hijacked CLSID lets the attackers' code run again at unpredictable intervals, which makes detection by conventional security controls extremely challenging.
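One defensive way to hunt for this kind of COM hijack is to audit CLSID server registrations. The script below is an added example, not code from the article or the cited reports: it parses a constructed Windows .reg export (the GUIDs are placeholders, since the article does not list the Ngen-related CLSIDs) and flags registrations whose COM server binary sits in a user-writable directory or where a per-user (HKCU) entry shadows the machine-wide (HKLM) one, which is the classic hijack shape because COM consults HKCU first.

```python
import re

# Constructed sample .reg export (placeholder GUIDs, not real Ngen CLSIDs).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Windows\\System32\\example.dll"
"ThreadingModel"="Both"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000002}\InprocServer32]
@="C:\\ProgramData\\updater\\loader.dll"
[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Local\\Temp\\shim.dll"
"""

SECTION_RE = re.compile(
    r"^\[(HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\Software\\Classes\\CLSID\\"
    r"(\{[0-9A-Fa-f-]{36}\})\\(InprocServer32|LocalServer32)\]$", re.IGNORECASE)
DEFAULT_RE = re.compile(r'^@="(.*)"$')
# Directories a standard user can write to; a COM server loaded from here is suspect.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")

def parse_reg_export(text):
    """Yield (hive, clsid, server_type, path) for every COM server key in the export."""
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):            # new key: only keep CLSID server keys
            m = SECTION_RE.match(line)
            current = (m.group(1).upper(), m.group(2).upper(), m.group(3)) if m else None
            continue
        d = DEFAULT_RE.match(line)
        if d and current:                   # default value = server binary path
            yield (*current, d.group(1).replace("\\\\", "\\"))

def find_suspicious(text):
    """Return (hive, clsid, server_type, path, reasons) for registrations worth a look."""
    entries = list(parse_reg_export(text))
    hives = {c: {h for h, cc, _, _ in entries if cc == c} for _, c, _, _ in entries}
    findings = []
    for hive, clsid, stype, path in entries:
        reasons = []
        if any(tok in path.lower() for tok in USER_WRITABLE):
            reasons.append("server in user-writable path")
        # COM resolves HKCU before HKLM, so a per-user copy of a machine CLSID is a hijack shape.
        if hive == "HKEY_CURRENT_USER" and "HKEY_LOCAL_MACHINE" in hives[clsid]:
            reasons.append("HKCU overrides HKLM registration")
        if reasons:
            findings.append((hive, clsid, stype, path, reasons))
    return findings
```

On a live host, feed it the output of `reg export` for the HKLM and HKCU Classes\CLSID keys and review every finding against the binary's signature and install source.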
Key Takeaways
Targeting: Government bodies, judicial entities in Georgia, and an energy company in Moldova.
Objective: Long-term espionage, data exfiltration, and credential theft.
Malware: Custom backdoor named MucorAgent.
Persistence Method: Hijacking Ngen COM objects for covert reactivation.
Tools: Leverages legitimate tools like curl, Mimikatz, Resocks, SSH, and Stunnel, alongside "living-off-the-land binaries" (LOLBins).
Attribution: Assessed to be Russian-aligned.
Espionage and Data Exfiltration Tactics
Once inside a compromised network, Curly COMrades focuses on credential theft and data discovery. They employ tools like Mimikatz to extract login credentials from memory and utilize LOLBins to move laterally within the network. The group also leverages legitimate but compromised servers to obscure their command-and-control (C2) infrastructure, making their activities harder to trace. Their ultimate goal is to gain deep access, collect sensitive data, and exfiltrate it to attacker-controlled servers.
Defensive Recommendations
Security experts recommend robust cybersecurity measures to counter this sophisticated threat. These include:
Implementing Endpoint Detection and Response (EDR/XDR) solutions to monitor for anomalous activities.
Limiting the use of administrative and remote management tools.
Employing Managed Detection and Response (MDR) services for enhanced threat hunting.
Regularly updating security software and patching systems.
The group's reliance on blending in with legitimate network activity and using readily available tools highlights the need for advanced threat detection capabilities and a proactive security posture. As cyber threats become increasingly sophisticated, your security strategy must evolve to keep pace. BetterWorld Technology offers adaptive cybersecurity solutions that grow with the threat landscape, helping your business stay secure while continuing to innovate. Reach out today to schedule your personalized consultation.
Sources
New Russian-aligned hacking group targeting Eastern Europe infrastructure, Tech Digest.
New 'Curly COMrades' APT Using NGEN COM Hijacking in Georgia, Moldova Attacks, The Hacker News.