Wed. Dec 10th, 2025

New Russian-aligned hacking group targeting Eastern Europe infrastructure




A new Russian-aligned Advanced Persistent Threat (APT) group, dubbed Curly COMrades by security firm Bitdefender, has been identified targeting government bodies and energy sectors in Eastern Europe.

The group, active since mid-2024, has been linked to attacks on government and judicial bodies in Georgia and an energy company in Moldova, with the primary objective of long-term espionage and data exfiltration.

The report highlights the group’s highly stealthy and persistent tactics. Curly COMrades deploys a custom backdoor called MucorAgent and uses a previously unseen method for maintaining access to compromised systems.

The technique is a COM hijack: the group rewrites the registry entries for a COM Class Identifier (CLSID) so that a legitimate component loads the attackers' code in place of the real server, and it pairs this with the .NET Framework's Native Image Generator (NGEN) scheduled tasks, which sit disabled on most hosts and are only switched on by Windows itself when it decides to precompile .NET assemblies. Because the attackers never create an autostart entry or scheduled task of their own, and the hijacked code runs only when the system wakes the dormant NGEN task, the implant re-executes at irregular intervals and leaves none of the persistence artefacts traditional security tools look for, making it extremely difficult to detect and remove.
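As an added example, not code from Bitdefender's report or from this article, the following PowerShell hunts for the two conditions the technique above depends on: CLSID registrations whose server DLL lives somewhere unexpected or no longer exists on disk, and the state of the .NET NGEN scheduled tasks, resolving any COM-handler action to the DLL it would actually load. The trusted-directory list and the flagging rules are this example's assumptions rather than a vendor detection rule, and the specific CLSID from the report is deliberately not reproduced here.

```powershell
# Added example, not code from Bitdefender's report or from the article above.
# Hunts for the two things the persistence technique depends on: COM CLSID server
# entries that point somewhere unexpected, and the state of the .NET NGEN tasks.
# Run in an elevated PowerShell on the host under review. The "trusted root"
# list and all flagging rules are this example's assumptions, not vendor guidance.

$ErrorActionPreference = 'SilentlyContinue'

# Directories a legitimate COM server is expected to load from (assumption).
$TrustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}, "$env:ProgramData\Microsoft") |
    Where-Object { $_ } |
    ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() }

function Test-TrustedPath {
    param([string]$Path)
    $p = $Path.ToLowerInvariant()
    foreach ($root in $TrustedRoots) { if ($p.StartsWith("$root\")) { return $true } }
    return $false
}

# Turn a raw InprocServer32/LocalServer32 value into a file path: expand %VARS%,
# strip surrounding quotes and trailing arguments, and resolve bare DLL names
# against System32 the way the loader would.
function Get-ServerPath {
    param([string]$Value)
    $v = [Environment]::ExpandEnvironmentVariables($Value.Trim())
    if ($v.StartsWith('"')) { $v = ($v -split '"')[1] }
    elseif (-not (Test-Path -LiteralPath $v -PathType Leaf)) { $v = ($v -split '\s+')[0] }
    if (-not [IO.Path]::IsPathRooted($v)) { $v = Join-Path $env:SystemRoot "System32\$v" }
    return $v
}

# Look up a CLSID's registered server, checking the per-user hive first because
# that is the order COM itself uses for a non-elevated client.
function Resolve-ComServer {
    param([string]$Clsid)
    foreach ($hive in 'HKCU:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\CLSID') {
        foreach ($sub in 'InprocServer32', 'LocalServer32') {
            $value = (Get-ItemProperty -LiteralPath "$hive\$Clsid\$sub").'(default)'
            if ($value) { return [pscustomobject]@{ Hive = $hive; Type = $sub; Server = (Get-ServerPath $value) } }
        }
    }
    return $null
}

# 1. Every registered CLSID whose server lives outside the trusted roots or no longer
#    exists on disk. (On 64-bit hosts the WOW6432Node\CLSID view deserves the same pass.)
$Findings = foreach ($hive in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\SOFTWARE\Classes\CLSID') {
    foreach ($clsid in Get-ChildItem -LiteralPath $hive) {
        foreach ($sub in 'InprocServer32', 'LocalServer32') {
            $value = (Get-ItemProperty -LiteralPath "$hive\$($clsid.PSChildName)\$sub").'(default)'
            if (-not $value) { continue }
            $server  = Get-ServerPath $value
            $reasons = @()
            if (-not (Test-TrustedPath $server))      { $reasons += 'server outside trusted roots' }
            if (-not (Test-Path -LiteralPath $server)) { $reasons += 'server file missing' }
            if ($reasons) {
                [pscustomobject]@{
                    Hive   = $hive.Substring(0, 4)
                    CLSID  = $clsid.PSChildName
                    Type   = $sub
                    Server = $server
                    Reason = $reasons -join '; '
                }
            }
        }
    }
}

# 2. The .NET Framework NGEN tasks. They are normally Disabled and are enabled by the
#    runtime optimisation service only when it has work to do, so a Ready state or a
#    recent LastRunTime tells you the dormant trigger is live on this host. Any
#    COM-handler action is resolved to the DLL that will be loaded when the task fires.
$NgenTasks = Get-ScheduledTask -TaskPath '\Microsoft\Windows\.NET Framework\' | ForEach-Object {
    $info = $_ | Get-ScheduledTaskInfo
    $actions = foreach ($a in $_.Actions) {
        if ($a.ClassId) {
            $srv = Resolve-ComServer $a.ClassId
            "COM $($a.ClassId) -> $(if ($srv) { $srv.Server } else { '<unregistered>' })"
        } else {
            "$($a.Execute) $($a.Arguments)".Trim()
        }
    }
    [pscustomobject]@{
        TaskName    = $_.TaskName
        State       = $_.State
        LastRunTime = $info.LastRunTime
        NextRunTime = $info.NextRunTime
        Actions     = $actions -join '; '
    }
}

'== CLSID server entries to review =='
$Findings | Sort-Object Reason, Hive | Format-Table -AutoSize
'== .NET NGEN scheduled tasks =='
$NgenTasks | Format-Table -AutoSize
```

Expect noise on a real host: third-party software registers servers under its own install directories, and uninstallers routinely leave CLSIDs pointing at DLLs that no longer exist. Those stale entries are still worth keeping in the output, because a registration whose DLL is missing is exactly the kind of slot an attacker can fill without touching anything that looks new. Compare the results against a known-good build of the same image, and treat an NGEN task that is Ready or has run recently while its COM handler resolves outside the trusted roots as the highest-priority finding.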

Once inside a network, the group's objective is clear: credential theft and data discovery. It uses a range of tools, including Mimikatz, to steal login credentials, and leverages "living-off-the-land binaries" (LOLBins) and legitimate-but-compromised servers to move laterally through the network and exfiltrate data while remaining undetected.

The use of legitimate infrastructure helps obscure its command-and-control servers, suggesting that the current known attacks may represent only a fraction of the group’s full operational capabilities.

To prevent such attacks, Bitdefender urges government agencies and businesses to adopt robust cybersecurity measures. The firm recommends EDR/XDR (Endpoint and Extended Detection and Response) solutions to monitor for unusual activity, such as the misuse of proxy tools or changes to registry settings, the COM class registrations described above included.

Limiting the use of administrative and remote management tools and employing MDR (Managed Detection and Response) services are also crucial steps to protect against this sophisticated and persistent new threat actor.


For latest tech stories go to TechDigest.tv

