Russian hackers have found a clever way to hide their malware using Microsoft's Hyper-V, the same hypervisor that runs virtual machines on Windows. On a compromised workstation they used Hyper-V to create a small Linux virtual machine (VM) and ran their tooling inside it, out of sight of the security software on the host. Sounds clever, right? Here is how it works.
What Did the Hackers Do?
So, here's what these hackers did step by step:
• First, they gained remote access to a Windows computer.
• Then they enabled the Hyper-V feature. On most workstations it is off by default, so they had to turn it on themselves.
• Next, they created a small Linux VM running Alpine Linux, an extremely lightweight distribution: the VM's disk was only about 120 MB and it was given 256 MB of RAM.
• They installed two custom tools inside the Linux VM: CurlyShell, a reverse shell that gives them remote command execution inside the VM, and CurlCat, a reverse proxy that tunnels their traffic out covertly.
• To make things inconspicuous, they named the VM "WSL" (short for Windows Subsystem for Linux), so that anyone glancing at the VM list would take it for a legitimate Microsoft component.
• Finally, the VM's network traffic is routed through the host's network connection (Hyper-V's default switch NATs guest traffic behind the host's address), so on the wire all of the malware's traffic appears to come from the Windows host itself.
Why Is This So Clever?
I have to say, this is one very clever trick, even if it is being put to bad use.
• Most endpoint security tools run on the Windows host and have no visibility into what executes inside a guest VM; the EDR agent is simply not installed in the attacker's Alpine guest.
• A Linux VM with a 120 MB disk and 256 MB of RAM is easy to overlook on a machine that has tens of gigabytes of both.
• "Oh, it is just WSL!" The name is a brilliant choice; most admins will assume it is another built-in Windows component and move on. In fact a genuine WSL 2 distribution does not show up as a VM in Hyper-V Manager or in Get-VM, so a listed VM called "WSL" is itself a red flag.
• Because the traffic leaves through the host's network stack, it is hard for the victim organization's network monitoring to tell the VM's traffic apart from the host's legitimate traffic.
What To Look Out For
If you manage Windows workstations or servers, be on the lookout for these warning signs:
• Hyper-V being enabled unexpectedly on a machine that has no business running VMs.
• New or unknown VMs with an unusually small footprint (a few hundred MB of disk or RAM) or odd naming.
• Odd PowerShell activity, such as the cmdlets that enable Hyper-V or create a VM running on an ordinary workstation, or newly created accounts.
• Unusual traffic from machines that should not be talking to the internet much, or that are contacting hosts they have no reason to contact.
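To turn those warning signs into a check you can actually run, here is an added PowerShell hunting script. It is my own example, not code from the article or from any vendor report, and it walks the attack steps above in reverse: is Hyper-V enabled and when was it turned on, which VMs exist and how small or oddly named are they, how are they networked, and has anything recently created VMs or accounts. The name pattern, size thresholds, lookback window and the assumption that each running VM's GUID appears on its vmwp.exe command line are mine; adjust them to your environment.

```powershell
#Requires -RunAsAdministrator
# Added example: hunt for a rogue Hyper-V guest on a Windows host.
# Run on the host under review. Thresholds, the name pattern, the lookback
# window and the vmwp.exe command-line check are assumptions for this example.

function Invoke-HyperVHunt {
    param(
        [string]$SuspiciousNamePattern = '^(wsl|docker|ubuntu|alpine|temp|test|vm\d*)$',  # assumption
        [long]$SmallMemoryBytes = 512MB,    # assumption: below this a guest is "tiny"
        [long]$SmallDiskBytes   = 1GB,      # assumption
        [int]$LookbackDays      = 30        # assumption
    )
    $since    = (Get-Date).AddDays(-$LookbackDays)
    $findings = [System.Collections.Generic.List[string]]::new()

    # Step 1 of the attack: Hyper-V has to be enabled. Check the feature state and
    # the Setup log, where the servicing stack records optional-feature changes.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V
    if ($feature.State -eq 'Enabled') {
        $findings.Add('Hyper-V platform feature is enabled on this host')
        Get-WinEvent -FilterHashtable @{ LogName = 'Setup'; ProviderName = 'Microsoft-Windows-Servicing'; StartTime = $since } -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -match 'Hyper-V' } |
            ForEach-Object { $findings.Add("Hyper-V servicing event $($_.TimeCreated): $(($_.Message -split '\r?\n')[0])") }
    }

    # Steps 2-4: a small guest with a misleading name, NATed through the host.
    # A genuine WSL 2 distribution is not listed by Get-VM at all, so a VM
    # named "WSL" that shows up here is suspicious on its own.
    $vmIds = @()
    if (Get-Command Get-VM -ErrorAction SilentlyContinue) {
        foreach ($vm in Get-VM) {
            $vmIds += $vm.Id.Guid
            $reasons = @()
            if ($vm.Name -match $SuspiciousNamePattern) { $reasons += "name '$($vm.Name)' mimics a built-in tool" }
            if ($vm.MemoryStartup -le $SmallMemoryBytes)  { $reasons += "only $($vm.MemoryStartup / 1MB) MB startup memory" }
            if ($vm.CreationTime -ge $since)              { $reasons += "created $($vm.CreationTime)" }
            foreach ($drive in Get-VMHardDiskDrive -VMName $vm.Name) {
                $vhd = Get-VHD -Path $drive.Path -ErrorAction SilentlyContinue
                if ($vhd -and $vhd.FileSize -le $SmallDiskBytes) {
                    $reasons += "disk $($drive.Path) is $([math]::Round($vhd.FileSize / 1MB)) MB"
                }
            }
            if ($reasons.Count -gt 0) {
                # Show how the guest reaches the network; the Default Switch NATs it behind the host's address.
                $nics = Get-VMNetworkAdapter -VMName $vm.Name |
                    ForEach-Object { "$($_.SwitchName) [$($_.IPAddresses -join ',')]" }
                $findings.Add("VM '$($vm.Name)' state=$($vm.State) nics=$($nics -join '; ') :: " + ($reasons -join '; '))
            }
        }
    }

    # Every running guest has a vmwp.exe worker; its command line carries the VM GUID
    # (assumption used here). A worker that matches no VM from Get-VM deserves a look.
    foreach ($p in Get-CimInstance Win32_Process -Filter "Name='vmwp.exe'") {
        $known = $vmIds | Where-Object { $p.CommandLine -and $p.CommandLine -match [regex]::Escape($_) }
        if (-not $known) { $findings.Add("vmwp.exe PID $($p.ProcessId) matches no known VM: $($p.CommandLine)") }
    }

    # Odd PowerShell activity: script block logging (event 4104) catches the cmdlets
    # that enable Hyper-V and create VMs, provided script block logging is turned on.
    $psPattern = 'Enable-WindowsOptionalFeature|Microsoft-Hyper-V|New-VM|Set-VM|New-VHD|Start-VM'
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $psPattern } |
        ForEach-Object {
            $hit = ($_.Message -split '\r?\n' | Where-Object { $_ -match $psPattern } | Select-Object -First 1)
            $findings.Add("PowerShell script block $($_.TimeCreated): $($hit.Trim())")
        }

    # New accounts: Security event 4720 (a user account was created).
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add("Account created $($_.TimeCreated): $(($_.Message -split '\r?\n')[0])") }

    return $findings
}

Invoke-HyperVHunt | ForEach-Object { Write-Output $_ }
```

A clean host prints nothing. On a host set up the way the article describes you would expect at least three lines: the Hyper-V feature being enabled, a servicing event showing when it was turned on, and a VM whose name, memory and disk size all trip the thresholds, with its NIC on the Default Switch. The 4104 and 4720 checks only fire if script block logging and account-management auditing are enabled, which is worth confirming before relying on them.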