Experts warn criminals are using backdoor malware to target governments

Bitdefender finds new piece of malware in the wild
It attributed it to a brand-new cyber-espionage group
The researchers believe the group is Russian

Cybersecurity researchers at Bitdefender recently spotted a new threat actor using a never-before-seen piece of backdoor malware to target critical infrastructure organizations in eastern Europe.

Bitdefender named the new group Curly COMrades, since it heavily relies on the curl.exe tool to pull data and communicate with the C2 server, and since it hijacks Component Object Model (COM) objects during its attacks.

In its attacks, Curly COMrades deploy a backdoor named MucorAgent, a custom three-stage malware component, “engineered as a .NET stealthy tool capable of executing an AES-encrypted PowerShell script and uploading the resulting output to a designated server.”

When in doubt – blame the Russians

In other words, it’s a piece of Windows malware that runs hidden commands, keeps them encrypted to avoid detection, and sends the results back to the attacker.

So far, identified victims include government and judicial organizations in Georgia, and energy companies in Moldova.

Given the targets, the researchers believe the attackers are of Russian origin, or at least Russia-aligned.

However, they did stress that there are no strong overlaps with known Russian APT groups, but Curly COMrades’ operations “align with the geopolitical goals of the Russian Federation.”

Bitdefender also could not determine the initial access vector – how crooks managed to infiltrate the target endpoints to deploy MucorAgent to begin with.

They claim to have seen installations of multiple proxy agents, including Resocks which, they suspect, may have been used to that end.

Ever since Russia’s attention turned towards Ukraine in 2014 with the annexation of Crimea, countries on its eastern border have lost the spotlight. Georgia, however, is in a similar position to Ukraine, with two regions declaring independence with the help of the Russian military – South Ossetia, and Abkhazia. Therefore, it would make sense that Russia’s cyberspies would like to keep tabs on neighboring countries and their diplomatic efforts.