Martin Zujic (4:08)

Yeah, it does. Well, tell us what particular regions and sectors that they seem to be targeting and what their motivations seem to be.

Dave Bittner (4:17)

So the motivation as we've seen to do all the tactics, techniques, everything they were going after is long term data exploitation. So for us this is one of the APT groups. We've seen them actually attacking multiple victims. So the research that we published, it is not based on a single victim. As I said, we spent months monitoring and documenting what this group is doing. But what we observed, their focus is they are targeting countries where they are geopolitically halfway between Russia and Europe at this moment. So we've seen them targeting judicial and government bodies in Georgia, not the one in the U.S. the one in the borders between Russia and Europe. We've seen them targeting energy distribution company in Moldova. But one of the highlights for us was also that they used large network of legitimate but compromised websites as traffic relays. We documented some of them, but we believe there must be a lot more. So that also tell us this apt that what we've seen, even though we documented quite a lot of it, is probably just a small part of a much larger network of compromised web infrastructure they use. So what I'm trying to say, the total number of victims is definitely significantly higher than what we've seen.

Martin Zujic (5:49)

Well, can you walk us through what a typical engagement looks like? I mean when curly comrades sets their sights on someone, how does it usually go down?

Dave Bittner (5:59)

Yes. So I would say and again this is something that is very common. We don't have any insights into initial access method they used. And that is very common. Again, it's forensic investigation is not like in the movie where you know exactly like every single step would happen and there are no gaps. In many cases there are big gaps. We try to figure them out by looking at other victims, collecting more data. So that is part of the reason why research like this really take a lot of effort and time. So initial success in many cases we don't know and we will never know. We tracked the activity actually to I want to say 2023. So here is important thing, we started monitoring them from mid 2024. But during forensic investigation you are looking at everything that happened before that date. So Looking at all these artifacts that we were discovering, making sure that we are aware of the time stomping technique where they are trying to confuse us. The earliest dates that we found was November 2023 when they were active. So again we don't know initial success when it happened but we can track that they've been active for a long time now. What Trigger does here is that we detected an attempt to deploy a resource client which is not unusual, it's open source project. So BitDefender team just started investigating it and quickly found out this is much bigger than just some isolated action. We found more compromised machines credentials, started putting everything together. We've seen this threat actor have been really focused on proxying their access and making sure they have multiple ways how to get back to the victim if they would be discovered and kicked out. So we found the resource tunnel that I mentioned before. But we also found a custom Socks5 server on one of the Internet facing host that was one of the alternative entry points. And later on we discovered Dagmar attempts to build multiple tunnels between the victim network and infrastructure of the threat actors using tools like SSH or Stunnel. So that that was something that we've seen as kind of the persistent effort to regain access was a very common tactic of APT groups including this one.

Martin Zujic (8:42)

Can we dig into their persistence here? The research talks about, I believe it's called Mucor agent to help them stay hidden what's going on there?

Dave Bittner (8:52)

Yeah, so the Mucor agent was definitely the highlight for me personally. We found it on multiple systems. So this was one of the tools that they've. That was like part of the core toolkit they've been using. It's written in. Net and it executes PowerShell something that we are seeing happening with APT groups quite a lot. What was the most interesting for us was the way how this MUCOG agent is activated. It's really. We try to find anyone referencing anything similar but we couldn't find any research. So as far as I know we are the first one documented this. So what they are doing is the following the first step in the attack. There are multiple components of this MUCO agent. The first step is they are using the NET assembly that is going to hijack the COM handler. Now if you've never been dealing with the COM object, congratulations. I spent many years fighting with the DLL hell back in my early days. So this is the stuff of nightmares. This is the really complicated way how Windows sometimes execute the code instead of executing the binary they just called the class ID that might call another class ID execute something to be I don't like. There are hundreds or maybe thousands of class IDs that are part of the. Com on a typical Windows system.

Martin Zujic (10:30)

Don't hold back, Martin. Don't hold back.

Dave Bittner (10:32)

Yeah, this was again like I had night back in the days in 2000s I had nightmares about this. So I see.

Martin Zujic (10:45)

We'll be right back.

Ethan Cook (10:48)

CISO Perspectives is back with an all new season. This season is all about change. Whether it be emerging technologies like AI, shifting governmental roles or evolving threats, we are sitting down with security experts and getting their insights to help you make sense of these changes.

Dave Bittner (11:04)

We are part of a larger ecosystem and if you look at the largest cyber incidents, they have massive downstream effects.

Ethan Cook (11:11)

I'm Ethan Cook, editor of ciso Perspectives at N2K CyberWire this week host Kim Jones with his first guest Ben Yellen to discuss the current state of regulation.

Advertisement Voice (11:21)

Absolute security by definition is an oxymoron. I can secure you absolutely if you shutter your doors, wipe your computers, wrap them in Lucite and drop them in Madness trash. But then again, you ain't gonna make no money.

Ethan Cook (11:35)

CISO perspectives is an N2K Pro exclusive show, but for this season we're sharing the first two episodes free on the Cyberwire daily. To hear the full season, visit TheCyberWire.com and click on subscribe now to become an N2K Pro member.

Martin Zujic (11:52)

AI adoption is exploding and security teams are under pressure to keep up. That's why the industry is coming together at the Data SEC AI Conference, the premier event for cybersecurity, data and AI leaders. Hosted by data security leader Cierra. Built for the industry, by the industry, this two day conference is where real world insights and bold solutions take center stage. Datasec AI25 is happening November 12th and 13th in Dallas. There's no cost to attend, just bring your perspective and join the conversation. Register now@datasecai2025.com CyberWire Investigating is hard enough. Your tools shouldn't make it harder. Maltego brings all your intelligence into one platform and gives you curated data along with a full suite of tools to handle any digital investigation. Plus with on demand courses and live training, your team won't just install the platform, they'll actually use it and connect the dots so fast cybercriminals won't realize they're already in cuffs. Maltego is trusted by global law enforcement, financial institutions and security teams worldwide. See it in action now@maltego.com.

Dave Bittner (13:24)

So what they are doing is that they choose one of these many many com objects with CLSID, the class ID that I'm not going to say it's 16 characters. And so and they just change the target of that. COM object Instead of pointing to the normally executed. NET framework that would be triggered. It was actually running the mucore agent. So that is step number one. Essentially they just redirected. If something will try to run part of the. NET framework instead of running the target, it's going to run malicious code. That's one. Now the bigger question is how is this commhandler actually triggered? What is going to do it? Here comes the really smart part where they are using scheduled task for this that is disabled by default. So if you are looking at everything that is starting for example at a startup of machine, you are not going to look at this one because again, it's disabled, it's not executed. The scheduled task is responsible for something called engine in. NET Framework. NET framework comes it's not compiled code. So what happens on every single machine when you execute. NET code for the first time, it's turning into something called illustration, which is language that's optimized on execution on that specific machine. Now you can kind of also pre compile all this. NET code so it just executes faster. Again, coming back from my background, I used to deal with this a lot when we were optimizing execution on large files of service. Really what you are doing is that you are just precompiling the. NET code. Now when this is happening is at very specific times. You install new. NET that can trigger this pre compilation of the code. You install new application, this can trigger pre compilation of the code. Sometimes it is optimization, but it happens at really very random intervals. What the operating system is doing in that case is that it will just enable the scheduled task. And the trigger for the scheduled task is not on startup, logon or specific time as is usual. The trigger here is on idle. Essentially you are telling the machine, hey, I need you to pre compile all the. NET code that you have here and just do it anytime it's good time for you. If you are not busy doing something, that's when you can start this. Net pre compilation is going to pre compile all the code and when it's done it will go back and disable the scale task again. Then at random time interval, it's not specified in any way. Again, operating system can decide I want to trigger this native image generator, that's the engine. So it will enable it again and it's completely unpredictable for you, first of all when it's going to be enabled, but also when it's going to be executed and after it's done it is disabled again. So it looks to you as if it was never executed before. And that is how the mucore agent is working. So again, not only it is hijacking one of the con classes that are completely hidden in like thousands of different logistic keys behind the 16 digit long string that is the first part of it, but is also the second. How is this triggered? How is this loaded? That's also smart because it's relying on the scheduled task that is disabled, but just appears to be disabled, but it actually executes.

Martin Zujic (17:24)

So is it fair to say that this operation is fairly sophisticated?

Dave Bittner (17:30)

Yeah, absolutely. So as I was mentioning, this was the first part. There was a lot that we documented, this was what caught our attention. But that was a lot more seeing. And again, the infrastructure that was used, downloading some malicious code used as the command and as the C2 server, for example, for communication, most of it were not malicious sites, almost all of it were legitimate sites that were just compromised and redesigned to be part of this network. So again, that is one of the best signs that we have telling us like this is much more advanced operation. They stayed stealthy, under the radar for very, very long time. So yeah, it's much bigger than what we are seeing today.

Martin Zujic (18:22)

What about resilience? I mean if, when, when defenses spring up, how do they respond to that?

Dave Bittner (18:29)

That is very common. And so they used multiple methods how to get back inside if they are kicked out. That is very comm apts. The last activity that we investigated, they really, they did something that we are seeing doing all the cyber criminals, whether they are financially motivated or state affiliated, they are switching less and less to use malware and they are switching more to use normal common binaries. So for example, in the case of Cuddly Comrades, we've seen them using different tools in the past, but the last incident, and I don't see the date here or time, but this was the last one we investigated. They used SSH and they use the tstunnel that is part of the S Tunnel suite for encryption of the TCP traffic. So it's really obfuscating the SSH communication and evading the network based mechanisms in this case. But again as with many of these groups, they used multiple tools, multiple endpoints, multiple gateways inside the system. So again like all these operations are usually very sophisticated. This is not an exception.

Martin Zujic (19:46)

Yeah, so given Everything that you've collected here about this group, what are your recommendations? How should organizations best defend themselves?

Dave Bittner (19:57)

So if I look at everything we documented for the ttps and I will also give like more general little recommendation. The first one is most of these investigations we are doing, we are seeing two big problems. The first one is that the victim doesn't have EDR or xdr. We are dealing a lot more today with all the modern threat actors. We are dealing a lot more with suspicious behavior, not clearly malicious. So you really need to have the tools that will go through this noise and highlight for you. These are the things you should investigate. And it's really good to think about it. It's no longer binary, just this is bad or this is good. It's all about percentages. Like this is we are 60% sure this is suspicious. So having really good EDR XDR that doesn't provide, doesn't generate like too much noise, it's still actionable. One of the best things, things how to detect, how to minimize the time when the threat actors are on your network. So that would be one. And again in many investigations we are just seeing these tools are not deployed. The second one that we see very often are operational gaps. And what I mean by this is some companies will buy EDR XDR solutions and then at the end all they are going to do is they will just think that that is the tool that will solve the problem. But if you think about it, EDR XDR is not really that useful if you don't have your own security operations. So having your own SOC that is stuffed properly, trained properly, it's the combination of process people and tools. Then if you don't have these people looking at those alerts and triaging, then you will end up in situation that we've seen many, many times where after investigation like this we can conclude there are red flags all over the place and no one was just responding to them. I'm not saying this particular investigation, but more broadly what we are seeing in our research. So again, make sure you have the tools that will highlight to you suspicious activity on the network, on endpoints, on servers, in the cloud. And also you have the people that can respond to it, whether it's the SOC or is the managed detection and response services that you can use. The last recommendation I would do is make sure that you are keeping up with the latest research. I mentioned it during our conversation. We are seeing a lot more of the living of the land attacks. We are seeing all kinds of cybercriminals transitioning from using specialized tool to just using whatever is available on those systems. Apts are one of the last groups where at the end they usually rely on the custom malware that's really hard to detect. But again even then they are using these tools. They are using legitimate remote monitoring and management RMM tools. So we see all these cybercriminals adopting the playbook where they just use is available on the system and they don't really bring anything new that can be easily detected on the network. So be aware of LOL bins, be aware of RMM abuse by these directives.

Martin Zujic (23:42)

Our thanks to Martin Zujek from Bitdefender for joining us. The research is titled Curly Comrades, A New Threat Actor Targeting Geopolitical Hotbeds. We'll have a link in the show Notes and that's Research Saturday brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the the survey in the show notes or send an email to cyberwire2k.com this episode was produced by Liz Stokes. We're mixed by Elliot Peltzman and Trey Hester. Our executive producer is Jennifer Ibin, Peter Kilby is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here next time.

Advertisement Voice (24:45)

Bundle and Safe With Expedia, you were made to follow your favorite band and from the front row we were made to quietly save you. More Expedia Made to travel savings vary and subject to availability. Flight inclusive packages are atoll protected.

Martin Zujic (25:03)

Cyber Innovation Day is the premier event for cyber startups, researchers and top VC funds, firms building trust into tomorrow's digital world. Kick off the day with unfiltered insights and panels on securing tomorrow's technology. In the afternoon, the 8th annual DataTribe Challenge takes center stage as elite startups pitch for exposure, acceleration and funding. The Innovation Expo runs all day, connecting founders, investors and researchers around breakthroughs in cybersecurity. It all happens November 4th in Washington, D.C. discover the startups building the future of cyber. Learn more at cid Datatribe. Com.