The attackers then used the Import-VM and Start-VM PowerShell cmdlets to import the virtual machine into Hyper-V and start it under the name WSL. The name is a deception tactic: on Windows, WSL stands for Windows Subsystem for Linux, another feature that allows running Linux containers under the Windows kernel. More popular than Hyper-V for virtualization on Windows, WSL is widely used by developers, so its presence is less likely to attract scrutiny.
The Alpine Linux VM is very small and hosts only two custom implants that Bitdefender has dubbed CurlyShell and CurlCat. Both are built on libcurl, an open-source network transfer library that supports a large number of protocols.
CurlyShell uses libcurl to connect to a command-and-control (C2) server and set up a reverse shell, meaning it listens for commands issued by the server, passes them to the Linux command line, and returns the output. CurlCat, meanwhile, acts as a proxy that tunnels SSH traffic inside HTTP requests, making that traffic harder for network monitoring tools to detect.
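A defender-side hunting script, added here as an example (it is not from the article or from Bitdefender's report), that lists the Hyper-V VMs registered on a host, flags the decoy name described above, and searches PowerShell script block logs for Import-VM/Start-VM usage. It assumes it runs with administrative rights on a Hyper-V host with the Hyper-V module installed, and that script block logging (event 4104) is enabled.

```powershell
# Added hunting script (not from the article or Bitdefender). Assumptions:
# run as administrator on a Hyper-V host with the Hyper-V PowerShell module,
# and PowerShell script block logging (event ID 4104) enabled for step 2.

# Name the campaign gave its VM, per the article; extend as needed.
$SuspectNames = @('WSL')

# 1. Enumerate registered Hyper-V VMs and record where their disks live.
#    A VM carrying the decoy name is flagged for manual verification.
$findings = foreach ($vm in Get-VM) {
    $disks = Get-VMHardDiskDrive -VMName $vm.Name
    $nics  = Get-VMNetworkAdapter -VMName $vm.Name
    [pscustomobject]@{
        Name       = $vm.Name
        State      = $vm.State
        Generation = $vm.Generation
        Created    = $vm.CreationTime
        DiskPaths  = ($disks.Path -join '; ')
        Switches   = ($nics.SwitchName -join '; ')
        NameMatch  = ($SuspectNames -contains $vm.Name)
    }
}
$findings | Format-Table -AutoSize
$findings | Where-Object NameMatch | ForEach-Object {
    Write-Warning "VM '$($_.Name)' uses a name this campaign abused; check the VHD origin: $($_.DiskPaths)"
}

# 2. Look for Import-VM / Start-VM in logged script blocks. Legitimate admin
#    tooling also uses these cmdlets, so review hits against change records.
$filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Import-VM|Start-VM' } |
    Select-Object TimeCreated,
        @{ n = 'Script'; e = { $_.Message.Substring(0, [Math]::Min(200, $_.Message.Length)) } } |
    Format-Table -Wrap
```

Any VM whose disk path sits outside the host's normal VM storage location, or whose creation time does not match a change record, deserves the same follow-up as a name match.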