
New ‘Curly COMrades’ APT Using NGEN COM Hijacking in Georgia, Moldova Attacks
The cyber landscape is perpetually reshaped by sophisticated threat actors seeking to compromise critical infrastructure and sensitive data. A new, previously undocumented Advanced Persistent Threat (APT) group, dubbed Curly COMrades, has emerged on the scene, exhibiting highly advanced techniques. Recent observations reveal their focus on entities within Georgia and Moldova, employing a novel approach to gain and maintain long-term access: NGEN COM hijacking.
This deep dive explores the tactics, techniques, and procedures (TTPs) of Curly COMrades, shedding light on their strategic objectives and offering critical insights for cybersecurity professionals tasked with defending against such potent threats.
Introducing Curly COMrades: A New APT on the Horizon
Curly COMrades represents a significant addition to the roster of state-sponsored or highly organized APT groups. Their targets in Georgia and Moldova suggest a geopolitical motivation, likely aimed at cyber espionage. Unlike transient opportunistic attacks, their campaign is meticulously designed for sustained network presence.
Their primary objective, observed repeatedly, is the exfiltration of the NTDS database (the NTDS.dit file on each domain controller). This database is the linchpin of Windows domain authentication: it holds every account's password hashes, Kerberos keys and other authentication material. An attacker who obtains it usually gains near-unfettered access to the organization's entire Windows infrastructure, enabling widespread lateral movement and persistent control.
NGEN COM Hijacking Explained
The core of Curly COMrades’ operational strategy revolves around a sophisticated technique known as NGEN COM hijacking. To understand this, we first need to quickly review some underlying Windows components:
- COM (Component Object Model): A Microsoft technology that allows software components to interact with each other in a language-agnostic way. Many Windows features and applications rely on COM objects.
- NGEN (Native Image Generator): A .NET Framework utility that pre-compiles Intermediate Language (IL) assemblies to native code so managed applications start faster. Windows runs it in the background through scheduled tasks under \Microsoft\Windows\.NET Framework (for example ".NET Framework NGEN v4.0.30319"), which execute as SYSTEM. Their action is not a command line but a COM handler: when the task fires, the Task Scheduler instantiates a COM class identified by a CLSID.
NGEN COM hijacking does not exploit a vulnerability. It is a persistence technique (MITRE ATT&CK T1546.015, Component Object Model Hijacking) that abuses how COM resolves a CLSID. A COM class's registration lives in the registry: the InprocServer32 value under HKLM\Software\Classes\CLSID\{clsid} (or a per-user copy under HKCU\Software\Classes, which COM consults first) names the DLL to load. The attacker drops a DLL and points the CLSID used by the NGEN task at it; the next time the task fires, the Task Scheduler's host process loads the attacker's DLL under the task's principal, SYSTEM, without spawning a new executable, installing a service, or touching a Run key. Because the NGEN tasks run as SYSTEM, the relevant key is in HKLM and the hijack requires administrative rights on the host; what it buys is durable, scheduled SYSTEM-level code execution that survives reboots and credential resets and that process-launch-centric controls tend to miss.
The technique is hard to spot because every visible actor is legitimate: a Microsoft-signed scheduled task, the Task Scheduler's own host process, and a CLSID that has existed on the system since .NET was installed. The only attacker-controlled artefacts are one registry value and one DLL on disk. This is a "living off the land" pattern in the strict sense: the trigger and the loader are built into Windows, so the activity blends into routine maintenance rather than standing out as a new executable, service or autorun entry.
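The hunt below is an added example, not code from the original article or from any published reporting on this group. It enumerates every scheduled task whose action is a COM handler (the NGEN tasks are wired up this way), resolves each task's CLSID through the hives COM consults, and flags the shapes a hijack leaves behind: a per-user or SYSTEM-profile key shadowing the HKLM one, an unsigned or missing server binary, or a binary outside the Windows directory. The function names and the flag heuristics are this example's own; it assumes Windows PowerShell 5.1 or later with the ScheduledTasks module, run elevated so every task definition and hive is readable.

```powershell
# Added example, not from the original article. Hunts for COM-handler scheduled
# tasks (the NGEN tasks among them) and checks where each task's CLSID resolves.
# Assumes Windows PowerShell 5.1+ with the ScheduledTasks module, run elevated.

function Get-ComHandlerTask {
    # One record per <ComHandler> action: the task, the principal it runs as,
    # and the CLSID the Task Scheduler will instantiate when it fires.
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        try {
            [xml]$xml = Export-ScheduledTask -TaskName $task.TaskName -TaskPath $task.TaskPath -ErrorAction Stop
        } catch { continue }
        foreach ($h in @($xml.Task.Actions.ComHandler)) {
            if (-not $h.ClassId) { continue }
            [pscustomobject]@{
                Task    = $task.TaskPath + $task.TaskName
                RunAs   = $task.Principal.UserId
                ClassId = $h.ClassId
            }
        }
    }
}

function Resolve-ClsidServer {
    # COM consults HKCU\Software\Classes before HKLM\Software\Classes, so a
    # per-user key that shadows the machine one is the classic hijack shape.
    # Tasks running as SYSTEM see the SYSTEM profile hive (HKU\S-1-5-18), so
    # that hive is checked as well.
    param([Parameter(Mandatory)][string]$ClassId)
    $hives = [ordered]@{
        'HKCU'   = "HKCU:\Software\Classes\CLSID\$ClassId"
        'SYSTEM' = "Registry::HKEY_USERS\S-1-5-18\Software\Classes\CLSID\$ClassId"
        'HKLM'   = "HKLM:\Software\Classes\CLSID\$ClassId"
    }
    foreach ($hive in $hives.Keys) {
        foreach ($server in 'InprocServer32', 'LocalServer32') {
            $key = "$($hives[$hive])\$server"
            if (-not (Test-Path -LiteralPath $key)) { continue }
            $raw = (Get-ItemProperty -LiteralPath $key).'(default)'
            if (-not $raw) { continue }
            $path = [Environment]::ExpandEnvironmentVariables($raw)
            # LocalServer32 values may be quoted and carry arguments; keep only the binary.
            $file = if ($path -match '^"([^"]+)"') { $Matches[1] }
                    else { $path -replace '^(.*?\.(exe|dll))\b.*$', '$1' }
            $sig = if (Test-Path -LiteralPath $file) {
                       (Get-AuthenticodeSignature -FilePath $file).Status.ToString()
                   } else { 'FileMissing' }
            [pscustomobject]@{ Hive = $hive; Server = $server; Path = $path; File = $file; Signature = $sig }
        }
    }
}

function Find-SuspiciousComHandlerTask {
    # Flag shadowing entries, unsigned or missing binaries, and binaries outside
    # the Windows directory. The flags are this example's own heuristics.
    $windir = [regex]::Escape($env:SystemRoot)
    foreach ($t in Get-ComHandlerTask) {
        $servers = @(Resolve-ClsidServer -ClassId $t.ClassId)
        $flags = @()
        foreach ($s in $servers) {
            if ($s.Hive -ne 'HKLM')                 { $flags += "$($s.Hive) shadows HKLM" }
            if ($s.Signature -ne 'Valid')           { $flags += "$($s.Hive) $($s.Signature)" }
            if ($s.File -notmatch "^(?i)$windir\\") { $flags += "$($s.Hive) outside $env:SystemRoot" }
        }
        if ($servers.Count -eq 0) { $flags += 'CLSID not registered' }
        [pscustomobject]@{
            Task    = $t.Task
            RunAs   = $t.RunAs
            ClassId = $t.ClassId
            Servers = ($servers | ForEach-Object { "$($_.Hive):$($_.Path)" }) -join '; '
            Flags   = $flags -join ', '
        }
    }
}

Find-SuspiciousComHandlerTask | Sort-Object { $_.Flags.Length } -Descending | Format-Table -AutoSize -Wrap
```

Two caveats when reading the output. HKCU in an elevated session is the administrator's own hive, not the hive of the task's principal, so the SYSTEM row is the one that matters for the NGEN tasks. And a hijack written to HKLM by an attacker who already has administrative rights produces no shadowing at all; it shows up only through the signature and path heuristics, or by diffing the CLSID's InprocServer32 against a known-good baseline from a clean build.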
Strategic Intent: Long-Term Access and NTDS Exfiltration
The repeated attempts to extract the NTDS database underscore Curly COMrades' strategic intent: to establish enduring access and maintain a pervasive presence within compromised networks. Obtaining the NTDS database facilitates:
- Credential Harvesting: The NTLM hashes it contains can be cracked offline to recover plaintext passwords, or used directly in pass-the-hash authentication without cracking at all.
- Golden Ticket Attacks: With the KRBTGT account's key material (stored in the NTDS database), attackers can forge Kerberos ticket-granting tickets for any identity in the domain, and those tickets stay valid until the KRBTGT password has been reset twice.
- Lateral Movement: Armed with valid credentials, the group can move between hosts over ordinary administrative protocols, which is difficult to distinguish from legitimate administration, escalating privileges and expanding their footprint as they go.
This focus on a target as valuable as the NTDS database highlights the group's capabilities and their understanding of Windows enterprise environments. Their persistence in these attempts also points to a clear, pre-defined objective beyond simple data theft.
Remediation Actions and Mitigations
Defending against an APT group employing techniques like NGEN COM hijacking and targeting critical assets requires a multi-layered and proactive security posture. Here are essential remediation actions and mitigation strategies:
- Patch Management: Ensure all systems, especially domain controllers and critical servers, are fully patched. Patching does not prevent COM hijacking itself, which needs no software defect, but it closes the initial-access and privilege-escalation vulnerabilities an attacker has to chain through to obtain the administrative rights the hijack requires.
- Endpoint Detection and Response (EDR): Deploy EDR solutions that monitor for anomalous process behavior, writes to CLSID\...\InprocServer32 values under HKLM and HKCU (Sysmon Event ID 13 captures these), DLLs loaded into Task Scheduler host processes from unexpected paths, and unusual activity around the NGEN scheduled tasks. Look for EDRs with strong behavioral analysis capabilities.
- Active Directory Security:
- Implement strong, unique passwords for all accounts, especially privileged ones.
- Enable multi-factor authentication (MFA) for all administrative accounts and as many user accounts as possible.
- Reset the KRBTGT account password on a schedule (at least twice a year) and immediately after any suspected NTDS compromise. Reset it twice, with enough time between the resets for replication to complete and for existing tickets to expire, since forged tickets remain valid until the second reset.
- Monitor Event ID 4662 (An operation was performed on an object) on domain controllers, with Directory Service Access auditing enabled, for replication rights such as DS-Replication-Get-Changes-All being requested by accounts other than domain controllers; this is what DCSync-style NTDS extraction looks like in the logs. Also monitor 4742 (A computer account was changed) for unexpected modifications to domain controller computer objects.
- Network Segmentation: Isolate critical assets like domain controllers from the broader network through effective network segmentation. This limits lateral movement options for attackers.
- Least Privilege Principle: Enforce the principle of least privilege for all users and services. Restrict administrative rights to only those who absolutely require them for their job functions.
- Application Control: Use WDAC or AppLocker with DLL rules as well as executable rules on critical systems. A COM hijack loads a DLL into a legitimate host process, so a policy that only governs .exe launches will not stop it.
- Regular Backups: Maintain offsite, encrypted, and immutable System State backups of domain controllers (which include the NTDS database) and other critical system data. Test recovery procedures regularly.
- Threat Hunting: Proactively hunt for indicators of compromise (IOCs) associated with NGEN COM hijacking or NTDS extraction. On endpoints, diff the CLSIDs used by scheduled tasks against a known-good build; on domain controllers, look for replication requests from non-DC accounts, for ntdsutil or shadow-copy commands in process-creation logs, and for unusual outbound traffic originating from the DCs themselves.
No CVE applies to this technique, and none should be expected: COM hijacking abuses documented registry lookup behaviour rather than a software defect, so it cannot be patched away. Organizations should still monitor advisories from their security vendors and national CERTs for emerging vulnerabilities (CVE-2023-XXXXX) that could hand an attacker the administrative access the hijack requires.
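The two hunts below are an added example, not code from the original article or from any published reporting on this group. They cover the domain-controller side of the Active Directory monitoring and threat-hunting items above: the first flags Event ID 4662 entries in which a principal other than a domain controller requested a directory replication right (the DCSync shape of NTDS extraction), the second flags 4688 process-creation entries whose command line names the tools used to copy NTDS.dit from a running DC. The function names, the -KnownGoodAccounts parameter and the command-line pattern are this example's own. It assumes it runs elevated on a domain controller with the ActiveDirectory module available, with the "Audit Directory Service Access" and "Audit Process Creation" subcategories enabled and command-line logging turned on for 4688.

```powershell
# Added example, not from the original article. Hunts a domain controller's
# Security log for the two usual routes to the NTDS database: replication
# requests (DCSync) and on-disk copies via ntdsutil or shadow copies.
# Assumes an elevated session on a DC with the ActiveDirectory module, with
# Directory Service Access and Process Creation (with command line) auditing on.

# Control-access-right GUIDs that appear in the Properties field of event 4662
# when a principal replicates directory changes.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function ConvertFrom-EventData {
    # Turn an event's <EventData> into a hashtable keyed by each Data element's Name.
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $data = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $data
}

function Find-DCSyncEvent {
    # 4662 carrying a replication right, requested by something other than a
    # domain controller's computer account. DCs replicate constantly; anyone
    # else asking for Get-Changes-All is a sync product you already know about
    # (pass it in -KnownGoodAccounts after verifying it) or credential theft.
    param(
        [int]$Hours = 24,
        [string[]]$KnownGoodAccounts = @()   # example's own parameter, e.g. a verified sync account
    )
    $dcAccounts = Get-ADDomainController -Filter * | ForEach-Object { "$($_.Name)$" }
    $filter = @{ LogName = 'Security'; Id = 4662; StartTime = (Get-Date).AddHours(-$Hours) }
    foreach ($e in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        $d = ConvertFrom-EventData $e
        $rights = foreach ($m in [regex]::Matches($d.Properties, '(?i)[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}')) {
            if ($ReplicationRights.ContainsKey($m.Value)) { $ReplicationRights[$m.Value] }
        }
        if (-not $rights) { continue }
        $who = $d.SubjectUserName
        if ($who -in $dcAccounts -or $who -in $KnownGoodAccounts) { continue }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Account = "$($d.SubjectDomainName)\$who"
            Rights  = ($rights | Sort-Object -Unique) -join ', '
            Object  = $d.ObjectName
        }
    }
}

function Find-NtdsExtractionEvent {
    # 4688 entries whose command line names the tools used to copy NTDS.dit
    # while the DC is running: ntdsutil "ifm" media creation, vssadmin or
    # diskshadow shadow copies, or a copy straight out of a shadow-copy path.
    param([int]$Hours = 24)
    $filter  = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    $pattern = 'ntdsutil|create\s+shadow|diskshadow|HarddiskVolumeShadowCopy|ntds\.dit|activate instance|ac i ntds'
    foreach ($e in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        $d = ConvertFrom-EventData $e
        $cmd = "$($d.NewProcessName) $($d.CommandLine)"
        if ($cmd -notmatch $pattern) { continue }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Account = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Parent  = $d.ParentProcessName
            Command = $cmd.Trim()
        }
    }
}

Find-DCSyncEvent -Hours 72 | Format-Table -AutoSize
Find-NtdsExtractionEvent -Hours 72 | Format-Table -AutoSize -Wrap
```

Both hunts are deliberately noisy in the direction of false positives rather than misses: backup agents, identity synchronisation services and legitimate IFM media creation will all appear, and each should be confirmed and then excluded by account rather than by loosening the pattern. A DC that shows no 4662 events at all almost certainly has the audit subcategory off, which is itself a finding.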
Tools for Detection and Mitigation
Leveraging the right tools is crucial in the fight against sophisticated APTs like Curly COMrades. Here’s a table of relevant tools that can aid in detection, scanning, and mitigation:
Tool Name | Purpose | Link |
---|---|---|
Sysinternals Process Monitor | Real-time file system, registry, and process/thread activity monitoring; useful for observing COM object registration. | https://learn.microsoft.com/en-us/sysinternals/downloads/procmon |
ADRecon | Gathers information about the Active Directory environment for security assessments. | https://github.com/HuubKe/ADRecon |
Mimikatz | While primarily an attack tool, understanding its capabilities (LSASS credential dumping and DCSync replication requests against a domain controller) informs detection and defensive strategies. | https://github.com/gentilkiwi/mimikatz |
BloodHound | Maps Active Directory attack paths; helps identify privilege escalation and lateral movement opportunities. | https://bloodhoundenterprise.io/open-source |
Microsoft Defender for Endpoint | Comprehensive EDR solution for behavioral detection and threat intelligence. | https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/ |
Varonis Data Security Platform | Monitors data access and behavior on file servers and Active Directory, detecting abnormal activity. | https://www.varonis.com/ |
Conclusion
The emergence of Curly COMrades with their sophisticated NGEN COM hijacking techniques and persistent targeting of NTDS databases serves as a stark reminder of the evolving threat landscape. Organizations, especially those in geopolitical hotspots, must fortify their defenses, focusing on robust Active Directory security, comprehensive endpoint monitoring, and proactive threat hunting. Staying informed about new TTPs and implementing layered security controls are paramount to thwarting such advanced and determined adversaries.