Threat actor groups such as Akira Ransomware, Curly COMrades, and UNC3886 have been observed abusing native Windows Hyper-V virtualization features to create hidden Virtual Machines (VM), establishing covert, long term operations that include the adversary performing internal reconnaissance, deploying malware implants and proxying network activity whilst evading host-centric monitoring tools.

Organizations that aren’t auditing virtualized endpoints and that don’t have tailored endpoint detections alongside network observability may be at risk.

This blog post will examine the methods used by these malicious actors to abuse native virtualization features and detection strategies organizations can implement against these attacks.

What is Hyper-V?

Hyper-V is a built-in virtualization platform in Windows operating systems known as a hypervisor.

There are two main hypervisor types, type-1 (bare-metal) and type-2 (hosted). Hypervisors allow virtual environments to share hardware resources from a single host.

Type-1 hypervisors, such as VMware ESXi and Microsoft Hyper-V, are hypervisors that run directly on a host’s hardware with no other software or operating system in between it and the hardware.

Type-2 hypervisors, such as VirtualBox and VMware Workstation, run as an application on top of the host’s operating system, sharing hardware resources with the host.

Malicious Actors Abusing Hyper-V

Threat intelligence reports of this activity show malicious actors beginning these operations by executing commands aimed at enabling Microsoft’s Hyper-V features and disabling Hyper-V’s management interface using DISM.exe on their victim’s host.

Deployment Image Servicing and Management (DISM) is a command-line tool that is used to modify Windows images, allowing for Windows features to be enabled or disabled directly from the host’s command line.

Once the victim’s host has Hyper-V enabled and the Hyper-V management interface disabled, the malicious actors can either create a virtual machine or import a custom virtual machine image.

In the below example the malicious actors obfuscated and redirected commands to download their custom virtual machine image from a malicious C2 domain.

The files were masqueraded as a video file (mp4) when downloaded but were saved as a RAR file, which contained the attackers compressed VM image.

Subsequently the attacker extracted their downloaded VM image to a folder on their victim’s host using WinRAR.

They then used PowerShell’s Import-VM cmdlet to import the VM image into Hyper-V Manager.

Finally, the attacker started the malicious virtual machine using PowerShell’s cmdlet.

Security Risk Advisors

Message History

Delivery option(s)