The attackers then used the Import-VM and Start-VM PowerShell cmdlets to import the virtual machine into Hyper-V and start it with the name WSL — a deception tactic given that WSL on Windows stands for Windows Subsystem for Linux, another feature that allows running Linux containers under the Windows kernel. More popular than Hyper-V for virtualization on Windows, WSL is widely used by developers, making its presence less likely to receive scrutiny.
The Alpine Linux VM is very small and hosts only two custom implants that Bitdefender has dubbed CurlyShell and CurlCat. They are both built using libcurl, an open-source network transfer library that supports a large variety of protocols.
CurlyShell uses libcurl to connect to a command-and-control (C2) server and set up a reverse shell, meaning it listens for commands issued by the server, passes them to the Linux command line, and returns the output. Meanwhile, CurlCat acts as a proxy for tunneling SSH traffic as HTTP requests, making that traffic harder to detect by network monitoring tools.
