Category: Microsoft|Nov 7, 2024 | Author: Admin

Windows infected with backdoored Linux VMs in new phishing attacks

A new phishing campaign dubbed 'CRON#TRAP' infects Windows with a Linux virtual machine that contains a built-in backdoor to give stealthy access to corporate networks.

Using virtual machines to conduct attacks is nothing new, with ransomware gangs and cryptominers using them to stealthily perform malicious activity. However, threat actors commonly install these manually after they breach a network.

A new campaign spotted by Securonix researchers is instead using phishing emails to perform unattended installs of Linux virtual machines to breach and gain persistence on corporate networks.

The phishing emails pretend to be a "OneAmerica survey" that includes a large 285MB ZIP archive to install a Linux VM with a pre-installed backdoor.

This ZIP file contains a Windows shortcut named "OneAmerica Survey.lnk" and a "data" folder that contains the QEMU virtual machine application, with the main executable disguised as fontdiag.exe.

When the shortcut is launched, it executes a PowerShell command to extract the downloaded archive to the "%UserProfile%\datax" folder and then launch the "start.bat" to set up and launch a custom QEMU Linux virtual machine on the device.

While the virtual machine is being installed, the same batch file will display a PNG file downloaded from a remote site that shows a fake server error as a decoy, implying a broken link to the survey.

The custom TinyCore Linux VM, named 'PivotBox', is preloaded with a backdoor that maintains persistent command-and-control (C2) communication, allowing the attackers to operate in the background.

Since QEMU is a legitimate tool that is also digitally signed, Windows does not raise any alarms about it running, and security tools cannot scrutinize what malicious programs are running inside the virtual machine.

Backdoor operations

At the heart of the backdoor is a tool called Chisel, a network tunneling program that is pre-configured to create secure communication channels with a specific command and control (C2) server via WebSockets.

Chisel tunnels data over HTTP and SSH, allowing the attackers to communicate with the backdoor on the compromised host even if a firewall protects the network.

For persistence, modifications to 'bootlocal.sh' make the QEMU environment start automatically after the host reboots. At the same time, SSH keys are generated and uploaded so the attackers do not have to re-authenticate.

Securonix highlights two commands, namely 'get-host-shell' and 'get-host-user'. The first spawns an interactive shell on the host, allowing command execution, while the second is used to determine the privileges of the current user.

The commands that can then be executed cover surveillance, network and payload management, file management, and data exfiltration. This versatile set lets the attackers adapt to the target and carry out damaging actions.

Defending against QEMU abuse

The CRON#TRAP campaign isn't the first occurrence of hackers abusing QEMU to establish stealthy communications to their C2 server.

In March 2024, Kaspersky reported another campaign where threat actors used QEMU to create virtual network interfaces and a socket-type network device to connect to a remote server.

In that case, a very lightweight backdoor hidden inside a Kali Linux virtual machine running on just 1MB of RAM was used to set up a covert communications tunnel.

To detect and block these attacks, consider monitoring for processes such as 'qemu.exe' executed from user-accessible folders, adding QEMU and other virtualization suites to a blocklist, and disabling or blocking virtualization in general on critical devices from the system BIOS.

Sources: bleepingcomputer.com
