New Phishing Campaign Leverages Malicious Linux VM to Infect Windows Devices

A new phishing campaign uses a malicious Linux virtual machine to infiltrate Windows devices and establish access to corporate networks.

Published: Nov 06, 2024


Key Takeaways:

  • The “CRON#TRAP” campaign uses a phishing email to trick victims into installing a Linux virtual machine on their Windows devices.
  • It enables hackers to deploy a Linux VM through the QEMU emulator.
  • Attackers can establish a persistent, covert communication channel with a command-and-control server.

Cybersecurity researchers have discovered a new phishing campaign, dubbed “CRON#TRAP,” which lures victims into unknowingly installing a Linux virtual machine on their Windows systems. This sophisticated tactic provides attackers with a covert foothold in corporate networks, allowing them to operate under the radar of traditional security defenses.

A report from Securonix researchers reveals that hackers are using a new method to maintain access and steal sensitive data from targeted Windows devices. The CRON#TRAP campaign begins with a phishing email containing a link to a large zip file, disguised with a survey-related name. When opened, the zip file runs a shortcut that silently deploys a Linux virtual machine in the background using the QEMU emulator.

QEMU is a free, open-source tool that emulates a wide range of hardware architectures. It supports both full-system emulation and user-mode emulation, and it can reach near-native performance when paired with hardware virtualization support.

How are hackers using a hidden Linux VM to gain persistent access?

Researchers discovered that the Linux VM instance includes a preconfigured backdoor, designed to establish a secure communication channel with a command-and-control (C2) server located in the US. Their analysis of the QEMU image, known as PivotBox, revealed a log of all commands executed within the emulated Linux environment.

“The commands executed by the threat actor reveal a clear intention to establish persistence, maintain covert access,” said Tim Peck, Senior Threat Researcher at Securonix. “They were highly focused on establishing a stable, reliable, and stealthy point of access within the target’s network.”

Figure: Contents of OneAmerica Survey.zip (Image Credit: Microsoft)

What steps can organizations take to block QEMU-based attacks?

This isn’t the first instance of hackers exploiting the QEMU tool to set up stealthy communication with their command-and-control server. To counter such threats, experts recommend training employees to recognize and avoid phishing emails. Organizations should also implement endpoint monitoring to detect suspicious processes like ‘qemu.exe’ on Windows devices.

Administrators are advised to blocklist QEMU and other virtualization tools to prevent unauthorized use. Moreover, disabling virtualization features in the system BIOS can also help detect and prevent similar campaigns.
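As an added example (not code from the article or from the Securonix report), the following Python scores constructed Sysmon-style process-creation events for the indicators the article points to: a QEMU-family executable, launched from a user-writable location, running without a display. The event field names, sample paths, user names and the `PivotBox.qcow2` filename are assumptions made for the demonstration.

```python
import re

# Constructed Sysmon-style process-creation records (not real telemetry).
# Event 1 mimics the campaign: QEMU unpacked from a survey-named archive into
# a temp folder and started headless. Event 2 is a legitimate developer VM.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Local\Temp\OneAmerica Survey\qemu.exe",
     "CommandLine": "qemu.exe -m 512 -display none -hda PivotBox.qcow2",
     "ParentImage": r"C:\Windows\explorer.exe", "User": "CORP\\alice"},
    {"Image": r"C:\Program Files\qemu\qemu-system-x86_64.exe",
     "CommandLine": "qemu-system-x86_64.exe -m 4096 -hda dev.qcow2",
     "ParentImage": r"C:\Windows\explorer.exe", "User": "CORP\\devops"},
    {"Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": "CORP\\alice"},
]

# qemu.exe, qemu-system-<arch>.exe and qemu-img.exe, matched on the file name only.
QEMU_IMAGE = re.compile(r"(^|\\)qemu(-system-[\w-]+|-img)?\.exe$", re.IGNORECASE)
# Profile directories a phishing payload can write to without admin rights.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop)\\", re.IGNORECASE)
# Real QEMU switches that suppress the guest window; a VM nobody can see is the point.
HEADLESS = re.compile(r"-display\s+none|-nographic", re.IGNORECASE)


def score_event(event):
    """Return (score, reasons) for one process-creation event; non-QEMU images score 0."""
    reasons = []
    if not QEMU_IMAGE.search(event["Image"]):
        return 0, reasons
    reasons.append("qemu-family executable launched")
    if USER_WRITABLE.search(event["Image"]):
        reasons.append("binary runs from a user-writable path")
    if HEADLESS.search(event.get("CommandLine", "")):
        reasons.append("headless VM (no display)")
    return len(reasons), reasons


def find_suspicious(events, threshold=2):
    """Events at or above the threshold; a lone QEMU launch is informational, not an alert."""
    hits = []
    for event in events:
        score, reasons = score_event(event)
        if score >= threshold:
            hits.append({"image": event["Image"], "user": event["User"],
                         "score": score, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(hit["user"], hit["image"], hit["score"], "; ".join(hit["reasons"]))
```

The threshold keeps sanctioned QEMU installs under Program Files out of the alert queue while still recording them, which matches the blocklisting advice above: a site that bans QEMU outright can lower the threshold to 1.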
