Key Takeaways:
Cybersecurity researchers have discovered a new phishing campaign, dubbed "CRON#TRAP," which tricks victims into unknowingly launching a Linux virtual machine on their Windows systems. Running the attacker's tooling inside a guest VM gives them a covert foothold in corporate networks: host-based defenses see only the emulator process, not the backdoor and commands running inside the guest, so the activity stays under the radar of traditional security controls.
A report from Securonix researchers describes how the attackers maintain access to, and steal sensitive data from, targeted Windows devices. The CRON#TRAP campaign begins with a phishing email containing a link to a large zip archive with a survey-themed name. The archive contains a Windows shortcut file; when the victim opens it, the shortcut silently launches a Linux virtual machine in the background using the QEMU emulator, which is bundled inside the archive (hence its size).
QEMU is a free, open-source machine emulator and virtualizer that supports many hardware architectures. It offers both full-system emulation and user-mode emulation, and it can reach near-native performance when paired with a hardware virtualization backend (for example KVM on Linux or WHPX on Windows). That acceleration is optional: without it, QEMU falls back to pure software emulation, which is slower but still runs a complete guest.
Researchers found that the Linux VM image, which the attackers call PivotBox, ships with a preconfigured backdoor designed to establish a secure communication channel with a command-and-control (C2) server located in the US. Their analysis of the QEMU image also turned up a history of the commands executed within the emulated Linux environment.
“The commands executed by the threat actor reveal a clear intention to establish persistence, maintain covert access,” said Tim Peck, Senior Threat Researcher at Securonix. “They were highly focused on establishing a stable, reliable, and stealthy point of access within the target’s network.”
This isn't the first instance of attackers abusing QEMU to set up stealthy communication with a command-and-control server. To counter such threats, experts recommend training employees to recognize and avoid phishing emails. Organizations should also monitor endpoints for suspicious process creation, such as 'qemu.exe' or 'qemu-system-*.exe' appearing on Windows devices. A process-name check alone is weak, because an attacker can simply rename the binary; pair it with other signals from the process-creation event, such as the PE original filename, QEMU-style command-line options, and execution from user-writable directories like Downloads or Temp.
Administrators are advised to block QEMU and other virtualization tools wherever they have no business use, preferably through application control (allowlisting approved software) rather than a name- or path-based blocklist that a renamed or relocated binary bypasses. Disabling hardware virtualization in the system firmware (BIOS/UEFI) is sometimes suggested as well, but it is a weaker control than it sounds: it detects nothing by itself, it only removes acceleration while QEMU can still run the guest in pure software emulation, and it breaks legitimate features that depend on the hypervisor, such as Hyper-V, WSL 2 and virtualization-based security.
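The endpoint-monitoring advice above is easy to state and easy to get wrong if it stops at the process name. The following is an added example, written for this article and not code from Securonix or the original page, of a detection pass over process-creation events that combines three signals: the image name, the PE OriginalFileName that Sysmon Event ID 1 records, and QEMU-specific command-line options, with the launch directory used to raise severity. The event records are constructed sample input modelled on Sysmon/4688 fields; the file names, paths and the renamed launcher are hypothetical and not indicators from the campaign.

```python
import re
from typing import Dict, List

# Constructed process-creation records modelled on the fields that Sysmon
# Event ID 1 and Windows Security Event 4688 expose. Sample input for this
# example only; none of these are events captured from CRON#TRAP.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # benign: a browser launched by the shell from Program Files
        "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
        "original_filename": "firefox.exe",
        "parent": r"C:\Windows\explorer.exe",
        "cmdline": r'"C:\Program Files\Mozilla Firefox\firefox.exe"',
    },
    {   # QEMU under its own name, started from a temp directory
        "image": r"C:\Users\alice\AppData\Local\Temp\qemu\qemu-system-x86_64.exe",
        "original_filename": "qemu-system-x86_64.exe",
        "parent": r"C:\Windows\System32\cmd.exe",
        "cmdline": (r"qemu-system-x86_64.exe -m 256 -drive file=pivot.qcow2,format=qcow2 "
                    r"-netdev user,id=n0 -device e1000,netdev=n0 -display none"),
    },
    {   # the same launcher copied to an innocuous name (hypothetical):
        # a name-only rule misses it, the other two signals do not
        "image": r"C:\Users\alice\Downloads\survey\update.exe",
        "original_filename": "qemu-system-x86_64.exe",
        "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": (r"update.exe -m 256 -hda disk.img -netdev user,id=n0 "
                    r"-device virtio-net-pci,netdev=n0 -nographic"),
    },
    {   # hypothetical build agent that legitimately uses qemu-img from Program Files
        "image": r"C:\Program Files\qemu\qemu-img.exe",
        "original_filename": "qemu-img.exe",
        "parent": r"C:\Program Files\BuildAgent\agent.exe",
        "cmdline": r"qemu-img.exe convert -O qcow2 base.raw base.qcow2",
    },
]

# QEMU executable names: qemu.exe, qemuw.exe, qemu-img.exe, qemu-system-<arch>.exe
QEMU_NAME = re.compile(r"^qemu(w|-img|-system-[a-z0-9_]+)?\.exe$", re.IGNORECASE)

# Options characteristic of a QEMU launch. Two or more on one command line is
# treated as a launch even when the binary has been renamed.
QEMU_OPTIONS = {"-drive", "-hda", "-hdb", "-cdrom", "-netdev", "-device", "-accel",
                "-display", "-nographic", "-enable-kvm", "-smp", "-boot", "-vnc",
                "-kernel", "-initrd"}

# Directories a standard user can write to; execution from here raises severity.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\",
                           re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def inspect_event(event: Dict[str, str]) -> Dict[str, object]:
    """Return which QEMU indicators an event trips and a coarse severity."""
    reasons = []
    if QEMU_NAME.match(basename(event["image"])):
        reasons.append("image name is a QEMU binary")
    if QEMU_NAME.match(event.get("original_filename", "")):
        reasons.append("PE OriginalFileName is a QEMU binary")
    opts = sorted(set(event["cmdline"].split()) & QEMU_OPTIONS)
    if len(opts) >= 2:
        reasons.append("QEMU-style command line (" + ", ".join(opts) + ")")
    if not reasons:
        return {"qemu": False, "severity": "none", "reasons": []}
    # A QEMU launch from a user-writable path is high; from an installed
    # location it may be a sanctioned install, so it is only medium.
    severity = "high" if USER_WRITABLE.search(event["image"]) else "medium"
    return {"qemu": True, "severity": severity, "reasons": reasons}


def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run inspect_event over a batch and keep only the QEMU findings."""
    findings = []
    for e in events:
        result = inspect_event(e)
        if result["qemu"]:
            findings.append({"image": e["image"], "parent": e["parent"], **result})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["image"], "<-", f["parent"])
        for r in f["reasons"]:
            print("   ", r)
```

The renamed launcher in the third record is the case the caveat is about: its image name passes a 'qemu.exe' rule, but the OriginalFileName and the `-hda`/`-netdev`/`-device`/`-nographic` combination still flag it, and the Downloads path pushes it to high. The fourth record shows why severity is tiered rather than binary: a sanctioned `qemu-img` run from Program Files is worth a look, not an alert storm.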