Alert: Windows Systems Targeted by Stealthy Linux VM Phishing Campaign. Here is a quick look.
CRON#TRAP Phishing Campaign Overview
A new phishing campaign, dubbed CRON#TRAP, has emerged, targeting Windows systems. This campaign infects Windows with a Linux virtual machine (VM) that contains a built-in backdoor, allowing attackers to gain stealthy access to corporate networks.
The Attack Method
The phishing emails pretend to be a “OneAmerica survey” and include a large 285MB ZIP archive. This archive contains a Windows shortcut named “OneAmerica Survey.lnk” and a “data” folder with the QEMU virtual machine application. The main executable is disguised as fontdiag.exe. When the shortcut is launched, it executes a PowerShell command to extract the downloaded archive to the “%UserProfile%\datax” folder and then launches “start.bat” to set up and launch a custom QEMU Linux VM on the device.
The Backdoor
The custom TinyCore Linux VM, named “PivotBox,” is preloaded with a backdoor that secures persistent command and control (C2) communication. This backdoor uses a tool called Chisel, which creates secure communication channels with a specific C2 server via WebSockets. Chisel tunnels data over HTTP and SSH, allowing attackers to communicate with the backdoor on the compromised host even if a firewall protects the network.
Persistence and Detection
To ensure persistence, the QEMU environment is set to start automatically after the host reboots via modifications to “bootlocal.sh.” SSH keys are generated and uploaded to avoid re-authentication. Securonix highlights two commands, “get-host-shell” and “get-host-user,” which allow attackers to execute commands, determine privileges, and perform surveillance, network and payload management actions, file management, and data exfiltration operations.
Detection and Prevention
To detect and block these attacks, it is recommended to:
- Monitor processes like “qemu.exe” executed from user-accessible folders.
- Block QEMU and other virtualization suites.
- Disable or block them if necessary.
Conclusion
The CRON#TRAP campaign is a sophisticated attack that leverages phishing emails to install a backdoored Linux VM on Windows systems. This method allows attackers to gain persistent access to corporate networks and perform a range of malicious activities. Organizations must remain vigilant and implement robust security measures to detect and prevent such attacks.
You think you have a story worth everyone’s time? SUBMIT A STORY and we will publish it
Share this content:
Post Comment