New Phishing Attacks Use Backdoored Linux VMs to Infect Windows Systems

A recent phishing campaign, named 'CRON#TRAP,' is targeting Windows systems by deploying a Linux virtual machine with an embedded backdoor, allowing covert access to corporate networks.

While attackers have previously used virtual machines in malicious activities like ransomware and cryptomining, these installations were often done manually after the attackers had gained initial access. However, Securonix researchers identified that this new campaign automates the installation of a Linux VM through phishing emails, giving attackers a persistent foothold in corporate environments.

The phishing emails mimic a "OneAmerica survey" and include a 285MB ZIP file that, once opened, sets up a Linux virtual machine with a backdoor. The ZIP archive contains a Windows shortcut labeled "OneAmerica Survey.lnk" and a folder named "data," which houses the QEMU application disguised as "fontdiag.exe."

When executed, the shortcut triggers a PowerShell command that extracts the files to the "%UserProfile%\datax" directory and launches "start.bat" to set up a QEMU Linux VM. During installation, a PNG image of a fake server error message is displayed as a decoy, suggesting a broken survey link. This custom VM, called 'PivotBox,' includes a preconfigured backdoor for continuous command-and-control (C2) communication, enabling covert background operations.

The use of QEMU—a legitimate, digitally signed virtualization tool—means Windows security systems often fail to detect these malicious processes within the virtual environment.

The campaign’s backdoor mechanism uses a tool called Chisel for secure tunneling over HTTP and SSH, allowing attackers to maintain contact with the compromised system, even if firewalls are in place. To ensure persistence, the QEMU VM is set to restart on reboot, while SSH keys are uploaded to eliminate re-authentication requirements.

Securonix researchers noted two critical commands: 'get-host-shell,' which opens an interactive shell on the host for command execution, and 'get-host-user,' which checks user privileges. These commands facilitate activities like surveillance, network management, payload deployment, file control, and data exfiltration, enabling attackers to adapt and maximize their impact on target systems.

The CRON#TRAP campaign is not the first instance of QEMU misuse in stealthy attacks. In March 2024, Kaspersky observed a similar tactic, where a lightweight backdoor within a 1MB Kali Linux VM used QEMU to create hidden network interfaces and connect to a remote server.

To mitigate these types of attacks, experts recommend monitoring for processes like 'qemu.exe' in user-accessible folders, blocking QEMU and similar virtualization tools, and disabling virtualization in critical systems’ BIOS configurations.
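The monitoring recommendation above can be sketched as detection logic over process-creation events. This is an added example, not code from Securonix or from this post. Because the campaign renamed QEMU to "fontdiag.exe", it goes beyond a name match and also looks for QEMU-style command-line options. The Sysmon-style field names, the list of user-writable directories, the option list and the sample events are assumptions constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Directories a standard user can write to (assumed list; tune per environment).
USER_WRITABLE = re.compile(r"^[a-z]:\\(users|programdata|windows\\temp)\\", re.I)
# Options typical of a headless QEMU launch; a renamed binary still needs them.
QEMU_OPTS = re.compile(r"(?<!\S)-(nographic|hda|drive|netdev|nic|smp|accel|m)(?!\S)", re.I)

def score_event(event):
    """Return the reasons a process-creation event looks like QEMU in a user folder."""
    image = event["Image"]
    reasons = []
    if not USER_WRITABLE.match(image):
        return reasons  # managed installs (e.g. Program Files) are out of scope here
    name = PureWindowsPath(image).name.lower()
    if name.startswith("qemu"):
        reasons.append("qemu-named binary in user-writable path")
    # Require two distinct options so a lone "-m" on an unrelated tool is ignored.
    opts = {m.lower() for m in QEMU_OPTS.findall(event.get("CommandLine", ""))}
    if len(opts) >= 2:
        reasons.append("qemu-style options: " + ",".join(sorted(opts)))
    return reasons

def detect(events):
    """Return (image, reasons) for every event with at least one reason."""
    return [(e["Image"], r) for e in events if (r := score_event(e))]

# Constructed sample events using Sysmon Event ID 1 field names; the command
# lines are illustrative and are not the ones used in the campaign.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\datax\data\fontdiag.exe",
     "CommandLine": "fontdiag.exe -m 256M -nographic -hda disk.img"},
    {"Image": r"C:\Users\bob\Downloads\qemu-system-x86_64.exe",
     "CommandLine": "qemu-system-x86_64.exe --version"},
    {"Image": r"C:\Program Files\qemu\qemu-system-x86_64.exe",
     "CommandLine": "qemu-system-x86_64.exe -m 2G -hda lab.qcow2"},
    {"Image": r"C:\Users\alice\AppData\Local\Programs\app\app.exe",
     "CommandLine": "app.exe -m"},
]

if __name__ == "__main__":
    for image, reasons in detect(SAMPLE_EVENTS):
        print(image, "->", "; ".join(reasons))
```

Only the first two sample events are flagged: the renamed binary is caught by its options, and the second by its name alone.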