Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label stealth malware. Show all posts

New Malware ‘Pronsis Loader’ Uses Rare JPHP Language to Evade Detection and Deliver High-Risk Payloads

 

Trustwave SpiderLabs recently announced the discovery of a new form of malware named Pronsis Loader. This malware has already started to pose significant challenges for cybersecurity experts due to its unique design and operation. Pronsis Loader leverages JPHP, a lesser-known programming language, and incorporates sophisticated installation tactics, which complicates detection and mitigation efforts by standard security tools.

JPHP, a variation of the popular PHP programming language, is rarely seen in the world of malware development, especially for desktop applications. While PHP is commonly used for web applications, its adaptation into desktop malware through Pronsis Loader offers cybercriminals an advantage by making it harder to detect.

Pronsis Loader’s use of JPHP helps it bypass conventional detection systems, which often rely on identifying common programming languages in malware. This less common language adds an extra layer of “stealth,” allowing the malware to slip past many security tools. In addition, Pronsis Loader uses advanced obfuscation and encryption to hide during initial infection, silently installing itself by imitating legitimate processes. This stealth tactic hinders both automated and manual detection efforts.

Once Pronsis Loader is installed, it can download and execute other types of malware, such as ransomware, spyware, and data-theft tools. This modular approach makes it highly adaptable, allowing cybercriminals to customize payloads based on their target’s specific system or environment. As part of a broader trend in cybercrime, loaders like Pronsis are used in multi-stage attacks to introduce further malicious programs, providing attackers with a flexible foundation for varied threats.

To counter this evolving threat, security teams should consider adopting advanced behavioral monitoring and analysis techniques that identify malware based on its behavior, rather than relying solely on signature detection. Additionally, staying updated on threat intelligence helps to recognize rare languages and methods, such as those employed by Pronsis Loader.

 Shawn Kanady, Global Director at Trustwave SpiderLabs, emphasized the significance of Pronsis Loader’s stealth and adaptability, noting its potential to deliver high-risk payloads like Lumma Stealer and Latrodectus. Kanady concluded that understanding Pronsis Loader’s unique design and infrastructure offers valuable insights for strengthening cybersecurity defenses against future campaigns.







New Phishing Attacks Use Backdoored Linux VMs to Infect Windows Systems

 

A recent phishing campaign, named 'CRON#TRAP,' is targeting Windows systems by deploying a Linux virtual machine with an embedded backdoor, allowing covert access to corporate networks.

While attackers have previously used virtual machines in malicious activities like ransomware and cryptomining, these installations were often done manually after gaining initial access. However, Securonix researchers identified that this new campaign automates the installation of a Linux VM through phishing emails, giving attackers a persistent foothold in corporate environments.

The phishing emails mimic a "OneAmerica survey," including a 285MB ZIP file that sets up a Linux virtual machine with a backdoor once opened. The ZIP archive contains a Windows shortcut labeled "OneAmerica Survey.lnk" and a folder named "data," which houses the QEMU application disguised as "fontdiag.exe."

When executed, the shortcut triggers a PowerShell command, extracting files to the "%UserProfile%\datax" directory and launching "start.bat" to set up a QEMU Linux VM. During installation, a fake server error message in a PNG format is displayed as a decoy, suggesting a broken survey link. This custom VM, called 'PivotBox,' includes a preconfigured backdoor for continuous command-and-control (C2) communication, enabling covert background operations.

The use of QEMU—a legitimate, digitally signed virtualization tool—means Windows security systems often fail to detect these malicious processes within the virtual environment.

The campaign’s backdoor mechanism uses a tool called Chisel for secure tunneling over HTTP and SSH, allowing attackers to maintain contact with the compromised system, even if firewalls are in place. To ensure persistence, the QEMU VM is set to restart on reboot, while SSH keys are uploaded to eliminate re-authentication requirements.

Securonix researchers noted two critical commands: 'get-host-shell,' which opens an interactive shell on the host for command execution, and 'get-host-user,' which checks user privileges. These commands facilitate activities like surveillance, network management, payload deployment, file control, and data exfiltration, enabling attackers to adapt and maximize their impact on target systems.

The CRON#TRAP campaign is not the first instance of QEMU misuse in stealthy attacks. In March 2024, Kaspersky observed a similar tactic, where a lightweight backdoor within a 1MB Kali Linux VM used QEMU to create hidden network interfaces and connect to a remote server.

To mitigate these types of attacks, experts recommend monitoring for processes like 'qemu.exe' in user-accessible folders, blocking QEMU and similar virtualization tools, and disabling virtualization in critical systems’ BIOS configurations.