A Sophisticated Threat Vector
Securonix researchers have discovered a recent phishing campaign, dubbed “CRON#TRAP,” that infects Windows systems with a Linux virtual machine (VM) containing a pre-installed backdoor. This attack vector is unusual: threat actors typically install such VMs manually to breach corporate networks and gain persistence, rather than delivering them by phishing.
The Use of Phishing Emails for Unattended Installs
In this campaign, phishing emails are used to perform unattended installs of Linux VMs. The emails claim to be from a “OneAmerica survey” and include a large 285MB ZIP archive that contains the Linux VM with a pre-installed backdoor.
- Email Deception: The ZIP file is crafted to deceive users into installing the Linux VM.
- Malicious Shortcut: A Windows shortcut named “OneAmerica Survey.lnk” is created, which executes a PowerShell command to extract the downloaded archive to the user’s profile directory and launch a custom QEMU virtual machine on the device.
The Custom QEMU Linux Virtual Machine
The custom TinyCore Linux VM, dubbed “PivotBox,” is preloaded with a backdoor that maintains a persistent channel between the attackers and their command and control (C2) server. The backdoor uses Chisel, a network tunneling program that carries its traffic over WebSockets.
- Chisel Network Tunneling: Chisel tunnels data over HTTP and SSH, so the attackers can reach the backdoor on the compromised host even when a firewall protects the network.
- Persistence Ensured: The QEMU environment is set to start automatically after the host reboots via custom modifications to ‘bootlocal.sh’.
Threat Actor’s Command History
Securonix highlights two commands that can be executed through the backdoor:
- get-host-shell: Spawns an interactive shell on the host, allowing command execution.
- get-host-user: Used to determine the privileges of the host user.
These commands enable the attackers to perform a range of surveillance, network, payload management, file management, and data exfiltration operations.
Defending Against QEMU Abuse
The CRON#TRAP campaign highlights that threat actors are abusing QEMU to establish stealthy communications with their C2 server. This is not an isolated incident; in March 2024, Kaspersky reported another campaign where threat actors used QEMU to create virtual network interfaces and a socket-type network device to connect to a remote server.
To defend against these attacks, consider the following measures:
- Process Monitoring: Monitor for processes such as “qemu.exe” being executed from user-accessible folders.
- Virtualization Suite Blocklisting: Add QEMU and other virtualization suites to an application blocklist.
- BIOS Configuration: Disable or block virtualization in general on critical devices from the system BIOS.
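As an added illustration of the process-monitoring measure (not code from Securonix or this article), the following Python flags process-creation records in which a QEMU binary runs from a user-writable path or is spawned by a script host such as PowerShell, the pattern described for the OneAmerica Survey shortcut above. The field names and sample records are constructed in the style of Windows process-creation telemetry and are not real events from the campaign.

```python
import re

# Constructed sample records shaped like Windows process-creation telemetry
# (Sysmon Event ID 1 style field names); they are illustrative, not real events.
SAMPLE_EVENTS = [
    {   # QEMU extracted to a user profile directory and started by PowerShell
        "Image": r"C:\Users\jdoe\datax\qemu-system-x86_64.exe",
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    },
    {   # A legitimately installed QEMU started from the desktop shell
        "Image": r"C:\Program Files\qemu\qemu-system-x86_64.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # Unrelated process
        "Image": r"C:\Windows\System32\notepad.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]

# QEMU executables: qemu.exe or qemu-system-<arch>.exe (matched by file name only)
QEMU_RE = re.compile(r"(^|\\)qemu(-system-[a-z0-9_]+)?\.exe$", re.IGNORECASE)
# Locations a standard user can write to, where an installed hypervisor should not live
USER_WRITABLE_RE = re.compile(r"^[a-z]:\\(Users|ProgramData|Temp)\\", re.IGNORECASE)
# Script hosts that a malicious shortcut would typically drive
SCRIPT_HOST_RE = re.compile(r"\\(powershell|pwsh|cmd|wscript|cscript)\.exe$", re.IGNORECASE)

def classify(event):
    """Return the reasons a process-creation event looks like QEMU abuse ([] if clean)."""
    reasons = []
    image = event.get("Image", "")
    if not QEMU_RE.search(image):
        return reasons
    if USER_WRITABLE_RE.match(image):
        reasons.append("qemu binary launched from a user-writable path")
    if SCRIPT_HOST_RE.search(event.get("ParentImage", "")):
        reasons.append("qemu spawned by a script host")
    return reasons

def find_suspicious(events):
    """Return (image path, reasons) for every event that triggers at least one rule."""
    hits = []
    for event in events:
        reasons = classify(event)
        if reasons:
            hits.append((event["Image"], reasons))
    return hits
```

Because the rules match on file name, a hypervisor binary copied under a different name would not trigger them; pair this check with file-hash or code-signer verification in production.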
Conclusion
By taking these steps, organizations can reduce the risk of infection and protect their networks against this sophisticated phishing campaign. It is essential to remain vigilant and stay informed about emerging threat vectors to ensure effective defense strategies.
References
- Securonix (2024) – CRON#TRAP Phishing Campaign
- Kaspersky (2024) – Threat Actors Abusing QEMU for Stealthy Communications