CRON#TRAP Phishing Attack: A Linux VM Backdoor Hides Inside Windows Systems
CRON#TRAP Campaign Overview
CRON#TRAP is a recent phishing attack discovered by Securonix researchers, targeting corporate networks through a Linux VM deployed via phishing emails. The email, disguised as a survey from OneAmerica, contains a 285MB ZIP file with a Windows shortcut and a custom QEMU virtual machine. When the file is opened, it installs the Linux VM, named PivotBox, with a pre-configured backdoor for remote access.
How CRON#TRAP Operates
1. Infection via Phishing: A phishing email with a ZIP attachment claims to be a survey but hides a malicious payload.
2. VM Deployment: Executing the file installs a TinyCore Linux VM on the host through QEMU, which appears legitimate and is digitally signed, bypassing some security scrutiny.
Start.bat batch file installing the QEMU Linux virtual machine
Source: BleepingComputer
3. Chisel Backdoor: The VM contains Chisel, a tunneling tool that uses HTTP and SSH to communicate with a remote Command and Control (C2) server.
4. Persistence and Commands: The backdoor enables persistence via bootlocal.sh, ensuring the VM restarts on reboot. Commands include get-host-shell (to access an interactive shell) and get-host-user (to assess user privileges), with actions ranging from network surveillance to data exfiltration.
LNK file contents
Source: Securonix
Key Technical Points
- Decoy Tactics: While installing, the script displays a server error message as a distraction.
- Persistence: SSH keys generated during setup allow persistent communication without repeated authentication.
- Stealth: QEMU’s signed status allows it to run undetected, while malware inside the VM is less visible to host security tools.
Threat actor’s command history
Source: Securonix
Preventing and Detecting QEMU-Based Attacks
To defend against such attacks, implement the following strategies:
- Process Monitoring: Monitor and flag unusual executions of qemu.exe from non-administrator folders.
- Application Whitelisting: Restrict or block QEMU and other virtualization software on critical systems where virtualization is not essential.
- BIOS and System Security: Disable unnecessary virtualization features in BIOS, and review VM permissions on workstations.
- Endpoint Detection and Response (EDR): Use EDR tools that can detect unusual network activity, such as unexpected SSH or HTTP connections to suspicious IP addresses.
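The process-monitoring advice above, turned into a small check over process-creation events. This is an added example written for this article, not code from Securonix or BleepingComputer; it assumes Sysmon-style JSON fields (Image, ParentImage, ProcessId), a trusted QEMU install path that you would adjust for your environment, and constructed sample events.

```python
import json
from pathlib import PureWindowsPath

# Where a legitimately installed QEMU would normally live on Windows (assumption;
# adjust to the install paths used in your own environment).
TRUSTED_QEMU_DIRS = (r"c:\program files\qemu", r"c:\program files (x86)\qemu")


def qemu_launch_findings(ev: dict) -> list[str]:
    """Reasons a Sysmon-style process-creation event resembles the CRON#TRAP
    QEMU launch; an empty list means not a QEMU start, or a benign-looking one."""
    image = PureWindowsPath(ev.get("Image", ""))
    name = image.name.lower()
    if not (name.startswith("qemu") and name.endswith(".exe")):
        return []
    findings = []
    image_dir = str(image.parent).lower()
    # Signal 1: the QEMU binary runs from a non-administrator folder (e.g. an extracted ZIP).
    if not any(image_dir.startswith(d) for d in TRUSTED_QEMU_DIRS):
        findings.append(f"QEMU binary running from an untrusted folder: {image.parent}")
    # Signal 2: started by cmd.exe, as a start.bat-style batch file would do.
    parent = PureWindowsPath(ev.get("ParentImage", "")).name.lower()
    if parent == "cmd.exe":
        findings.append("launched by cmd.exe, consistent with a batch-file installer")
    return findings


def scan_process_log(jsonl: str) -> dict[int, list[str]]:
    """Apply the check to newline-delimited JSON events; returns {ProcessId: findings}."""
    hits = {}
    for line in jsonl.splitlines():
        if line.strip():
            ev = json.loads(line)
            findings = qemu_launch_findings(ev)
            if findings:
                hits[ev["ProcessId"]] = findings
    return hits


# Constructed sample events, not real telemetry: a normal QEMU start from its install
# directory, a Notepad start, and a QEMU start from a folder under the user's
# Downloads that was kicked off by a batch file.
SAMPLE_LOG = r"""
{"ProcessId": 4120, "Image": "C:\\Program Files\\qemu\\qemu-system-x86_64.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
{"ProcessId": 4188, "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
{"ProcessId": 5216, "Image": "C:\\Users\\alice\\Downloads\\OneAmerica_Survey\\qemu-system-x86_64.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
"""

if __name__ == "__main__":
    for pid, reasons in scan_process_log(SAMPLE_LOG).items():
        print(pid, *reasons, sep="\n  ")
```

Only the third event is reported, with both signals; the QEMU start from Program Files and the Notepad start produce no findings.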
Comparing with Similar Tactics
This isn’t the first case of QEMU being used for covert channels. In March 2024, Kaspersky documented a campaign utilizing a Kali Linux VM running on minimal resources to establish a tunnel. However, CRON#TRAP’s use of a fully functional Linux environment with Chisel significantly enhances the attackers’ capabilities for ongoing, stealthy network infiltration and data theft.
Source: bleepingcomputer.com