CRON#TRAP Phishing Attack: A Linux VM Backdoor Hides Inside Windows Systems

by | Nov 5, 2024 | News


CRON#TRAP Campaign Overview

CRON#TRAP is a recent phishing campaign discovered by Securonix researchers. It targets corporate networks by delivering a Linux virtual machine through phishing emails. The email, disguised as a survey from OneAmerica, carries a 285MB ZIP file containing a Windows shortcut and a custom QEMU virtual machine. When the shortcut is executed, it installs the Linux VM, named PivotBox, which ships with a pre-configured backdoor for remote access.

How CRON#TRAP Operates

  1. Infection via Phishing: A phishing email with a ZIP attachment claims to be a survey but hides a malicious payload.
  2. VM Deployment: Executing the file installs a TinyCore Linux VM on the host through QEMU. Because QEMU is a legitimate, digitally signed application, its presence bypasses some security scrutiny.

Figure: Start.bat batch file installing the QEMU Linux virtual machine (Source: BleepingComputer)

  3. Chisel Backdoor: The VM contains Chisel, a tunneling tool that uses HTTP and SSH to communicate with a remote Command and Control (C2) server.
  4. Persistence and Commands: The backdoor enables persistence via bootlocal.sh, ensuring the VM restarts on reboot. Commands include get-host-shell (to access an interactive shell) and get-host-user (to assess user privileges), with actions ranging from network surveillance to data exfiltration.

Figure: LNK file contents (Source: Securonix)


Key Technical Points

  • Decoy Tactics: While installing, the script displays a server error message as a distraction.
  • Persistence: SSH keys generated during setup allow persistent communication without repeated authentication.
  • Stealth: QEMU’s signed status allows it to run undetected, while malware inside the VM is less visible to host security tools.

Figure: Threat actor's command history (Source: Securonix)

Preventing and Detecting QEMU-Based Attacks

To defend against such attacks, implement the following strategies:

  • Process Monitoring: Monitor and flag unusual executions of qemu.exe from non-administrator folders.
  • Application Whitelisting: Restrict or block QEMU and other virtualization software on critical systems where virtualization is not essential.
  • BIOS and System Security: Disable unnecessary virtualization features in BIOS, and review VM permissions on workstations.
  • Endpoint Detection and Response (EDR): Use EDR tools that can detect unusual network activity, such as unexpected SSH or HTTP connections to suspicious IP addresses.




Comparing with Similar Tactics

This isn’t the first case of QEMU being used for covert channels. In March 2024, Kaspersky documented a campaign utilizing a Kali Linux VM running on minimal resources to establish a tunnel. However, CRON#TRAP’s use of a fully functional Linux environment with Chisel significantly enhances the attackers’ capabilities for ongoing, stealthy network infiltration and data theft.


Source: bleepingcomputer.com
