A recent discovery by researchers at Securonix has revealed a new tactic employed by threat actors to target organizations using emulated Linux environments for staging malware and concealing malicious activities. This novel approach allows attackers to maintain a stealthy presence on target systems and harvest data without being detected by traditional antivirus and malware detection systems.
Securonix identified an attacker using this technique, dubbed CRON#TRAP, to execute a variety of malicious activities using a custom emulated QEMU Linux environment. QEMU, an open-source virtualization tool, was utilized to emulate a Linux installation of Tiny Core Linux, a lightweight distribution suitable for resource-constrained environments. This marks the first known instance of attackers using QEMU for malicious purposes outside of cryptomining.
The CRON#TRAP campaign was observed to begin with a phishing email containing a link to a suspiciously large zip file with a survey-themed name. Upon extraction, the zip file deployed a QEMU virtual machine on the victim host, containing a preconfigured backdoor that connected the system to a command-and-control server in the US. The attackers used Chisel, a legitimate tool for creating secure data tunnels, to implement the backdoor within the emulated Linux environment.
Analysis of the QEMU image, named PivotBox by the attackers, revealed a detailed history of commands executed by the threat actor within the emulated environment. These commands included network testing, reconnaissance, user enumeration, tool installation, payload execution, data exfiltration, privilege escalation, and persistence. The attacker's goal was to establish a stable and covert point of access within the target's network, with a clear emphasis on maintaining persistent remote access.
Securonix researchers noted that the commands executed by the threat actor indicated a clear intention to establish persistence and maintain covert access within the target’s network. The use of SSH key generation and uploads to file-sharing services demonstrated the attacker’s efforts to ensure ongoing remote access even after system reboots.
The use of emulated Linux environments for malicious activities underscores the constant evolution of tactics employed by threat actors to bypass security mechanisms. To protect against campaigns like CRON#TRAP, organizations are advised to educate users on recognizing phishing emails and suspicious attachments. Additionally, implementing measures such as application whitelisting and endpoint monitoring can help detect and mitigate such attacks.
Monitoring for unconventional execution of tools like QEMU and unexpected network indicators, such as persistent SSH connections, can also aid in detecting malicious campaigns. By staying vigilant and proactive in security measures, organizations can prevent and mitigate the impact of advanced cyber threats like CRON#TRAP.
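The two monitoring ideas above, unconventional QEMU launches and long-lived SSH flows, can be expressed as simple detection logic over endpoint telemetry. The following is an added example written for this page, not code from Securonix or the report; the trusted install directory, the staging-directory and parent-process heuristics, and the sample events are all assumptions.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Hypothetical allow-list: where a sanctioned QEMU deployment is installed in this environment.
TRUSTED_DIRS = ("c:\\program files\\qemu\\",)
# Directories a user-delivered archive typically gets extracted into (heuristic, not from the report).
STAGING_DIRS = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")
# Parents suggesting the binary was started by a script or archive tool rather than an administrator.
SCRIPT_PARENTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "7zfm.exe", "winrar.exe"}

@dataclass
class ProcessEvent:
    image: str          # full path of the started executable
    cmdline: str        # its command line
    parent_image: str   # full path of the parent process

def classify_qemu_launch(ev: ProcessEvent) -> list:
    """Return the reasons a QEMU start looks unconventional; an empty list means nothing flagged."""
    image = ev.image.lower()
    if not PureWindowsPath(image).name.startswith("qemu-system"):
        return []                                   # only QEMU system emulators are of interest
    reasons = []
    if not image.startswith(TRUSTED_DIRS):
        reasons.append("qemu binary outside the sanctioned install directory")
    if any(d in image for d in STAGING_DIRS):
        reasons.append("qemu binary running from a user staging directory")
    cmd = ev.cmdline.lower()
    if "-nographic" in cmd or "-display none" in cmd:
        reasons.append("headless guest (no window shown to the user)")
    if PureWindowsPath(ev.parent_image).name.lower() in SCRIPT_PARENTS:
        reasons.append("launched by a script interpreter or archive tool")
    return reasons

@dataclass
class Connection:
    process: str        # image name of the process owning the socket
    remote_port: int
    duration_s: int     # how long the flow has been open

def long_lived_ssh(conns, min_seconds=3600):
    """Flag outbound SSH flows held open for at least min_seconds, as a reverse tunnel would be."""
    return [c for c in conns if c.remote_port == 22 and c.duration_s >= min_seconds]

# Constructed sample telemetry (not taken from the Securonix report).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\qemu\qemu-system-x86_64.exe",
                 "qemu-system-x86_64.exe -m 2048 -hda dev.qcow2", r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Users\alice\AppData\Local\Temp\survey\qemu-system-x86_64.exe",
                 "qemu-system-x86_64.exe -m 256 -nographic -drive file=guest.qcow2",
                 r"C:\Windows\System32\cmd.exe"),
]
```

Feed `classify_qemu_launch` with process-creation events and `long_lived_ssh` with connection records from your EDR; a QEMU start with several reasons, combined with a long-lived SSH flow owned by that process, is the pattern worth escalating.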