HomeCyber BalkansCRON#TRAP Campaign Targets Windows Machine using Weaponized Linux Virtual Machine

CRON#TRAP Campaign Targets Windows Machine using Weaponized Linux Virtual Machine

Published on

spot_img

A recent cybersecurity campaign has caught the attention of Securonix researchers, who discovered a sophisticated attack involving weaponized Linux virtual machines targeting Windows systems. The campaign, dubbed CRON#TRAP, utilizes Linux environments to infiltrate Windows machines and execute malicious activities.

The attack begins with a phishing email containing a deceptive shortcut file disguised as “OneAmerica Survey.” Once executed, this file deploys a hidden 285MB package that installs QEMU (Quick Emulator), a virtualization tool, under the guise of “fontdiag.exe” to avoid detection.

The malicious actors behind the campaign create a concealed Linux environment called “PivotBox,” running Tiny Core Linux, with a predetermined backdoor that establishes a connection to a Command and Control (C2) server. Within this environment, custom commands such as “get-host-shell” and “get-host-user” enable interaction with the host system using SSH keys for persistent access.

Various tools like vim, openssh, and 7zip are employed to manipulate the system, ensuring persistence through modified scripts and backed-up configurations. The primary targets of the CRON#TRAP campaign are North America and Europe, posing a significant challenge for traditional antivirus solutions due to the hidden virtual environment operated by QEMU.

The attack strategy includes network testing capabilities, payload manipulation, and data exfiltration using free file-sharing services. This multi-stage approach highlights a meticulously planned operation designed for long-term stealth and system compromise.

The analysis of “crondx” (Chisel) reveals a critical backdoor mechanism embedded within the campaign, utilizing a 64-bit ELF executable to establish covert communication channels with a C2 server through websocket protocols. The customized implementation of the Golang-compiled binary enables remote access over encrypted channels, allowing threat actors to execute commands and exfiltrate data undetected.

By launching an emulated Linux environment via QEMU triggered by a phishing email, the attackers successfully evade traditional AV detection on Windows machines. The use of Chisel for legitimate tunneling over HTTP with SSH security enhances the malware’s stealth capabilities, allowing for persistent remote access.

Persistence mechanisms like modified startup scripts and SSH key implementations facilitate continued compromise of the system. The presence of custom command aliases within the isolated QEMU environment further allows for direct interaction with the host machine.

The investigation into the “.ash_history” file reveals a modular approach to system infiltration, documenting the threat actor’s activities, including tool installation, system reconnaissance, and payload deployment. By leveraging legitimate software tools to maintain access and evade security controls, the attackers demonstrate a sophisticated and well-planned operation.

To mitigate the risks associated with such attacks, cybersecurity experts recommend avoiding unsolicited file downloads, treating external links with caution, monitoring for suspicious activity in common malware staging directories, watching for legitimate software running from unusual locations, and enabling robust endpoint logging for improved detection.

Overall, the CRON#TRAP campaign underscores the need for heightened vigilance and proactive cybersecurity measures to defend against increasingly sophisticated cyber threats.

Source link

Latest articles

US-UK Armed Forces Dating Service Exposes More Than 1 Million Records Online

A recent cybersecurity breach has left over 1.1 million records from Forces Penpals, a...

Endace Opens Middle East Regional Headquarters in Saudi Arabia

Endace, the global leader in packet capture technology, has recently announced the establishment of...

AI red teaming: An introduction

AI red teaming, also known as automated red teaming, is a technique used by...

Linux Malware WolfsBane and FireWood Tied to Gelsemium APT

Recent discoveries in the cybersecurity realm have uncovered two new malware strains, WolfsBane and...

More like this

US-UK Armed Forces Dating Service Exposes More Than 1 Million Records Online

A recent cybersecurity breach has left over 1.1 million records from Forces Penpals, a...

Endace Opens Middle East Regional Headquarters in Saudi Arabia

Endace, the global leader in packet capture technology, has recently announced the establishment of...

AI red teaming: An introduction

AI red teaming, also known as automated red teaming, is a technique used by...