CyberSecurity SEE

CRON#TRAP Campaign Targets Windows Machine using Weaponized Linux Virtual Machine

A recent cybersecurity campaign has caught the attention of Securonix researchers, who discovered a sophisticated attack involving weaponized Linux virtual machines targeting Windows systems. The campaign, dubbed CRON#TRAP, utilizes Linux environments to infiltrate Windows machines and execute malicious activities.

The attack begins with a phishing email containing a deceptive shortcut file disguised as “OneAmerica Survey.” Once executed, this file deploys a hidden 285MB package that installs QEMU (Quick Emulator), a legitimate virtualization tool, renamed to “fontdiag.exe” to avoid detection.

The malicious actors behind the campaign create a concealed Linux environment called “PivotBox,” running Tiny Core Linux, with a preconfigured backdoor that establishes a connection to a Command and Control (C2) server. Within this environment, custom commands such as “get-host-shell” and “get-host-user” enable interaction with the host system, using SSH keys for persistent access.

Various tools such as vim, openssh, and 7zip are employed to manipulate the system, ensuring persistence through modified scripts and backed-up configurations. The primary targets of the CRON#TRAP campaign are North America and Europe, and the campaign poses a significant challenge to traditional antivirus solutions because the malicious activity runs inside the hidden virtual environment operated by QEMU rather than directly on the Windows host.

The attack strategy includes network testing capabilities, payload manipulation, and data exfiltration using free file-sharing services. This multi-stage approach highlights a meticulously planned operation designed for long-term stealth and system compromise.

Analysis of “crondx”, a 64-bit ELF build of the Chisel tunneling tool, reveals the critical backdoor mechanism embedded within the campaign: the Golang-compiled binary opens a covert WebSocket channel to the C2 server, and its customized build gives the threat actors encrypted remote access through which they execute commands and exfiltrate data undetected.

By launching an emulated Linux environment through QEMU, triggered by the phishing email, the attackers evade traditional AV detection on Windows machines. Chisel, a legitimate tunneling tool that carries an SSH-secured channel over HTTP, further enhances the malware’s stealth and provides persistent remote access.

Persistence mechanisms such as modified startup scripts and installed SSH keys facilitate continued compromise of the system. Custom command aliases within the isolated QEMU environment further allow direct interaction with the host machine.

The investigation into the “.ash_history” file reveals a modular approach to system infiltration, documenting the threat actor’s activities, including tool installation, system reconnaissance, and payload deployment. By leveraging legitimate software tools to maintain access and evade security controls, the attackers demonstrate a sophisticated and well-planned operation.

To mitigate the risks associated with such attacks, cybersecurity experts recommend avoiding unsolicited file downloads, treating external links with caution, monitoring for suspicious activity in common malware staging directories, watching for legitimate software running from unusual locations, and enabling robust endpoint logging for improved detection.
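The detection advice above can be turned into a concrete heuristic. The following is an added example, not code from the article or from Securonix's report: it scans constructed Sysmon-style process-creation events for the CRON#TRAP pattern of a QEMU binary running under a non-QEMU name from a user-writable staging directory. All event values, paths and the "editor.exe" control are hypothetical.

```python
# Added example (not from the article or Securonix's report): a heuristic
# detector for the CRON#TRAP pattern of a renamed QEMU binary ("fontdiag.exe")
# launched from a user-writable staging directory. Event records are constructed.
import re
from pathlib import PureWindowsPath

# Real QEMU option switches that seldom appear together in other command lines.
QEMU_SWITCHES = {"-hda", "-drive", "-netdev", "-accel", "-display", "-m", "-nographic"}
# User-writable staging directories (the article's "common malware staging directories").
STAGING_DIRS = re.compile(r"\\(AppData|Temp|ProgramData|Public|Downloads)\\", re.IGNORECASE)
# Scripting hosts through which a shortcut typically launches a payload.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}

def qemu_switch_count(cmdline):
    """Number of QEMU-specific switches present in a command line."""
    return sum(1 for tok in cmdline.split() if tok in QEMU_SWITCHES)

def assess(event):
    """Return findings for one process-creation event; an empty list means nothing flagged."""
    image = event["Image"]
    name = PureWindowsPath(image).name.lower()
    parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
    findings = []
    # Require two matching switches: "-m" alone is common to many unrelated tools.
    if qemu_switch_count(event.get("CommandLine", "")) < 2:
        return findings
    if not name.startswith("qemu"):
        findings.append("QEMU-style command line under a non-QEMU image name: " + name)
    if STAGING_DIRS.search(image):
        findings.append("emulator running from a user-writable staging directory")
    if parent in SCRIPT_HOSTS:
        findings.append("emulator spawned by a scripting host: " + parent)
    return findings

def scan(events):
    return {e["ProcessId"]: assess(e) for e in events}  # ProcessId -> findings

# Constructed Sysmon-like events (hypothetical values, not real telemetry).
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Users\alice\AppData\Local\Temp\OneAmerica\fontdiag.exe",
     "CommandLine": r"fontdiag.exe -m 512 -hda PivotBox.qcow2 -netdev user,id=n0 -display none"},
    {"ProcessId": 4121, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\qemu\qemu-system-x86_64.exe",
     "CommandLine": r"qemu-system-x86_64.exe -m 2048 -hda dev.qcow2 -accel whpx"},
    {"ProcessId": 4122, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Users\alice\AppData\Local\Programs\editor\editor.exe",
     "CommandLine": r"editor.exe -m notes.txt"},
]
for pid, found in scan(SAMPLE_EVENTS).items(): print(pid, found or "benign")
```

Only the renamed, Temp-resident emulator launched from cmd.exe is flagged; the properly installed QEMU and the unrelated editor produce no findings.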

Overall, the CRON#TRAP campaign underscores the need for heightened vigilance and proactive cybersecurity measures to defend against increasingly sophisticated cyber threats.
