A new phishing campaign named CRON#TRAP has been identified, targeting Windows systems by utilizing a Linux virtual machine equipped with a backdoor, allowing attackers to secretly access corporate networks.

This campaign represents a significant evolution in the methods employed in cyberattacks, particularly the exploitation of virtualization technology to conduct malicious activities.

The CRON#TRAP campaign used a more sophisticated phishing method compared to previous attacks, which often required manual intervention to install malware. The criminal group employed phishing emails designed to automatically install the Linux virtual machine on the victim’s computer without oversight.

The spoofed email claimed to be a “survey from OneAmerica” and included a 285MB ZIP file containing malicious scripts to infect the virtual machine. This ZIP file contained a Windows shortcut named “OneAmerica Survey.lnk” and a “data” folder housing the QEMU virtual machine application, with the main executable disguised as fontdiag.exe.

When the user clicked the shortcut, a PowerShell command was executed, extracting the archive and launching the customized QEMU Linux virtual machine. While the virtual machine was being installed, a script displayed a PNG file downloaded from a remote website, showing an error message to mislead the user. This process occurred without any alerts from the system, making it difficult for the victim to realize they had been deceived.

The virtual machine utilized in this campaign is a version of TinyCore Linux, referred to as ‘PivotBox.’ It comes pre-installed with a backdoor that enables the attacker to maintain continuous communication with a command and control (C2) server. This backdoor allows the attacker to operate covertly, evading detection by conventional security tools.

One of the primary tools used in this attack campaign is Chisel, a program that facilitates the creation of VPN tunnels, allowing the attacker to establish a secure connection to the C2 server via WebSockets.

To maintain persistence within the system, the QEMU environment is configured to automatically restart after the host reboots. This is achieved through modifications in the bootlocal.sh file. Concurrently, SSH keys are generated and uploaded to the server to eliminate the need for re-authentication.

The attacker can execute commands such as get-host-shell to create an interactive shell on the server, enabling the execution of commands undetected. The get-host-user command helps ascertain user access rights, facilitating the execution of malicious actions.

To detect and prevent these attacks, system administrators should implement stringent monitoring measures. Specifically, they should monitor processes such as qemu.exe executed from user-accessible directories.

It is also crucial to blacklist QEMU and other virtualization tools. Furthermore, disabling or blocking virtualization on critical devices from the BIOS will help mitigate the risk of such attacks. These measures can protect systems from increasingly sophisticated emerging threats.

Source: Bleeping Computer