CRON#TRAP phishing campaign
Threat update
A new phishing campaign, identified as CRON#TRAP, is targeting Windows systems with a preloaded Linux virtual machine (VM) that lets the attackers conduct malicious activity while evading detection. Continue reading this Cybersecurity Threat Advisory to learn how to protect against this phishing campaign.
Technical Detail and Additional Info
What is the threat?
CRON#TRAP targets Windows users with phishing emails that contain a malicious ZIP file disguised as a survey attachment. The ZIP file contains a Windows shortcut and a data folder with the QEMU virtual machine emulator, camouflaged as "fontdiag.exe." When executed, the shortcut launches a PowerShell script that sets up a QEMU Linux VM, named PivotBox, which includes a backdoor pre-configured for command-and-control (C2) communication. The VM's backdoor uses Chisel, a tunneling tool that establishes communication with a C2 server via WebSockets over HTTP and SSH, enabling the attackers to issue commands and extract data. Because QEMU is a legitimate, signed application, the attack evades security tools: activity inside the VM is hidden from the host's defenses.
Why is it noteworthy?
CRON#TRAP stands out as an innovative phishing attack that deploys a fully functional Linux environment on Windows without detection. By leveraging QEMU, attackers can maintain persistent, covert access to compromised systems, effectively bypassing traditional antivirus and endpoint detection. The attack's use of virtual machines for backdoor access also showcases a shift in attacker techniques towards virtualization as a method to evade security controls. This approach is notable for its adaptability and potential to perform extensive network reconnaissance and data exfiltration from within a VM environment.
What is the exposure or risk?
The CRON#TRAP campaign poses a significant risk to organizations. It enables attackers to gain and maintain long-term, hidden access to networks. As the attack leverages a Linux VM, traditional Windows-based security tools are limited in their ability to detect malicious actions within the virtual environment. With access to commands like get-host-shell and get-host-user, attackers can issue privileged commands, control file management, conduct network reconnaissance, and exfiltrate sensitive data. The use of the Chisel tunneling tool further complicates detection by allowing covert communications that can evade network-level defenses. For organizations without defenses against virtualization abuse, CRON#TRAP presents a high risk of persistent data compromise and unauthorized access.
What are the recommendations?
LBT Technology Group strongly recommends organizations take these additional steps to reduce the risk of exploitation and protect their critical infrastructure from this and similar threats.
- Set up detection rules for unusual processes like "qemu.exe" originating from user-accessible folders, as these may signal unauthorized VM deployments.
- Block QEMU and other virtualization software on critical systems that do not require virtualization.
- Disable virtualization options in system BIOS on critical endpoints to prevent unauthorized VM installation.
- Use advanced email security solutions to block phishing emails containing suspicious attachments, especially large ZIP files.
- Educate employees about recognizing phishing emails and avoiding unsolicited survey attachments.
- Implement network and endpoint monitoring to detect unusual WebSocket, HTTP, or SSH traffic that may indicate C2 communications.
- Enforce policies restricting the use of PowerShell and other scripting languages, particularly for untrusted applications.
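The following Python script is an added example, not code from the advisory or from LBT, showing how the first recommendation can be turned into working detection logic. It scores Sysmon-style process-creation events (the field names Image, OriginalFileName, CommandLine and ParentImage are assumed; the sample events themselves are constructed inline, including one modelled on the renamed "fontdiag.exe" binary and the PivotBox disk image named in this advisory). A process is flagged when its image name or original file name is a QEMU binary, or when its command line carries two or more QEMU guest-boot switches (so a renamed emulator is still caught), and the finding is raised to high severity when the binary runs from a user-writable location. The set of user-writable paths is an assumption to adjust for your own estate.

```python
"""Detect QEMU launched from user-writable locations (added example, not the advisory's code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Locations a standard user can write to. Assumption: tune this list to your environment.
USER_WRITABLE_PATH = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\|programdata\\|temp\\|windows\\temp\\)", re.IGNORECASE
)

# Binary names that ship with QEMU for Windows (qemu.exe, qemu-system-*.exe, qemu-img.exe ...).
QEMU_IMAGE = re.compile(r"^qemu(-system-[\w.]+|-img|-nbd|-ga)?\.exe$", re.IGNORECASE)

# Command-line switches QEMU needs to boot a guest; a renamed binary still has to pass them.
QEMU_SWITCHES = ("-m ", "-drive ", "-hda ", "-cdrom ", "-netdev ",
                 "-nographic", "-display ", "-smp ", "-cpu ", "-boot ")

# Constructed sample events in the shape of Sysmon process-creation records (assumed field names).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # QEMU renamed to fontdiag.exe, launched by the shortcut's PowerShell, as in the advisory
        "Image": r"C:\Users\alice\Downloads\survey\data\fontdiag.exe",
        "OriginalFileName": "",
        "CommandLine": r"fontdiag.exe -m 512 -drive file=PivotBox.qcow2,format=qcow2 -netdev user,id=n0 -nographic",
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    },
    {   # an unrenamed qemu.exe dropped into a user profile (constructed)
        "Image": r"C:\Users\bob\AppData\Local\Temp\qemu.exe",
        "OriginalFileName": "qemu.exe",
        "CommandLine": "qemu.exe -m 1024",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # a sanctioned QEMU installation under Program Files (constructed)
        "Image": r"C:\Program Files\qemu\qemu-system-x86_64.exe",
        "OriginalFileName": "qemu-system-x86_64.exe",
        "CommandLine": r'"C:\Program Files\qemu\qemu-system-x86_64.exe" -m 4096 -hda dev.img -display sdl',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # ordinary process that must not be flagged (constructed)
        "Image": r"C:\Windows\System32\notepad.exe",
        "OriginalFileName": "NOTEPAD.EXE",
        "CommandLine": "notepad.exe notes.txt",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]


@dataclass
class Finding:
    image: str
    severity: str
    reasons: List[str] = field(default_factory=list)


def basename(path: str) -> str:
    """Return the file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1]


def assess_process(event: Dict[str, str]) -> Optional[Finding]:
    """Score one process-creation event; return a Finding or None if nothing looks like QEMU."""
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")
    original = event.get("OriginalFileName", "")
    reasons: List[str] = []

    if QEMU_IMAGE.match(basename(image)):
        reasons.append("image name is a QEMU binary")
    elif QEMU_IMAGE.match(original):
        reasons.append(f"renamed QEMU binary (OriginalFileName={original})")

    # Two or more guest-boot switches on the command line betray a renamed emulator.
    switches = [s.strip() for s in QEMU_SWITCHES if s in cmdline]
    if len(switches) >= 2:
        reasons.append("command line carries QEMU guest options: " + ", ".join(switches))

    if not reasons:
        return None

    # Running from a user-writable folder is the signal the advisory's first recommendation targets.
    if USER_WRITABLE_PATH.match(image):
        reasons.append("executed from a user-writable location")
        return Finding(image, "high", reasons)
    return Finding(image, "medium", reasons)


def scan(events: List[Dict[str, str]]) -> List[Finding]:
    """Evaluate every event and keep only those that produced a finding."""
    return [f for f in (assess_process(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.severity.upper()}] {finding.image}")
        for reason in finding.reasons:
            print(f"    - {reason}")
```

On the constructed sample, the renamed fontdiag.exe and the qemu.exe in a user's Temp folder both score high, the Program Files installation scores medium (worth an allow-list entry for approved hosts rather than an alert), and notepad.exe produces nothing. The same scoring can be fed from a SIEM export of process-creation events instead of the inline list.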
References
For more in-depth information about the recommendations, please visit the following links:
- https://lbttechgroup.com/index.php/blog/windows-infected-with-backdoored-linux-vms-in-new-phishing-attacks
If you have any questions, please contact LBT's Sales Engineer.