In a significant evolution of cyber tactics, threat actors have recently started using emulated Linux environments as a new method to deploy malware and mask their illicit activities. This strategy allows them to stealthily infiltrate target systems while bypassing traditional antivirus and malware detection mechanisms.
Research from Securonix has uncovered this innovative approach being utilized by attackers to maintain a covert presence on compromised systems and gather sensitive information without being detected. While the exact identity of the adversaries remains unknown, Securonix suggests that clues from the campaign’s language and the location of its command-and-control (C2) server—situated in the United States—indicate that organizations primarily in North America may be at risk, as detailed in a recent report.
New Method of Operation
While the specific targets of this campaign have not been conclusively determined, Tim Peck, a senior threat researcher at Securonix, commented, “There is a technical sophistication and degree of customization that suggests this campaign was likely tailored for specific organizations or sectors, with a focus on North America and Europe.”
Named CRON#TRAP by Securonix, this campaign stands out particularly due to the attackers’ use of a customized emulated QEMU Linux environment, facilitating their ability to persist on endpoints and perform various malicious operations. QEMU, an open-source virtualization tool, emulates different hardware platforms, enabling the testing of software across assorted operating systems including Linux, Windows, and macOS.
According to Securonix’s blog, the attackers opted to use a lightweight version of Linux known as Tiny Core Linux for their emulation. This marks a potentially unprecedented malicious use of QEMU, going beyond previously observed abuses such as cryptomining. Tiny Core Linux is especially notable for its minimal resource requirements, which make it ideal for constrained environments.
The CRON#TRAP attack began with a phishing email containing a link to a large zip file with a survey-related title. Inside the zip file was a shortcut file that, when opened, extracted the zip contents and launched the QEMU virtual environment on the victim’s machine.
The analysis revealed that the emulated Linux instance included a preconfigured backdoor that automatically connected the compromised system to a hardcoded C2 server in the United States upon startup. The attackers employed Chisel, a legitimate tool designed for secure data transfers, to facilitate this connection.
Further investigation into the attackers’ QEMU image, which carried the name “PivotBox,” uncovered detailed logs of the commands executed inside the emulated environment, where they ran undetected. These commands included tasks for network assessment, user identification, tool installation, SSH manipulation, payload execution, file management, data exfiltration, and persistence tactics.
Intent and Strategy
Peck remarked on the focus of the threat actor, stating, “The commands executed reveal a clear intention to establish persistence and maintain hidden access. Their actions demonstrate a meticulous approach to ensuring stable and inconspicuous entry points within the target network.” The generation of SSH keys and their subsequent upload to file-sharing services indicate a concerted effort to retain remote access, even post-reboot.
The use of an emulated Linux environment for malicious aims exemplifies the innovative tactics that attackers employ to circumvent security systems. To counter threats like CRON#TRAP effectively, proactive measures are essential. Training users to recognize and refrain from engaging with phishing emails is crucial; for instance, the suspicious size of the 285MB zip file linked to this campaign should raise alarms.
In addition to user education, organizations can adopt strategies like application whitelisting and rigorous endpoint monitoring to enhance their defenses. Peck notes, “The unconventional execution of QEMU provides us with unique detection opportunities. For instance, flagging QEMU operations occurring outside typical directories could be valuable, as could monitoring for unusual persistent SSH connections from unexpected sources.”
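The first of Peck’s detection opportunities, flagging QEMU operations outside typical directories, can be implemented as a simple rule over process-creation events. The following is an added example, not code from Securonix or the article: it assumes process events arrive as JSON lines with `host`, `os`, `user`, `parent_image`, `image` and `cmdline` fields, and it assumes a short list of directories where an administratively installed QEMU would normally live. As a secondary signal it also checks for QEMU’s real `-nographic` and `-display none` options, on the assumption that a guest launched without a visible window is more suspicious than one a developer is interacting with. The sample events are constructed for the example.

```python
"""Flag QEMU launches from unexpected locations (added example, not the report's code)."""
import json
from pathlib import PurePosixPath, PureWindowsPath

# Assumption: directories where a legitimately installed QEMU normally resides.
# Tune these to the organisation's own software inventory.
EXPECTED_QEMU_DIRS = {
    "windows": (r"C:\Program Files\qemu", r"C:\Program Files (x86)\qemu"),
    "linux": ("/usr/bin", "/usr/local/bin", "/usr/libexec"),
}


def _split_path(image, os_family):
    """Return (parent directory, file name); Windows paths are case-folded."""
    if os_family == "windows":
        p = PureWindowsPath(image)
        return str(p.parent).lower(), p.name.lower()
    p = PurePosixPath(image)
    return str(p.parent), p.name


def is_qemu_binary(image, os_family):
    """True for qemu-system-*, qemu-img and the other qemu-* executables."""
    _, name = _split_path(image, os_family)
    return name.startswith("qemu-")


def in_expected_dir(image, os_family):
    """True when the binary sits in one of the expected install directories."""
    parent, _ = _split_path(image, os_family)
    expected = EXPECTED_QEMU_DIRS[os_family]
    if os_family == "windows":
        return parent in {d.lower() for d in expected}
    return parent in expected


def is_headless(cmdline):
    """True when the guest is started with no visible window (real QEMU options)."""
    toks = cmdline.split()
    if "-nographic" in toks:
        return True
    return any(t == "-display" and toks[i + 1] == "none"
               for i, t in enumerate(toks[:-1]))


def classify_event(event):
    """Return an alert dict for a suspicious QEMU launch, else None."""
    os_family, image = event["os"], event["image"]
    if not is_qemu_binary(image, os_family) or in_expected_dir(image, os_family):
        return None
    reasons = ["qemu binary executed outside expected install directory"]
    severity = "medium"
    if is_headless(event.get("cmdline", "")):
        reasons.append("guest started without a display")
        severity = "high"
    return {
        "host": event["host"], "user": event["user"], "image": image,
        "parent": event.get("parent_image"), "severity": severity, "reasons": reasons,
    }


def scan_events(lines):
    """Run the rule over an iterable of JSON-line process events."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        alert = classify_event(json.loads(line))
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample events: two benign launches from install directories, one
# benign non-QEMU process, and two launches from user-writable locations.
SAMPLE_EVENTS = r"""
{"host":"ws01","os":"windows","user":"alice","parent_image":"C:\\Windows\\explorer.exe","image":"C:\\Program Files\\qemu\\qemu-system-x86_64.exe","cmdline":"qemu-system-x86_64.exe -m 2048 -hda dev.qcow2"}
{"host":"ws02","os":"windows","user":"bob","parent_image":"C:\\Windows\\System32\\cmd.exe","image":"C:\\Users\\bob\\AppData\\Local\\Temp\\survey\\qemu-system-x86_64.exe","cmdline":"qemu-system-x86_64.exe -m 256 -hda pivot.qcow2 -display none"}
{"host":"srv01","os":"linux","user":"root","parent_image":"/usr/bin/bash","image":"/usr/bin/qemu-system-x86_64","cmdline":"qemu-system-x86_64 -m 1024 -nographic -hda test.img"}
{"host":"ws03","os":"linux","user":"carol","parent_image":"/usr/bin/bash","image":"/home/carol/Downloads/qemu-system-x86_64","cmdline":"qemu-system-x86_64 -m 256 -hda pivot.qcow2"}
{"host":"ws04","os":"windows","user":"dave","parent_image":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\notepad.exe","cmdline":"notepad.exe"}
"""

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS.splitlines()):
        print(json.dumps(alert))
```

Run against the constructed events, only ws02 (high: user temp directory plus `-display none`) and ws03 (medium: home directory) are flagged; the headless launch on srv01 is ignored because the binary lives in `/usr/bin`. The directory allow-list is the part that needs local tuning, and a parent process such as `cmd.exe` spawned from a shortcut is worth recording in the alert for the analyst who triages it.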
Source
www.darkreading.com