patheur

Dangerous new phishing campaign infects Windows devices with malicious Linux virtual machine

Sakege November 5, 2024

Phishing attack causes large file download
Linux virtual machine comes preloaded with malware, giving criminals all kinds of advantages
Securonix recommends caution when delivering incoming emails

A new and creative phishing technique has been detected that seeks to trick victims into downloading and installing a Linux virtual machine on their Windows terminals. The virtual machine comes preloaded with a Back doorgiving criminals unlimited access to compromised devices.

A report by cybersecurity researchers Securonix dubbed the campaign ‘CRON#TRAP’. It starts with a fake “OneAmerica” survey that distributes the VM installation file (285 MB) and a fake error pop-up image.

If victims fall for the trick and activate the installer, it will run in the background and display a fake error message in the front. That way, victims will think that the survey was not available at that time. However, in the background, a completely legitimate version of a Linux virtual machine, called TinyCore, will be installed via QEMU, a legitimate open source virtualization tool that allows emulation of various hardware and processor architectures.

Cheating the AV

Since QEMU is legitimate, no antivirus program flags it as malicious. Additionally, they will not mark anything that happens on the virtual machine, since it is walled off and functions as a sandbox. “This emulated Linux environment allows the attacker to operate outside the visibility of traditional antivirus solutions,” the researchers explained.

However, since the VM comes with a backdoor, criminals can use it for several things, including network testing and initial reconnaissance, installing and preparing tools, manipulating and executing payloads, configuration persistence, and privilege escalation. , manipulation of SSH keys for remote access. file and environment management, system and user enumeration, and possible command control or exfiltration channels.

The backdoor was said to contain a tool called Chisel, which is a network tunneling program, pre-configured to set up a secure communications channel with the C2 server.

Since the campaign starts with a simple phishing email, Securonix recommends being careful when handling incoming emails.

Through beepcomputer

Ourladyoftheassumptionparish

Ourladyoftheassumptionparish

Dangerous new phishing campaign infects Windows devices with malicious Linux virtual machine

Sakege

“Bad timing” for a completely new Council of Ministers

The dummies in the Silent Hill 2 remake terrified me despite their skillful combat

Erik ten Hag ‘lacked natural authority to be Manchester United manager’ – Henry Winter

Charlotte City Council approves $4.2 million transportation grant for technology improvements

Dangerous new phishing campaign infects Windows devices with malicious Linux virtual machine

Sakege

You Might Also Like

“Bad timing” for a completely new Council of Ministers

The dummies in the Silent Hill 2 remake terrified me despite their skillful combat

Erik ten Hag ‘lacked natural authority to be Manchester United manager’ – Henry Winter

Charlotte City Council approves $4.2 million transportation grant for technology improvements