- A phishing attack leads to the download of a large file
- The Linux VM comes pre-loaded with malware, giving scammers all kinds of advantages
- Securonix advises you to exercise caution when forwarding incoming emails
A creative new phishing technique has been discovered that tricks victims into downloading and installing a Linux virtual machine on their Windows endpoints. The virtual machine comes preloaded with a backdoor, giving the crooks unabated access to the compromised devices.
Cybersecurity researchers at Securonix, who reported the campaign, call it “CRON#TRAP.” It starts with a fake ‘OneAmerica’ survey that distributes the VM installation file (285 MB) together with a fake error pop-up image.
If victims fall for the trick and activate the installer, it will run in the background while the fake error message is displayed in the foreground. This way, the victims will think that the survey was not available at that time. However, in the background, a fully legitimate version of a Linux VM, called TinyCore, will be installed via QEMU, a legitimate, open-source virtualization tool that allows emulating various hardware and processor architectures.
Cheating the AV
Since QEMU is legitimate, no antivirus program marks it as malicious. Furthermore, antivirus tools won’t flag anything happening inside the virtual machine, as it is isolated from the host and effectively acts as a sandbox. “This emulated Linux environment allows the attacker to operate outside the visibility of traditional antivirus solutions,” the researchers explain.
Because the VM comes with a backdoor, crooks can use it for a number of things, including network testing and initial reconnaissance, tool installation and preparation, payload manipulation and execution, configuration persistence and privilege escalation, SSH key manipulation for remote access, file and environment management, system and user enumeration, and potential exfiltration or command-and-control channels.
The backdoor contains a tool called Chisel, a network tunneling program pre-configured to establish a secure communication channel with the attackers’ command-and-control (C2) server.
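As an added defender-side example (not code from the Securonix report or from BleepingComputer), the following Python hunting rule scans Windows process-creation events for the host-side footprint of this technique: a legitimate QEMU binary launched from outside its expected install directory, started headless, with a VM image sitting in a user-writable path. Field names follow Sysmon event ID 1; the expected install directory, the `-nographic`/`-display none` heuristic and the sample events are assumptions or constructed for the demo.

```python
import json

# Assumption: where an admin-installed QEMU is expected; adapt per environment.
EXPECTED_QEMU_DIRS = ("c:\\program files\\qemu\\",)
# Real QEMU options that suppress the GUI; a VM nobody is meant to see is odd
# on a user workstation (heuristic, not proof of compromise).
HEADLESS_FLAGS = ("-nographic", "-display none")


def classify(event: dict) -> list[str]:
    """Return finding labels for one process-creation event (empty if benign)."""
    image = event.get("Image", "").lower()
    name = image.rsplit("\\", 1)[-1]
    cmdline = event.get("CommandLine", "").lower()
    findings = []
    if name.startswith("qemu-system-"):
        if not image.startswith(EXPECTED_QEMU_DIRS):
            findings.append("qemu-outside-install-dir")
        if any(flag in cmdline for flag in HEADLESS_FLAGS):
            findings.append("qemu-headless")
        if "\\users\\" in cmdline:  # VM image or config under a user profile
            findings.append("qemu-vm-image-under-users")
    return findings


def hunt(log_lines):
    """Parse JSON event lines; return (ProcessId, label) pairs worth review."""
    hits = []
    for line in log_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the hunt
        for label in classify(event):
            hits.append((event.get("ProcessId"), label))
    return hits


# Constructed sample events: one benign admin-installed QEMU run, one headless
# VM started from a download folder, and one malformed line.
SAMPLE_LOG = [
    r'{"ProcessId": 101, "Image": "C:\\Program Files\\qemu\\qemu-system-x86_64.exe", '
    r'"CommandLine": "qemu-system-x86_64.exe -m 2048 -hda D:\\vms\\dev.qcow2"}',
    r'{"ProcessId": 202, "Image": "C:\\Users\\alice\\Downloads\\OneAmerica Survey\\qemu-system-x86_64.exe", '
    r'"CommandLine": "qemu-system-x86_64.exe -m 256 -hda C:\\Users\\alice\\Downloads\\OneAmerica Survey\\tinycore.qcow2 -display none"}',
    "not json at all",
]

if __name__ == "__main__":
    for pid, label in hunt(SAMPLE_LOG):
        print(f"pid {pid}: {label}")
```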
Because the campaign starts with a simple phishing email, Securonix advises caution when handling incoming emails.
Via BleepingComputer