A new phishing campaign dubbed 'CRON#TRAP' infects Windows with a Linux virtual machine that contains a built-in backdoor to give stealthy access to c

Windows infected with backdoored Linux VMs in new phishing attacks

submited by
Style Pass
2024-11-05 05:30:04

A new phishing campaign dubbed 'CRON#TRAP' infects Windows with a Linux virtual machine that contains a built-in backdoor to give stealthy access to corporate networks.

Using virtual machines to conduct attacks is nothing new, with ransomware gangs and cryptominers using them to stealthily perform malicious activity. However, threat actors commonly install these manually after they breach a network.

A new campaign spotted by Securonix researchers is instead using phishing emails to perform unattended installs of Linux virtual machines to breach and gain persistence on corporate networks.

The phishing emails pretend to be a "OneAmerica survey" that includes a large 285MB ZIP archive to install a Linux VM with a pre-installed backdoor.

This ZIP file contains a Windows shortcut named "OneAmerica Survey.lnk" and a "data" folder that contains the QEMU virtual machine application, with the main executable disguised as fontdiag.exe.

When the shortcut is launched, it executes a PowerShell command to extract the downloaded archive to the "%UserProfile%\datax" folder and then launch the "start.bat" to set up and launch a custom QEMU Linux virtual machine on the device.

Leave a Comment