Attacker Hides Malicious Activity in Emulated Linux Environment

Published: 23/11/2024   Category: security
The CRON#TRAP campaign involves a novel technique for executing malicious commands on a compromised system.



Among the many constantly evolving tactics that threat actors are using to target organizations is a new one involving emulated Linux environments to stage malware and conceal malicious activity.
Researchers at Securonix spotted an attacker using the novel approach to maintain a stealthy presence on target systems and harvest data from them undetected by conventional antivirus and malware detection systems.
So far, the security vendor has not been able to identify the adversary or determine whom they might be targeting. But the available evidence, including the campaign's verbiage and the fact that the command-and-control (C2) server is based in the US, suggests that organizations in North America are the primary focus, Securonix theorized in a report this week.
"While not all evidence points one way or the other, the technical sophistication and customization observed make it more likely that [the campaign] was crafted with specific targets or sectors in mind within North America and Europe," says Tim Peck, senior threat researcher at Securonix.
CRON#TRAP, as Securonix is tracking the campaign, is notable for the attackers' use of a custom emulated QEMU Linux environment to persist on endpoints and execute a variety of malicious activity on them.
QEMU (Quick EMUlator) is an open source, cross-platform emulation and virtualization tool that can emulate systems based on x86, PowerPC, ARM, and other processor architectures. One of its primary use cases is emulating hardware platforms for software testing across Linux, Windows, macOS, and other operating system environments.
In the case of the CRON#TRAP campaign, the attackers opted to emulate an installation of Tiny Core Linux, Securonix said in its blog. "As far as we can determine, this is the first time that this tool has been used by attackers for malicious purposes outside of cryptomining."
Tiny Core Linux is a modular, lightweight Linux distribution with a footprint small enough for use in resource-constrained environments.
The attacks that Securonix observed as part of the CRON#TRAP campaign began with a phishing email containing a link to an unusually large zip file with a survey-themed name.
The zip file contained a similarly themed shortcut file, which, when clicked, again extracted the contents of the zip file and initiated a sequence of steps that ended with a QEMU virtual machine being deployed on the victim machine. Securonix found that the emulated Linux instance contained a preconfigured backdoor that, during startup, automatically connected the victim system to a hardcoded C2 server in the US. The attackers implemented the backdoor using Chisel, a legitimate open source tool that creates encrypted tunnels (secured with SSH) carrying TCP and UDP traffic over HTTP, typically via WebSockets.
The security vendor's analysis of the QEMU image showed the attackers had named it PivotBox. It contained a detailed history of the commands the threat actor had executed undetected within the emulated Linux environment. Among them were commands for network testing and initial reconnaissance, user enumeration, tool installation and preparation, SSH key manipulation, payload manipulation and execution, file and environment management, data exfiltration, privilege escalation, and persistence.
"The commands executed by the threat actor reveal a clear intention to establish persistence, maintain covert access," Peck says. "They were highly focused on establishing a stable, reliable, and stealthy point of access within the target's network. The use of SSH key generation and subsequent uploads of the public key to a file-sharing service highlights an effort to ensure persistent remote access even after reboots," he notes.
The use of an emulated Linux environment for malicious activity is the latest example of how attackers constantly find new ways and new techniques to bypass security mechanisms. As with any malicious campaign, the best protection against attacks like CRON#TRAP is to nip them in the bud, which in this case means training users not to act on phishing emails, Peck says. For instance, the zip file associated with the campaign weighs in at a massive 285MB, which alone should be cause for suspicion.
Beyond that, measures such as application whitelisting and endpoint monitoring can also help organizations detect such campaigns. "As QEMU was executed through unconventional methods, this does present us with interesting detection opportunities," Peck says. "One example is detecting the execution of QEMU outside the default Program Files directory. Monitoring for network-based indicators such as persistent SSH connections from unexpected endpoints could also aid in detecting this campaign."
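The two host-side checks Peck describes, written out as an added example that is not part of the Securonix report or this article: one rule flags QEMU binaries launched from anywhere other than the default Program Files install directory, and a second groups outbound port-22 connections per host, client image and server, reporting peers that are unexpected, unknown, or recurring. The event records, the allowlists, the image-name pattern, the threshold, and the hostnames and addresses are all constructed assumptions for illustration; map the field names onto whatever your EDR or Sysmon pipeline actually emits.

```python
# Added example: host-side detection logic for the two CRON#TRAP indicators
# discussed above. Not code from Securonix or Dark Reading; all log records,
# allowlists, thresholds and the QEMU image-name pattern are constructed assumptions.
import ntpath
import re
from collections import defaultdict

# Assumed: the launcher and helper binaries a QEMU install ships on Windows.
QEMU_IMAGE_RE = re.compile(r"^qemu(-system-[a-z0-9_]+|-img|-nbd|-ga)?\.exe$", re.IGNORECASE)

# Assumed default install locations; anything else counts as "outside Program Files".
DEFAULT_QEMU_DIRS = (r"c:\program files\qemu", r"c:\program files (x86)\qemu")

# Assumed allowlists for the SSH rule: clients expected to open port-22 sessions
# and the servers those clients are expected to reach.
APPROVED_SSH_CLIENTS = {"ssh.exe", "putty.exe", "plink.exe", "winscp.exe"}
KNOWN_SSH_SERVERS = {"10.0.5.20"}           # constructed: an internal bastion host
SSH_PORT = 22
PERSISTENCE_THRESHOLD = 3                    # repeats to one peer before calling it persistent


def _norm(path: str) -> str:
    """Lower-case and use backslashes so comparisons ignore case and separator style."""
    return path.replace("/", "\\").lower()


def qemu_outside_program_files(image_path: str) -> bool:
    """True when the image is a QEMU binary running outside the default install dirs."""
    norm = _norm(image_path)
    if not QEMU_IMAGE_RE.match(ntpath.basename(norm)):
        return False
    parent = ntpath.dirname(norm)
    return not any(parent == d or parent.startswith(d + "\\") for d in DEFAULT_QEMU_DIRS)


def check_process_events(events):
    """Process-creation records (Sysmon EID 1 / Windows 4688 style) that trip the QEMU path rule."""
    return [ev for ev in events if qemu_outside_program_files(ev["Image"])]


def check_ssh_connections(events):
    """Group outbound port-22 connections per (host, client image, server) and
    report peers that are unexpected, unknown, or recurring."""
    per_peer = defaultdict(list)
    for ev in events:
        if ev["DestinationPort"] == SSH_PORT:
            key = (ev["Host"], ntpath.basename(_norm(ev["Image"])), ev["DestinationIp"])
            per_peer[key].append(ev)
    findings = []
    for (host, image, dst), evs in per_peer.items():
        reasons = []
        if image not in APPROVED_SSH_CLIENTS:
            reasons.append(f"unexpected client image {image}")
        if dst not in KNOWN_SSH_SERVERS:
            reasons.append(f"unknown SSH server {dst}")
        if len(evs) >= PERSISTENCE_THRESHOLD:
            reasons.append(f"{len(evs)} connections to the same peer (persistent)")
        if reasons:
            findings.append({"Host": host, "Image": image, "DestinationIp": dst, "Reasons": reasons})
    return findings


# Constructed sample telemetry: one legitimate QEMU developer workstation (WS-042)
# and one host (WS-017) where QEMU runs from a user temp directory and keeps
# reconnecting over port 22 to an address in the TEST-NET range.
PROCESS_EVENTS = [
    {"Host": "WS-042", "User": "CORP\\dev1", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\qemu\qemu-system-x86_64.exe"},
    {"Host": "WS-017", "User": "CORP\\jdoe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Users\jdoe\AppData\Local\Temp\survey\qemu-system-x86_64.exe"},
    {"Host": "WS-017", "User": "CORP\\jdoe", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
]

NETWORK_EVENTS = [
    {"Host": "WS-042", "Image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "DestinationIp": "10.0.5.20", "DestinationPort": 22},
    {"Host": "WS-017", "Image": r"C:\Users\jdoe\AppData\Local\Temp\survey\qemu-system-x86_64.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
] + [
    {"Host": "WS-017", "Image": r"C:\Users\jdoe\AppData\Local\Temp\survey\qemu-system-x86_64.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 22}
    for _ in range(3)
]

if __name__ == "__main__":
    for ev in check_process_events(PROCESS_EVENTS):
        print(f"[QEMU outside Program Files] {ev['Host']} {ev['User']} {ev['Image']}")
    for f in check_ssh_connections(NETWORK_EVENTS):
        print(f"[SSH] {f['Host']} {f['Image']} -> {f['DestinationIp']}: " + "; ".join(f["Reasons"]))
```

Paths are handled with ntpath rather than os.path so the rules evaluate Windows endpoint telemetry correctly even when the detection runs on a Linux SIEM host. Note the caveat the article itself implies: the Chisel backdoor rides over HTTP WebSockets, so the port-22 rule catches the SSH activity Peck describes, not the tunnel's own transport; the path rule and a size check on inbound archives (the 285MB zip) are the earlier signals.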