New CRON#TRAP Malware Infects Windows by Hiding in Linux VM to Evade Antivirus

Avatar
Cybersecurity researchers have flagged a new malware campaign that infects Windows systems with a Linux virtual instance containing a backdoor capable of establishing remote access to the compromised hosts. The “intriguing” campaign, codenamed CRON#TRAP, starts with a malicious Windows shortcut (LNK) file likely distributed in the form of a ZIP archive via a phishing email. “What makes the CRON#

Cybersecurity researchers have flagged a new malware campaign that infects Windows systems with a Linux virtual instance containing a backdoor capable of establishing remote access to the compromised hosts.

The “intriguing” campaign, codenamed CRON#TRAP, starts with a malicious Windows shortcut (LNK) file likely distributed in the form of a ZIP archive via a phishing email.

“What makes the CRON#TRAP campaign particularly concerning is that the emulated Linux instance comes pre-configured with a backdoor that automatically connects to an attacker-controlled command-and-control (C2) server,” Securonix researchers Den Iuzvyk and Tim Peck said in an analysis.

“This setup allows the attacker to maintain a stealthy presence on the victim’s machine, staging further malicious activity within a concealed environment, making detection challenging for traditional antivirus solutions.”

The phishing messages purport to be an “OneAmerica survey” that comes with a large 285MB ZIP archive that, when opened, triggers the infection process.

As part of the as-yet-unattributed attack campaign, the LNK file serves as a conduit to extract and initiate a lightweight, custom Linux environment emulated through Quick Emulator (QEMU), a legitimate, open-source virtualization tool. The virtual machine runs on Tiny Core Linux.

The shortcut subsequently launches PowerShell commands responsible for re-extracting the ZIP file and executing a hidden “start.bat” script, which, in turn, displays a fake error message to the victim to give them the impression that the survey link is no longer working.

But in the background, it sets up the QEMU virtual Linux environment referred to as PivotBox, which comes preloaded with the Chisel tunneling utility, granting remote access to the host immediately following the startup of the QEMU instance.

“The binary appears to be a pre-configured Chisel client designed to connect to a remote Command and Control (C2) server at 18.208.230[.]174 via websockets,” the researchers said. “The attackers’ approach effectively transforms this Chisel client into a full backdoor, enabling remote command and control traffic to flow in and out of the Linux environment.”

The development is one of the many constantly evolving tactics that threat actors are using to target organizations and conceal malicious activity — case in point is a spear-phishing campaign that has been observed targeting electronic manufacturing, engineering, and industrial companies in European countries to deliver the evasive GuLoader malware.

“The emails typically include order inquiries and contain an archive file attachment,” Cado Security researcher Tara Gould said. “The emails are sent from various email addresses including from fake companies and compromised accounts. The emails typically hijack an existing email thread or request information about an order.”

The activity, which has mainly targeted countries like Romania, Poland, Germany, and Kazakhstan, starts with a batch file present within the archive file. The batch file embeds an obfuscated PowerShell script that subsequently downloads another PowerShell script from a remote server.

The secondary PowerShell script includes functionality to allocate memory and ultimately execute the GuLoader shellcode to ultimately fetch the next-stage payload.

“Guloader malware continues to adapt its techniques to evade detection to deliver RATs,” Gould said. “Threat actors are continually targeting specific industries in certain countries. Its resilience highlights the need for proactive security measures.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

 The Hacker News 

Total
0
Shares
Previous Post

CISA Alerts to Active Exploitation of Critical Palo Alto Networks Vulnerability

Next Post

Texas-based oilfield supplier faces disruptions following ransomware attack

Related Posts

CISA Mandates Cloud Security for Federal Agencies by 2025 Under Binding Directive 25-01

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued Binding Operational Directive (BOD) 25-01, ordering federal civilian agencies to secure their cloud environments and abide by Secure Cloud Business Applications (SCuBA) secure configuration baselines. "Recent cybersecurity incidents highlight the significant risks posed by misconfigurations and weak security controls,
Avatar
Read More

Black Basta Ransomware Evolves with Email Bombing, QR Codes, and Social Engineering

The threat actors linked to the Black Basta ransomware have been observed switching up their social engineering tactics, distributing a different set of payloads such as Zbot and DarkGate since early October 2024. "Users within the target environment will be email bombed by the threat actor, which is often achieved by signing up the user's email to numerous mailing lists simultaneously," Rapid7
Avatar
Read More