CRON#TRAP: Emulated Linux environment as backdoor after phishing attack
IT security researchers have discovered an unusual type of attack: the perpetrators have set up an emulated Linux environment as a backdoor.
(Image: Created with AI in Bing Designer by heise online / dmk)
IT researchers from Securonix have discovered a new type of attack chain. The malware consists of an emulated Linux environment that the attackers install as a backdoor on compromised systems.
As the Securonix employees describe in a detailed analysis, the attackers use a QEMU Linux box to gain persistence on the endpoints they were able to break into. The attack itself is carried out using phishing emails designed to trick victims into downloading and executing the malware.
Starting point: malicious .lnk file
The analysis starts with a phishing campaign that distributes a malicious .lnk file. When executed, the file unpacks a lightweight, customized Linux environment running under QEMU emulation. It comes with a preconfigured backdoor that connects to a command-and-control (C2) server controlled by the attackers. This lets the attackers remain active on the victims' machines and carry out further malicious actions inside the hidden environment, which makes them much harder for antivirus software to detect. In particular, because QEMU is frequently encountered in software development and research, its presence does not trigger a security alarm, Securonix explains.
The IT researchers go into more detail in their analysis. The focus is presumably on victims in the USA, as the phishing emails discovered contained a link to a ZIP file that purported to be a survey. The ZIP file and the shortcut it contained were named "OneAmerica Survey.zip" and "OneAmerica Survey.lnk" respectively. At 285 MByte, the ZIP file was unusually large for a phishing document. After unpacking the ZIP, a "data" directory containing the complete QEMU installation and the "OneAmerica Survey" shortcut remain. The .lnk file invokes PowerShell and executes a simple command that extracts the ZIP file to a directory in the user directory and finally launches the "start.bat" file from this new subdirectory.
The batch file displays an image loaded from a URL on the network that simulates a server error. Victims are supposed to believe that the survey is simply broken on the server side. The script also launches QEMU and the emulated Linux environment; the QEMU executable had previously been renamed to "fontdiag.exe". Starting it with the "-nographic" switch ensures that QEMU runs inconspicuously in the background. Securonix goes on to describe how the attackers infiltrate the system, set up an SSH backdoor and access the host system. They also set up an SSH-protected HTTP tunnel to bypass firewalls.
The analysis also provides indicators of compromise (IOCs). One of Securonix's recommendations is to enable logging on endpoints so that PowerShell abuse, for example, can be detected. This includes additional process-level logging, such as the Sysinternals tool Sysmon provides.
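As a defender-side illustration of that logging recommendation, the following Python script is an added example (it is not code from Securonix or from heise) that triages Sysmon process-creation events (Event ID 1) for the three behaviours the article describes: a QEMU binary whose on-disk name no longer matches the name in its PE version resource, a headless "-nographic" launch from a binary that is not a known QEMU name, and PowerShell started from explorer.exe (as happens when a shortcut is double-clicked) that unpacks a ZIP and runs start.bat. The sample events are constructed for this example; the field names follow Sysmon's Event ID 1 (Image, OriginalFileName, CommandLine, ParentImage), while the extraction directory, the PowerShell command line and the assumption that QEMU's version resource carries its original file name are assumptions rather than details from the report.

```python
"""Triage Sysmon Event ID 1 (process creation) records for CRON#TRAP-style
behaviour: renamed QEMU, headless QEMU, and a shortcut-launched PowerShell
that unpacks a ZIP and runs start.bat.

Sample events below are constructed for this example, not real telemetry.
"""
import json
from pathlib import PureWindowsPath

# Binary names shipped by QEMU for Windows. OriginalFileName comes from the
# PE version resource, so renaming the file on disk does not change it.
# Assumption: the QEMU build in question populates that resource.
QEMU_ORIGINAL_NAMES = {
    "qemu-system-x86_64.exe",
    "qemu-system-x86_64w.exe",
    "qemu-system-i386.exe",
}
POWERSHELL_NAMES = {"powershell.exe", "pwsh.exe"}

# Constructed sample events (paths and command lines are assumptions).
SAMPLE_EVENTS = [
    # Benign: a developer running QEMU under its own name, with a window.
    {"Image": r"C:\Program Files\qemu\qemu-system-x86_64.exe",
     "OriginalFileName": "qemu-system-x86_64.exe",
     "CommandLine": "qemu-system-x86_64.exe -m 2048 -hda dev.qcow2",
     "ParentImage": r"C:\Windows\explorer.exe"},
    # Suspicious: PowerShell spawned by explorer.exe (double-clicked .lnk)
    # that extracts the survey ZIP into the profile and runs start.bat.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": r"powershell.exe -Command Expand-Archive 'OneAmerica Survey.zip' "
                    r"C:\Users\victim\survey; C:\Users\victim\survey\start.bat",
     "ParentImage": r"C:\Windows\explorer.exe"},
    # Suspicious: QEMU renamed to fontdiag.exe, started headless from a batch file.
    {"Image": r"C:\Users\victim\survey\data\fontdiag.exe",
     "OriginalFileName": "qemu-system-x86_64.exe",
     "CommandLine": r"fontdiag.exe -nographic -hda data\disk.qcow2",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]


def basename(path):
    """Lower-cased file name component of a Windows path."""
    return PureWindowsPath(path).name.lower()


def triage_event(ev):
    """Return the list of rule names that fire on one process-creation event."""
    hits = []
    image = basename(ev.get("Image", ""))
    original = ev.get("OriginalFileName", "").lower()
    cmdline = ev.get("CommandLine", "")
    parent = basename(ev.get("ParentImage", ""))
    tokens = cmdline.lower().split()

    # Rule 1: the version resource says QEMU, the file on disk says otherwise.
    if original in QEMU_ORIGINAL_NAMES and image != original:
        hits.append("renamed_qemu")

    # Rule 2: headless emulator. -nographic is routine on build servers, so the
    # rule only fires when the image is not running under a known QEMU name.
    if "-nographic" in tokens and image not in QEMU_ORIGINAL_NAMES:
        hits.append("headless_qemu_unknown_image")

    # Rule 3: PowerShell under explorer.exe that unpacks an archive and then
    # hands off to start.bat, the .lnk behaviour described in the report.
    lowered = cmdline.lower()
    if (image in POWERSHELL_NAMES and parent == "explorer.exe"
            and ".zip" in lowered and "start.bat" in lowered):
        hits.append("lnk_powershell_unpack_and_run")
    return hits


def triage(events):
    """Flatten rule hits over many events into (rule, image) pairs."""
    return [(rule, ev["Image"]) for ev in events for rule in triage_event(ev)]


def load_jsonl(text):
    """Parse one exported Sysmon event per line (JSON objects), skipping blanks."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for rule, image in triage(SAMPLE_EVENTS):
        print(f"{rule:32s} {image}")
```

Rule 1 is the most durable of the three because it relies on the version resource rather than on the attackers' chosen file name; rule 2 needs tuning on hosts where developers legitimately run headless QEMU, and rule 3 should be paired with the PowerShell script-block logging the report recommends so that the full command, not just its launch, is recorded.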
Cyber criminals often use phishing emails to target victims. At the beginning of September, for example, malicious actors sent many thousands of phishing emails which, once the links in them were clicked, resulted in the installation of a backdoor with the "Voldemort" malware. IT researchers from Proofpoint discovered the wave, which the Federal Central Tax Office (BZSt) also warned about, since the attackers tried to create an official impression by spoofing the sender address 'poststelle@bzst.bund.de'.
(dmk)