A Newly Discovered CRON#TRAP Malware Infects Windows Machines by Concealing Itself in a Linux Virtual Machine to Bypass Antivirus Detection
Cybersecurity experts have identified a fresh malware tactic targeting Windows machines, where it leverages a Linux virtual environment to implant a hidden backdoor enabling remote control over the compromised systems.
The campaign, known as CRON#TRAP, kicks off with a malicious Windows LNK file distributed via a phishing email, likely concealed in a ZIP archive.
“What sets the CRON#TRAP operation apart is the presence of a pre-configured backdoor in the emulated Linux environment, establishing automatic connections with a command-and-control (C2) server under the attacker’s control,” Securonix researchers Den Iuzvyk and Tim Peck said in an analysis.
“By setting up the Linux environment with the backdoor, attackers can surreptitiously maintain control over the victim’s system, hiding further malicious actions within an obscured setup, posing a challenge for conventional antivirus solutions to detect,” the researchers added.
The phishing emails masquerade as a “OneAmerica survey” and come with a large 285MB ZIP archive that, upon opening, initiates the infection process.
As part of the unattributed attack chain, the LNK file acts as a medium to extract and launch a customized Linux environment emulated using Quick Emulator (QEMU), a legitimate open-source virtualization tool. The virtual machine runs Tiny Core Linux.
Subsequently, the shortcut triggers PowerShell commands to extract the content of the ZIP file and run a hidden “start.bat” script, presenting a fake error message to the victim to mislead them into believing that the survey link is no longer accessible.
Meanwhile, the QEMU-based virtual Linux environment dubbed PivotBox is set up in the background, pre-equipped with the Chisel tunneling utility, granting immediate remote access to the host as soon as the QEMU instance is operational.
“The binary seems to be a pre-configured Chisel client tailor-made to connect to a remote Command-and-Control (C2) server at 18.208.230[.]174 using websockets,” stated the researchers. “This method effectively transforms the Chisel client into a complete backdoor, enabling undetectable remote control traffic to flow in and out of the Linux environment.”
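The chain described above (a script host launching a QEMU binary from a user-writable folder to run a headless VM) leaves a process-creation footprint a defender can hunt for. The following is an added detection sketch written for this article, not code from Securonix or the campaign; the event records are constructed to resemble Sysmon Event ID 1 fields, and the command lines are illustrative, not the campaign's actual ones.

```python
import ntpath
import re

# Constructed process-creation events (fields modelled on Sysmon Event ID 1);
# these are sample records written for this example, not captured telemetry.
SAMPLE_EVENTS = [
    {   # legitimate install launched interactively from Explorer
        "image": r"C:\Program Files\qemu\qemu-system-x86_64.exe",
        "parent_image": r"C:\Windows\explorer.exe",
        "command_line": '"qemu-system-x86_64.exe" -m 2048 -hda dev.qcow2',
    },
    {   # developer running QEMU from a batch file: one weak signal only
        "image": r"C:\Program Files\qemu\qemu-system-x86_64.exe",
        "parent_image": r"C:\Windows\System32\cmd.exe",
        "command_line": '"qemu-system-x86_64.exe" -m 1024 -hda build.qcow2',
    },
    {   # CRON#TRAP-style chain: script host starts a headless VM from a temp dir
        "image": r"C:\Users\victim\AppData\Local\Temp\OneAmerica\qemu.exe",
        "parent_image": r"C:\Windows\System32\cmd.exe",
        "command_line": '"qemu.exe" -m 256 -hda PivotBox.qcow2 -display none',
    },
]

SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
QEMU_BINARY = re.compile(r"^qemu(-system-[a-z0-9_]+)?\.exe$", re.I)
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\(appdata|downloads|desktop)\\", re.I)
HEADLESS_FLAGS = ("-display none", "-nographic")   # real QEMU options


def qemu_signals(event):
    """Return the list of suspicious traits for one process-creation event."""
    if not QEMU_BINARY.match(ntpath.basename(event["image"])):
        return []                      # not a QEMU launch at all
    signals = []
    if ntpath.basename(event["parent_image"]).lower() in SCRIPT_HOSTS:
        signals.append("spawned by script host")
    if USER_WRITABLE.match(event["image"]):
        signals.append("binary in user-writable directory")
    if any(flag in event["command_line"].lower() for flag in HEADLESS_FLAGS):
        signals.append("headless VM (no display)")
    return signals


def find_hidden_vms(events, min_signals=2):
    """Flag QEMU launches that combine at least min_signals suspicious traits."""
    return [(ev["image"], qemu_signals(ev)) for ev in events
            if len(qemu_signals(ev)) >= min_signals]


if __name__ == "__main__":
    for image, signals in find_hidden_vms(SAMPLE_EVENTS):
        print(image, "->", "; ".join(signals))
```

The two-signal threshold keeps a developer's batch-scripted QEMU run out of the alert while still catching a headless VM started by a script host from a temp directory.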
This development represents one of various constantly evolving techniques deployed by threat actors to undermine organizations and mask malicious behavior. For example, a spear-phishing campaign has been observed targeting electronic manufacturing, engineering, and industrial firms in European nations to distribute the elusive GuLoader malware.
“The emails claim to be ‘OneAmerica survey’ with a large ZIP attachment, aiming to trick the victim into executing the attack,” Cado Security researcher Tara Gould noted. “The emails often seem to originate from forged companies or compromised accounts, crafting a sense of legitimacy and enticement for the victim to engage.”
This operation, primarily aimed at countries like Romania, Poland, Germany, and Kazakhstan, begins with a batch file inside the archived file. The batch file conceals an encoded PowerShell script which subsequently fetches another PowerShell script from a remote server.
The secondary PowerShell script is capable of allocating memory and ultimately executing GuLoader shellcode to retrieve the next-stage payload.
“The evolving tactics employed by the GuLoader malware to dodge detection and deliver RATs remain a significant concern. Threat actors are persistently focusing on particular sectors in specific regions, underscoring the importance of adopting proactive security measures,” Gould concluded.