Latest CRON#TRAP Malware Strikes Windows by Concealing in Linux VM to Elude Antivirus Software

November 8, 2024Ravie LakshmananMalware / Virtualization


Cybersecurity researchers have flagged a new malware campaign that compromises Windows systems by running a Linux virtual machine containing a backdoor that gives the attackers remote access to the infected hosts.

The campaign, tracked as CRON#TRAP, begins with a malicious Windows shortcut (LNK) file that is likely distributed inside a ZIP archive attached to a phishing email.

“Of particular interest in the CRON#TRAP initiative is the fact that the emulated Linux environment arrives pre-equipped with a backdoor that automatically links up to a hacker-managed command-and-control (C2) server,” Securonix researchers Den Iuzvyk and Tim Peck wrote in an analysis.


“This configuration enables the assailant to uphold a covert footprint on the victim’s device, enabling further malicious operations within a hidden space, thereby complicating detection for conventional antivirus solutions.”

The phishing emails masquerade as a “OneAmerica survey” and carry an unusually large 285MB ZIP file; opening the archive triggers the infection chain.

As part of the as-yet-unattributed attack chain, the LNK file serves as a conduit to extract and launch a lightweight, custom Linux environment emulated via Quick Emulator (QEMU), a legitimate open-source virtualization tool. The virtual machine runs Tiny Core Linux.


The shortcut then launches PowerShell commands that re-extract the ZIP file and execute a hidden “start.bat” script, which, in turn, displays a fake error message to the victim suggesting that the survey link is no longer active.

Behind the scenes, however, the script sets up the QEMU-based Linux environment, named PivotBox, which comes pre-loaded with the Chisel tunneling utility, giving the attackers remote access to the host as soon as the QEMU instance starts.

“The binary appears to be a pre-set Chisel client intended to link up with a remote Command and Control (C2) server at 18.208.230[.]174 through websockets,” detailed the researchers. “The attackers’ method successfully turns this Chisel client into a comprehensive backdoor, facilitating bi-directional remote control traffic flow in and out of the Linux environment.”
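A detection angle for the chain described above: the hidden VM only runs because a script host (cmd.exe from the LNK-spawned PowerShell stage) starts a QEMU binary that was dropped under the user's profile. The following is an added example, not code from Securonix or the article, that applies that rule to constructed process-creation records shaped like Sysmon Event ID 1; the field names, paths and file names (including pivotbox.qcow2) are assumptions for illustration.

```python
"""Flag QEMU launched from a user-writable path by a script host.

This mirrors the CRON#TRAP execution pattern: LNK -> PowerShell -> start.bat
-> qemu-system-*.exe started from an extracted archive directory. Records
are constructed to resemble Sysmon Event ID 1 (ProcessCreate) fields.
"""
import re

# Script hosts that the article describes launching the VM stage.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Any qemu-system-<arch>.exe binary, e.g. qemu-system-x86_64.exe.
QEMU_RE = re.compile(r"qemu-system-\w+\.exe$", re.IGNORECASE)
# User-writable locations where a phishing archive is typically extracted.
USER_PATH_RE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(appdata|downloads|desktop)\\", re.IGNORECASE)


def is_suspicious_qemu_launch(event):
    """True when QEMU starts from a user-writable directory with a script-host
    parent. A legitimate QEMU install under Program Files, or a user
    double-clicking QEMU from explorer.exe, is not flagged; tune the parent
    set and paths to your environment before deploying."""
    image = event.get("Image", "")
    parent = event.get("ParentImage", "")
    if not QEMU_RE.search(image):
        return False
    from_user_path = bool(USER_PATH_RE.match(image))
    parent_name = parent.rsplit("\\", 1)[-1].lower()
    return from_user_path and parent_name in SCRIPT_HOSTS


def scan_events(events):
    """Return the ProcessIds of events that match the CRON#TRAP-style launch."""
    return [e["ProcessId"] for e in events if is_suspicious_qemu_launch(e)]


# Constructed sample telemetry (not real logs); paths and names are illustrative.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": r"C:\Program Files\qemu\qemu-system-x86_64.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"ProcessId": 5284,
     "Image": r"C:\Users\alice\AppData\Local\Temp\OneAmericaSurvey\qemu\qemu-system-x86_64.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"ProcessId": 6012, "Image": r"C:\Users\alice\Downloads\notepad.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

if __name__ == "__main__":
    for pid in scan_events(SAMPLE_EVENTS):
        print(f"suspicious QEMU launch: pid {pid}")  # prints pid 5284 only
```

Pair this with an egress rule for the Chisel websocket channel the researchers describe, since the VM's own network traffic is what ultimately reveals the backdoor.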


This campaign is one of many constantly evolving techniques that threat actors are using to target organizations and mask malicious activity — as evidenced by a spear-phishing campaign aimed at electronics manufacturing, engineering, and industrial companies in European countries to deliver the evasive GuLoader malware.

“The electronic mails typically include order inquiries and feature an archive file attachment,” said Cado Security researcher Tara Gould. “The emails are dispatched from multiple email addresses including fictitious firms and exploited accounts. The emails usually take over an existing email chain or ask for information regarding an order.”


The attack, primarily targeting countries such as Romania, Poland, Germany, and Kazakhstan, begins with a batch file contained in the archive. The batch file embeds an encoded PowerShell script that downloads a second PowerShell script from a remote server.

The second PowerShell script contains routines to allocate memory and ultimately execute the GuLoader shellcode, which retrieves the next-stage payload.

“Guloader malware is persistently altering its tactics to dodge detection and deliver Remote Access Trojans,” alerted Gould. “Threat actors are persistently concentrating on specific sectors in particular countries. Its resilience underscores the necessity for proactive security precautions.”
