Man
Professional
There may be a full-fledged OS hidden inside your computer that steals your identity.
Securonix researchers have discovered an unusual cyberattack, tracked as CRON#TRAP. The attackers use a malicious shortcut that, once launched, boots a hidden, customized Linux environment with the QEMU emulator. This gives them an invisible foothold on the victim's computer from which they can control it while bypassing security software.
QEMU is a legitimate virtualization tool, so its presence is usually not suspicious. In this attack, the attackers configured QEMU to boot a minimal Linux distribution, Tiny Core Linux, with a pre-installed backdoor. The backdoor automatically connects to the C2 server, giving the hackers persistent access to the system.
Researchers believe the infection began with a phishing email. The email contained a 285 MB archive, "OneAmerica Survey.zip", holding a shortcut and a directory with QEMU. After unpacking the archive, the user sees only the shortcut, which, when launched, starts a chain of actions: first it displays an error message, then it launches QEMU disguised as a file named "fontdiag.exe". From inside the hidden Linux environment, the attackers can interact with the host system using dedicated commands, for example to collect user data.
In addition, inside the virtual system, named PivotBox, the attackers installed programs for monitoring the network, downloading files, and saving their changes. One of the key tools is the "crondx" file, a modified version of Chisel. The tool tunnels data covertly through firewalls, maintaining a persistent encrypted connection to the attackers' server.
This technique requires considerable skill and relies on legitimate tools, which complicates detection. Securonix advises against downloading files from unknown sources, especially archives sent by e-mail. Administrators should also check system folders for suspicious files and enable PowerShell logging so that attempts to break into the system can be detected in time.
Source
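One way to act on that detection advice, as an added example that is not part of the post or of Securonix's report: the Python below scores Sysmon process-creation records (Event ID 1 fields such as Image, OriginalFileName, CommandLine and ParentImage) for a QEMU binary that has been renamed, as "fontdiag.exe" was, and launched with VM switches from a user-writable folder by a shell a shortcut would spawn. The sample records, the paths, the command-line arguments given to fontdiag.exe, the list of launcher parents and the scoring threshold are all constructed for illustration; the check that PE version info still reads qemu-system-*.exe is an assumption about how a renamed copy looks, not a claim from the report.

```python
"""Hunt Sysmon process-creation (Event ID 1) records for a renamed QEMU booting a hidden VM.

Heuristics used here (assumptions for this example, not from the Securonix write-up):
  * PE version info still says OriginalFileName=qemu-system-*.exe while the on-disk name differs
  * the command line carries switches only a VM launcher uses (-drive, -hda, -netdev, -display, ...)
  * the binary runs from a user-writable directory under a shell that a shortcut would spawn
"""
import json
import ntpath
import re

QEMU_ORIG = re.compile(r"^qemu-system-\w+\.exe$", re.I)
QEMU_ARGS = re.compile(r"(?:^|\s)-(?:drive|hda|hdb|cdrom|netdev|display|nographic)\b", re.I)
LAUNCHER_PARENTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "explorer.exe"}
USER_WRITABLE = re.compile(
    r"\\(?:Users\\[^\\]+\\(?:Downloads|Desktop|AppData)|Temp|ProgramData)\\", re.I)

# Constructed sample events using Sysmon Event ID 1 field names; paths and arguments are invented.
SAMPLE_EVENTS = [
    {   # renamed QEMU launched by PowerShell from the unpacked phishing archive
        "Image": r"C:\Users\alice\Downloads\OneAmerica Survey\data\fontdiag.exe",
        "OriginalFileName": "qemu-system-x86_64.exe",
        "CommandLine": "fontdiag.exe -m 2048 -drive file=tc.img,format=raw -netdev user,id=n0 -display none",
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    },
    {   # legitimate QEMU install run by an administrator: same switches, nothing renamed
        "Image": r"C:\Program Files\qemu\qemu-system-x86_64.exe",
        "OriginalFileName": "qemu-system-x86_64.exe",
        "CommandLine": "qemu-system-x86_64.exe -m 4096 -drive file=dev.qcow2 -display sdl",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # unrelated process for contrast
        "Image": r"C:\Windows\System32\notepad.exe",
        "OriginalFileName": "NOTEPAD.EXE",
        "CommandLine": "notepad.exe notes.txt",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]
SAMPLE_LINES = [json.dumps(ev) for ev in SAMPLE_EVENTS]  # one JSON record per log line


def score_event(ev):
    """Return the list of reasons a process-creation event looks like a hidden-VM launch."""
    reasons = []
    image = ev.get("Image", "")
    name = ntpath.basename(image).lower()
    orig = ev.get("OriginalFileName", "")
    cmd = ev.get("CommandLine", "")
    parent = ntpath.basename(ev.get("ParentImage", "")).lower()

    # Version info survives a rename; a mismatch with the on-disk name is the strongest signal.
    if QEMU_ORIG.match(orig) and orig.lower() != name:
        reasons.append(f"renamed QEMU: {name} carries OriginalFileName {orig}")
    if QEMU_ARGS.search(cmd):
        reasons.append("VM launcher switches on the command line")
    # Only worth mentioning once something QEMU-like has already been seen.
    if reasons and parent in LAUNCHER_PARENTS and USER_WRITABLE.search(image):
        reasons.append(f"started by {parent} from a user-writable path")
    return reasons


def hunt(lines, min_reasons=2):
    """Parse JSON log lines; return {Image: reasons} for records that trip at least min_reasons."""
    flagged = {}
    for line in lines:
        ev = json.loads(line)
        reasons = score_event(ev)
        if len(reasons) >= min_reasons:
            flagged[ev.get("Image", "")] = reasons
    return flagged


if __name__ == "__main__":
    for image, why in hunt(SAMPLE_LINES).items():
        print(image)
        for reason in why:
            print("  -", reason)
```

The threshold of two reasons keeps an administrator's own QEMU install (switches present, nothing renamed, installed under Program Files) out of the results while the renamed copy in Downloads trips all three checks; lower `min_reasons` to 1 when hunting broadly and review the legitimate hits by hand.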