
Novel phishing campaign targets Windows systems with malicious Linux VMs


BleepingComputer reports that Windows systems have been compromised with backdoor-laced Linux virtual machines facilitating covert network access as part of the new CRON#TRAP phishing campaign.

Attacks begin with phishing emails purporting to be a "OneAmerica survey" and carrying a ZIP archive that contains a Windows shortcut file and a primary executable, which together deploy a custom Tiny Core QEMU Linux virtual machine, dubbed 'PivotBox', that contains the backdoor, according to an analysis from Securonix. Beyond using a pre-configured Chisel network tunneling program for command-and-control communications, the QEMU Linux VM also lets the attackers run commands for network and payload management, surveillance, and data theft, the researchers said. These findings, which come months after Kaspersky researchers reported QEMU being exploited to establish virtual network interfaces, should prompt organizations to monitor for 'qemu.exe' process execution and to prohibit QEMU and other virtualization programs, the researchers added.
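The detection step the researchers recommend, tracking qemu.exe process execution, worked through as an added example; this is not code from the article, from BleepingComputer, or from Securonix. It assumes Windows process-creation events (such as Sysmon Event ID 1) have been exported as one record per line with pipe-separated Key=Value fields; that export format, the sample records, and the renamed-binary heuristic (QEMU switches on a non-QEMU image name) are constructed here.

```python
"""Flag QEMU launches in Windows process-creation telemetry.

Added example, not code from the SC Media article or from Securonix's
analysis. Assumes events were exported as 'Key=Value|Key=Value' lines;
the format and the sample records below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Executables QEMU ships under on Windows: qemu.exe (named in the article),
# qemu-system-<arch>.exe, the "w" (no-console) variants, and qemu-img.exe.
QEMU_BASENAME_RE = re.compile(r"^qemu(-system-[a-z0-9_]+|-img)?w?\.exe$", re.IGNORECASE)

# Common QEMU command-line switches. Two or more on an image that is not
# named like QEMU suggests a renamed copy (heuristic assumption, not from
# the article).
QEMU_SWITCHES = ("-m ", "-netdev ", "-drive ", "-hda ", "-display none", "-nographic", "-smp ")

# User-writable locations; a hypervisor running from one of these after a
# phishing lure is the pattern the article describes for CRON#TRAP.
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads)\\", re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    severity: str
    image: str
    parent_image: str
    command_line: str


def parse_record(line: str) -> dict:
    """Split 'Key=Value|Key=Value' into a dict; values may themselves contain '='."""
    record = {}
    for part in line.strip().split("|"):
        key, sep, value = part.partition("=")
        if sep:
            record[key.strip()] = value.strip()
    return record


def basename(path: str) -> str:
    """Last path component, accepting either Windows or POSIX separators."""
    return re.split(r"[\\/]", path)[-1]


def check_event(event: dict) -> Optional[Finding]:
    """Return a Finding for a QEMU launch, or None for an uninteresting event."""
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    parent = event.get("ParentImage", "")
    in_user_dir = bool(USER_WRITABLE_RE.search(image))

    if QEMU_BASENAME_RE.match(basename(image)):
        # Under a "no QEMU" policy every launch is worth a ticket; a launch
        # from a user-writable directory is the phishing-delivered case.
        return Finding("qemu_binary_executed", "high" if in_user_dir else "medium",
                       image, parent, cmd)

    # Renamed-binary heuristic: QEMU-style switches on a non-QEMU image name.
    if sum(1 for switch in QEMU_SWITCHES if switch in cmd) >= 2:
        return Finding("qemu_switches_on_renamed_image", "high", image, parent, cmd)
    return None


def hunt(lines) -> list:
    """Run check_event over every non-empty record and collect the findings."""
    findings = []
    for line in lines:
        if line.strip():
            finding = check_event(parse_record(line))
            if finding:
                findings.append(finding)
    return findings


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    # Lure extracted to Temp starts a bundled QEMU with a Linux disk image.
    r'Image=C:\Users\alice\AppData\Local\Temp\OneAmerica Survey\qemu.exe|ParentImage=C:\Windows\System32\cmd.exe|CommandLine="qemu.exe" -m 512 -netdev user,id=n0 -drive file=PivotBox.qcow2 -display none',
    # Ordinary user activity, should not fire.
    r'Image=C:\Windows\System32\notepad.exe|ParentImage=C:\Windows\explorer.exe|CommandLine="notepad.exe" notes.txt',
    # QEMU copied under a neutral name but started with hypervisor switches.
    r'Image=C:\Users\alice\Downloads\updater.exe|ParentImage=C:\Windows\System32\cmd.exe|CommandLine="updater.exe" -m 256 -hda disk.img -nographic',
    # QEMU installed system-wide by an administrator: still reported, lower severity.
    r'Image=C:\Program Files\qemu\qemu-system-x86_64w.exe|ParentImage=C:\Windows\explorer.exe|CommandLine="qemu-system-x86_64w.exe" -m 2048 -hda dev.qcow2',
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.image} (parent: {f.parent_image})")
```

Keeping the parent image in each finding lets an analyst see the launch chain from the shortcut-spawned shell to the hypervisor, which is what distinguishes the phishing case from an administrator's own QEMU install; the severity split is only a triage aid and does not change the article's recommendation that QEMU be blocked outright.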
