BleepingComputer reports that Windows systems have been compromised with backdoor-laced Linux virtual machines facilitating covert network access as part of the new CRON#TRAP phishing campaign.
Attacks commence with the delivery of phishing emails purporting to be a "OneAmerica survey" carrying a ZIP archive that contains a Windows shortcut file and a primary executable; together these deploy a custom Tiny Core Linux QEMU virtual machine, dubbed 'PivotBox', that contains the backdoor, according to an analysis from Securonix. Aside from using a pre-configured Chisel network tunneling program for command-and-control communications, the QEMU Linux VM also facilitates the execution of commands enabling network and payload management, surveillance, and data theft, the researchers said. Such findings, which come months after Kaspersky researchers reported QEMU being exploited to establish virtual network interfaces, should prompt organizations to track 'qemu.exe' process execution and prohibit QEMU and other virtualization programs where they are not needed, the researchers added.
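To make the "track 'qemu.exe' process execution" recommendation concrete, here is an added example (not code from Securonix, Kaspersky or the article) that scans constructed process-creation events and grades QEMU launches. The approved install directory, the field names and the three heuristics (binary outside an approved directory, guest image loaded from a user profile path, headless guest) are my assumptions for a starting rule, not indicators from the report.

```python
import ntpath
import re
from dataclasses import dataclass

# Hypothetical allowlist: where an approved QEMU build is permitted to live.
APPROVED_DIRS = ("c:\\program files\\qemu\\",)
QEMU_IMAGE = re.compile(r"^qemu(-system-[a-z0-9_]+|-img)?\.exe$", re.IGNORECASE)
# QEMU options that point at a guest disk image or raw kernel/initrd.
DISK_FLAGS = ("-hda", "-drive", "-cdrom", "-kernel", "-initrd")

# Constructed sample events in a simplified key="value" format (not real telemetry).
SAMPLE_EVENTS = [
    'host="WS01" user="alice" image="C:\\Program Files\\qemu\\qemu-system-x86_64.exe" '
    'cmdline="qemu-system-x86_64.exe -m 2048 -hda D:\\vms\\dev.qcow2"',
    'host="WS02" user="bob" image="C:\\Users\\bob\\AppData\\Local\\Temp\\survey\\qemu.exe" '
    'cmdline="qemu.exe -m 256 -hda C:\\Users\\bob\\AppData\\Local\\Temp\\survey\\pivot.qcow2 -nographic"',
    'host="WS03" user="carol" image="C:\\Windows\\System32\\notepad.exe" cmdline="notepad.exe"',
]

@dataclass
class Finding:
    host: str
    user: str
    image: str
    severity: str
    reason: str

def parse_event(line):
    """Split a line of key="value" pairs into a dict (values may contain spaces)."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))

def assess(event):
    """Return a Finding for any QEMU launch, rated high when suspicious traits are present."""
    image = event.get("image", "")
    if not QEMU_IMAGE.match(ntpath.basename(image)):
        return None
    reasons = []
    if not image.lower().startswith(APPROVED_DIRS):
        reasons.append("qemu binary outside approved install directory")
    tokens = event.get("cmdline", "").split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() in DISK_FLAGS and "\\users\\" in tokens[i + 1].lower():
            reasons.append("guest image loaded from a user profile path")
        if tok.lower() == "-display" and tokens[i + 1].lower() == "none":
            reasons.append("headless guest (no display)")
    if "-nographic" in tokens:
        reasons.append("headless guest (no display)")
    severity = "high" if reasons else "info"
    return Finding(event.get("host", "?"), event.get("user", "?"), image,
                   severity, "; ".join(reasons) or "qemu execution observed")

def scan(lines):
    """Evaluate every event line and keep only the QEMU findings."""
    return [f for f in (assess(parse_event(line)) for line in lines) if f]
```

Every QEMU launch is recorded at "info" so an inventory of legitimate use can be built before moving to outright blocking; only the launches with suspicious traits are raised to "high".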