Attacker Hides Malicious Activity in Emulated Linux Environment

Among the many constantly evolving tactics that threat actors are using to target organizations is a new one involving emulated Linux environments to stage malware and conceal malicious activity.

Researchers at Securonix spotted an attacker using the novel approach to maintain a stealthy presence on target systems and harvest data from them undetected by conventional antivirus and malware detection systems.

Novel Technique

So far, the security vendor has not been able to identify the adversary or determine whom they might be targeting. But available evidence — including the campaign's verbiage and the fact that the command-and-control (C2) server is based in the US — suggest that organizations in North America are the primary focus, Securonix theorized in a report this week.

"While not all evidence points one way or the other, the technical sophistication and customization observed make it more likely that [the campaign] was crafted with specific targets or sectors in mind within North America and Europe," says Tim Peck, senior threat researcher at Securonix.

CRON#TRAP, as Securonix is tracking the campaign, is notable for the attacker's use of a custom emulated QEMU Linux environment to persist on endpoints and execute a variety of malicious activity on them. QEMU — for Quick EMUlater — is an open source, cross-platform virtualization tool that allows organizations to emulate systems based on x86, PowerPC, ARM, and other processor technologies. One of its primary use cases is to emulate hardware platforms for software testing across Linux, Windows, macOS, and other operating system environments.

"In the case of the CRON#TRAP campaign, the attackers opted to emulate a Linux installation of Tiny Core Linux," Securonix said in its blog. "As far as we can determine, this is the first time that this tool has been used by attackers for malicious purposes outside of cryptomining." Tiny Core Linux is a modular, lightweight Linux distribution with a footprint small enough for use in resource-constrained environments.

The attacks that Securonix observed as part of the CRON#TRAP campaign began with a phishing email containing a link to an unusually large zip file with a survey-themed name.

The zip file contained a similarly themed shortcut file, which, when clicked on, once again extracted the contents of the zip file and initiated a sequence of steps that ended with the QEMU virtual box getting deployed on the victim machine. Securonix found the emulated Linux instance to contain a preconfigured backdoor that during startup automatically connected the victim systems to a hardcoded C2 server in the US. The attackers implemented the backdoor using Chisel, a legitimate tool for creating secure, encrypted tunnels for transferring data, typically over WebSockets.

The security vendor's analysis of the QEMU image showed the attackers named it PivotBox. It contained a detailed history of the commands the threat actor had executed undetected within the emulated Linux environment. Among them were commands for network testing and initial reconnaissance, user enumeration, tool installation and preparation, SSH key manipulation, payload manipulation and execution, file and environment management, data exfiltration, privilege escalation, and persistence.

Clearly Motivated Attacker

"The commands executed by the threat actor reveal a clear intention to establish persistence, maintain covert access," Peck says. "They were highly focused on establishing a stable, reliable, and stealthy point of access within the target's network." The use of SSH key generation and subsequent uploads of the public key to a file-sharing service highlight an effort to ensure persistent remote access even after reboots, he notes.

The use of emulated Linux environment for malicious activity is the latest example of how attackers constantly find new ways and new techniques to bypass security mechanisms. As with any malicious campaign, the best protection against attacks like CRON#TRAP is to nip them in the bud, which in this case would be training users not to act on phishing emails, Peck says. For instance, the zip file associated with the campaign weighs in at a massive 285MB, which alone should be cause for suspicion.

Beyond that, measures such as application whitelisting and endpoint monitoring can also help organizations detect such campaigns. "As QEMU was executed through unconventional methods, this does present us with interesting detection opportunities," Peck says. One example is detecting the execution of QEMU outside the default Program Files directory. "Monitoring for network-based indicators such as persistent SSH connections from unexpected endpoints could also aid in detecting this campaign."

Don't miss the latest Dark Reading Confidential podcast, where we talk about NIST's post-quantum cryptography standards and what comes next for cybersecurity practitioners. Guests from General Dynamics Information Technology (GDIT) and Carnegie Mellon University break it all down. Listen now!