Severity
High
Analysis Summary
Cybersecurity researchers have discovered a new malware campaign that infects Windows computers with a backdoored Linux virtual machine, giving attackers remote access to the affected hosts.
The campaign, codenamed CRON#TRAP, begins with a malicious Windows shortcut (LNK) file that is most likely delivered inside a ZIP file attached to a phishing email. The CRON#TRAP campaign is especially worrisome because the emulated Linux instance is pre-configured with a backdoor that immediately connects to an attacker-controlled command-and-control (C2) server.
“This setup allows the attacker to maintain a stealthy presence on the victim's machine, staging further malicious activity within a concealed environment, making detection challenging for traditional antivirus solutions,” said the researchers.
The phishing emails pose as a "OneAmerica survey" and carry a sizable 285 MB ZIP file that, when opened, starts the infection chain. The LNK file acts as a conduit that extracts and launches a lightweight, customized Linux environment using Quick Emulator (QEMU), a legitimate open-source virtualization application; the campaign is as yet unattributed. The virtual machine runs Tiny Core Linux.
The shortcut then initiates PowerShell commands that re-extract the ZIP file and run a hidden "start.bat" script, which presents the victim with a fictitious error message to make it appear as though the survey link is broken. However, in the background, it installs the QEMU virtual Linux environment known as PivotBox, which has the Chisel tunneling tool preinstalled and allows remote access to the host as soon as the QEMU instance is started.
The binary appears to be a pre-configured Chisel client that uses WebSockets to establish a connection to a remote command-and-control (C2) server. With this method the attackers effectively turn the Chisel client into a complete backdoor, allowing remote command-and-control traffic to enter and leave the Linux guest. The development is just one of many ever-changing strategies that threat actors employ to target organizations and hide malicious activity.
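The chain described above (user opens a shortcut, PowerShell re-extracts the archive, a batch file starts QEMU from a user-writable directory, the guest runs headless) leaves a recognisable process lineage in endpoint telemetry. The following detection logic is an added example written for this advisory, not code from the researchers or from any vendor; it runs over constructed Sysmon-style process-creation events (pid, parent pid, image path, command line) and flags a QEMU launch that combines at least two of: a binary outside Program Files, a script-host ancestor, and a headless display flag. The sample events, paths and command lines are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Script interpreters that a shortcut-driven infection chain typically passes through.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# qemu-system-<arch>.exe is the emulator binary named in the advisory.
QEMU_IMAGE_RE = re.compile(r"^qemu-system-[a-z0-9_]+\.exe$", re.IGNORECASE)
# Locations a phished user can write to without elevation.
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Downloads|Users\\Public)\\", re.IGNORECASE)

# Constructed sample telemetry: (pid, ppid, image, command_line). Not real events.
SAMPLE_EVENTS = [
    (4321, 1000, r"C:\Windows\explorer.exe", "explorer.exe"),
    (5000, 4321, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     'powershell.exe -WindowStyle Hidden -Command "Expand-Archive survey.zip $env:TEMP; cmd /c start.bat"'),
    (5100, 5000, r"C:\Windows\System32\cmd.exe", r"cmd /c C:\Users\alice\AppData\Local\Temp\start.bat"),
    (5200, 5100, r"C:\Users\alice\AppData\Local\Temp\qemu\qemu-system-x86_64.exe",
     "qemu-system-x86_64.exe -m 256 -hda core.qcow2 -nographic"),
    # Benign control: a developer's QEMU install under Program Files, started from Explorer.
    (6000, 1000, r"C:\Windows\explorer.exe", "explorer.exe"),
    (6100, 6000, r"C:\Program Files\qemu\qemu-system-x86_64.exe",
     "qemu-system-x86_64.exe -m 4096 -drive file=dev.qcow2"),
]


@dataclass
class Finding:
    pid: int
    image: str
    reasons: list = field(default_factory=list)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def lineage(by_pid, pid, limit=16):
    """Walk parent pointers from pid to the root we have telemetry for."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen and len(chain) < limit:
        seen.add(pid)
        _, ppid, image, _ = by_pid[pid]
        chain.append(basename(image))
        pid = ppid
    return chain


def detect_qemu_abuse(events):
    """Return Findings for QEMU launches that show at least two suspicious traits."""
    by_pid = {e[0]: e for e in events}
    findings = []
    for pid, ppid, image, cmdline in events:
        if not QEMU_IMAGE_RE.match(basename(image)):
            continue
        reasons = []
        if USER_WRITABLE_RE.search(image):
            reasons.append("qemu binary in user-writable path")
        if any(a in SCRIPT_HOSTS for a in lineage(by_pid, pid)[1:]):
            reasons.append("launched via script host")
        if "-nographic" in cmdline.split() or "-display none" in cmdline:
            reasons.append("headless VM (no console shown to user)")
        if len(reasons) >= 2:
            findings.append(Finding(pid, image, reasons))
    return findings


if __name__ == "__main__":
    for f in detect_qemu_abuse(SAMPLE_EVENTS):
        print(f.pid, f.image, "; ".join(f.reasons))
```

Requiring two traits rather than one keeps a legitimately installed emulator from firing, while the chain in the advisory trips all three. The same scoring translates directly into a SIEM query over Sysmon Event ID 1 fields (Image, ParentImage, CommandLine).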
Impact
- Unauthorized Access
- Command Execution
- Security Bypass
Indicators of Compromise
MD5
- 48e724267c0ee221374ef1f2a75b2ea0
- f5008036fce8b2846b800fc98c72f503
- 581683ba2214271545456e870a09015d
- aafa9962dff918200496bf43fdf91101
- 6bda1bf74b65c81b0d685cec79715079
- 8764158da1985748ecce453c97ec4d24
- 7341cbac6caa49d7160676a1abf5acbf
- 7d46699f5319039c18f70e43f829eb02
SHA-256
- ce26aac9ba7be60bfb998ba6add6b34da5a68506e9fea9844dc44bafe3cab676
- 0618bb997462f350bc4402c1a5656b38bedc278455823ac249fd5119868d3df4
- 002f9cd9ffa4b81301d003acd9fb3fbba1262e593b4f2e56a085b62a50e76510
- bc7a34379602f9f061bdb94ec65e8e46da0257d511022a17d2555adbd4b1dd38
- 3e6a47da0a226a4c98fb53a06ec1894b4bfd15e73d0cea856b7d2a001cada7e9
- 9a33ea831edf83cb8775311963f52299f1488a89651bd3471cc8f1c70f08a36c
- 82a9747485fdd60360d28cd73671f171a8312b7d68b26fe1e2d472eb97c4fe59
- f4229128ef642d299f7ab5fbcb6de75a17d12f30f22a3985044c8b1b44f1768f
SHA1
- 975f31410b9aa42f6ce90bd016bef186d88b4b26
- a1193516a5b55b5e44b9caf5801858d9741c2ec3
- 9f2ac0574abd7e5ea9c29fddef948bf6e0967e26
- bfb8e745fd17dd2a72453f311b7697f11ab87025
- 888d9beb279870a3b639213e49585e50bdc1426a
- 70d151b6d580ad416f265b2fd546ab94c0ecd4ff
- ac01ed52d2050c845a2fe688f9760b1b6ddf0bf5
- ab1b10c8b089f5c0745f8ae634da4991fbd923dc
URL
- http://github.com/yaniraenrica/testing/raw/main/resolvd.zip
- http://github.com/rustyshackleford72/testing/raw/main/cheezel-client
- http://github.com/gregtunny/data/raw/refs/heads/main/ch.zip
- http://forum.hestiacp.com/uploads/default/original/2X/9/9aae76309a614c85f880512d8fe7df158fec52cc.png
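To make the hash and URL indicators above directly usable, the following Python script is an added example (not code from the advisory's authors): it computes MD5, SHA-1 and SHA-256 of each file in one pass, checks all three against the listed values, and matches URLs from proxy or DNS logs against the listed download locations while ignoring the http/https scheme. The indicator values are copied verbatim from the lists above; the directory layout and log URLs in the usage are assumed.

```python
import hashlib
import os
from urllib.parse import urlsplit

# Indicator values copied from the advisory's IOC lists.
IOC_MD5 = {
    "48e724267c0ee221374ef1f2a75b2ea0", "f5008036fce8b2846b800fc98c72f503",
    "581683ba2214271545456e870a09015d", "aafa9962dff918200496bf43fdf91101",
    "6bda1bf74b65c81b0d685cec79715079", "8764158da1985748ecce453c97ec4d24",
    "7341cbac6caa49d7160676a1abf5acbf", "7d46699f5319039c18f70e43f829eb02",
}
IOC_SHA1 = {
    "975f31410b9aa42f6ce90bd016bef186d88b4b26", "a1193516a5b55b5e44b9caf5801858d9741c2ec3",
    "9f2ac0574abd7e5ea9c29fddef948bf6e0967e26", "bfb8e745fd17dd2a72453f311b7697f11ab87025",
    "888d9beb279870a3b639213e49585e50bdc1426a", "70d151b6d580ad416f265b2fd546ab94c0ecd4ff",
    "ac01ed52d2050c845a2fe688f9760b1b6ddf0bf5", "ab1b10c8b089f5c0745f8ae634da4991fbd923dc",
}
IOC_SHA256 = {
    "ce26aac9ba7be60bfb998ba6add6b34da5a68506e9fea9844dc44bafe3cab676",
    "0618bb997462f350bc4402c1a5656b38bedc278455823ac249fd5119868d3df4",
    "002f9cd9ffa4b81301d003acd9fb3fbba1262e593b4f2e56a085b62a50e76510",
    "bc7a34379602f9f061bdb94ec65e8e46da0257d511022a17d2555adbd4b1dd38",
    "3e6a47da0a226a4c98fb53a06ec1894b4bfd15e73d0cea856b7d2a001cada7e9",
    "9a33ea831edf83cb8775311963f52299f1488a89651bd3471cc8f1c70f08a36c",
    "82a9747485fdd60360d28cd73671f171a8312b7d68b26fe1e2d472eb97c4fe59",
    "f4229128ef642d299f7ab5fbcb6de75a17d12f30f22a3985044c8b1b44f1768f",
}
IOC_URLS = {
    "http://github.com/yaniraenrica/testing/raw/main/resolvd.zip",
    "http://github.com/rustyshackleford72/testing/raw/main/cheezel-client",
    "http://github.com/gregtunny/data/raw/refs/heads/main/ch.zip",
    "http://forum.hestiacp.com/uploads/default/original/2X/9/9aae76309a614c85f880512d8fe7df158fec52cc.png",
}


def _digest_stream(chunks):
    """Feed every chunk to all three hash objects; return hex digests keyed by name."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    for chunk in chunks:
        for d in digests.values():
            d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def hash_bytes(data):
    return _digest_stream([data])


def hash_file(path, chunk_size=1 << 20):
    """Single pass over the file, so large archives are read only once."""
    with open(path, "rb") as fh:
        return _digest_stream(iter(lambda: fh.read(chunk_size), b""))


def match_hashes(digests, md5=IOC_MD5, sha1=IOC_SHA1, sha256=IOC_SHA256):
    """List the (algorithm, value) pairs from digests that appear in the IOC sets."""
    tables = {"md5": md5, "sha1": sha1, "sha256": sha256}
    return [(algo, value) for algo, value in digests.items() if value in tables[algo]]


def scan_tree(root, **ioc_sets):
    """Walk a directory and map each matching file path to its IOC hits."""
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                matched = match_hashes(hash_file(path), **ioc_sets)
            except OSError:
                continue  # unreadable or vanished file; skip rather than abort the scan
            if matched:
                hits[path] = matched
    return hits


def normalize_url(url):
    """Drop the scheme so http:// and https:// forms of the same URL compare equal."""
    parts = urlsplit(url.strip())
    return parts.netloc.lower() + parts.path


IOC_URL_KEYS = {normalize_url(u) for u in IOC_URLS}


def url_is_ioc(url, keys=IOC_URL_KEYS):
    return normalize_url(url) in keys


if __name__ == "__main__":
    # Assumed locations; adjust to the user profiles in your environment.
    for path, matched in scan_tree(os.path.expanduser("~")).items():
        print(path, matched)
```

Matching on all three algorithms means a hit is reported even when only one digest type was recorded for a given sample. Note that the three GitHub URLs point at raw-content paths; blocking should target the full path, not github.com as a whole, and the same hash sets can be loaded into EDR or mail-gateway block lists.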
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Never trust or open links and attachments received from unknown sources/senders.
- Implement multi-factor authentication to add an extra layer of security to login processes.
- Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
- Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
- Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
- Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
- Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
- Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
- Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
- Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.