Recent reports from Securonix (USA), as detailed by Bleeping Computer, have highlighted a concerning cyber attack campaign known as CRON#TRAP. This campaign targets various organizations through deceptive emails that impersonate legitimate surveys from insurance companies.
A key component of this attack involves a substantial ZIP file, approximately 285 MB in size, which contains a Linux virtual machine pre-loaded with harmful code. When a recipient unzips this file, a PowerShell command is triggered automatically, extracting the malicious data and integrating the virtual machine into the Windows system.
This Linux virtual machine operates using QEMU, a legitimate virtualization tool that typically does not raise security alarms. During the installation, an erroneous image is displayed to mislead the victim into thinking that the survey link failed, diverting their attention while the malicious actions take place within the virtual machine.
Within this environment, the malware utilizes a tool called Chisel. This tool facilitates secure communication via HTTP and SSH protocols with the hacker’s control server, allowing remote access to the targeted system without triggering firewall defenses. Hackers can execute commands like “get-host-shell” to access the system’s command line or “get-host-user” to ascertain user permissions, enabling them to conduct various malicious operations including data theft, monitoring, and the installation of additional harmful code.
In terms of persistence, the malware is designed to reactivate the system every time the device is restarted. It generates SSH keys automatically, allowing it to bypass authentication each time a user logs back in, thereby sustaining a continuous connection to the victim’s system.
To mitigate the risks associated with CRON#TRAP, security experts advise organizations to closely monitor for unusual processes such as “qemu.exe” that may appear in user-accessible folders. They also recommend adding QEMU and other virtualization tools to a block list. For critical devices, disabling the virtualization feature in the BIOS can help prevent exploitation by malicious code.
The CRON#TRAP campaign underscores a worrying trend among cybercriminals who are leveraging legitimate virtualization tools to infiltrate and maintain control over systems without detection. Organizations must heighten their vigilance and adopt preventive measures to safeguard their networks against these sophisticated attacks, in order to avoid significant security risks and potential data loss.
