CRON#TRAP is a new phishing attack using emulated Linux environments to bypass security and establish persistent backdoors. Leveraging QEMU and Chisel, hackers gain covert access to steal data and control systems.
Securonix Threat Research has discovered a sophisticated phishing campaign, “CRON#TRAP,” that leverages a unique approach to infiltrate systems and establish persistent backdoors. This creative attack method involves deploying emulated Linux environments within compromised endpoints, specifically Tiny Core Linux.
Multi-Stage Attack Process of CRON#TRAP
The CRON#TRAP campaign employs a multi-stage attack method to compromise target systems and establish persistent backdoors. The initial infection vector is typically a phishing email carrying a malicious ZIP archive and a shortcut file (named OneAmerica Survey.zip and OneAmerica Survey.lnk).
The malicious attachment is usually disguised as a legitimate document, such as a survey or software update, to trick the user into opening it. When executed, the shortcut file downloads a large ZIP archive containing the components needed for the emulated Linux environment.
Emulated Linux Environment Deployment
The downloaded archive includes a custom Tiny Core Linux distribution and the QEMU virtualization tool. The batch file ‘start.bat’ displays a decoy server error message claiming there is a server-side problem with the survey link, while it executes QEMU with a command line that starts the emulated Linux environment, giving the attacker a concealed environment in which to operate.
explorer.exe is also used to open an HTTPS-hosted image in the user’s default browser, which further masks the activity as legitimate system behaviour and helps it avoid detection.
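The launch chain described above (a batch script starting QEMU from a user-writable folder) is a useful hunting pattern. The following detection logic is an added example, not code from the Securonix report; it runs over constructed Sysmon-style process-creation events, and the trusted QEMU install directories, the extraction folder name and the PIDs are assumptions.

```python
"""Hunt for CRON#TRAP-style QEMU staging in process-creation telemetry."""
import ntpath

# Where a legitimately installed QEMU normally lives (assumption for this example).
TRUSTED_DIRS = (r"c:\program files\qemu", r"c:\program files (x86)\qemu")
QEMU_IMAGES = ("qemu-system-x86_64.exe", "qemu-system-x86_64w.exe",
               "qemu-system-i386.exe", "qemu-system-i386w.exe")


def is_suspicious_qemu(event):
    """Return the reasons a process-creation event matches the staging pattern.

    An empty list means the event is not a QEMU launch or looks benign.
    """
    image = event["image"].lower()
    if ntpath.basename(image) not in QEMU_IMAGES:
        return []
    reasons = []
    if not image.startswith(TRUSTED_DIRS):
        reasons.append("qemu running outside a trusted install directory")
    parent = ntpath.basename(event.get("parent_image", "")).lower()
    if parent == "cmd.exe" and ".bat" in event.get("parent_cmdline", "").lower():
        reasons.append("qemu launched by a batch script")
    return reasons


def hunt(events):
    """Return (pid, reasons) for every event that raises at least one reason."""
    hits = []
    for event in events:
        reasons = is_suspicious_qemu(event)
        if reasons:
            hits.append((event["pid"], reasons))
    return hits


# Constructed sample telemetry (Sysmon Event ID 1 style fields), not real IoCs.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Program Files\qemu\qemu-system-x86_64.exe",
     "parent_image": r"C:\Windows\explorer.exe", "parent_cmdline": "explorer.exe"},
    {"pid": 5588,
     "image": r"C:\Users\alice\AppData\Local\Temp\OneAmerica Survey\qemu-system-x86_64w.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "parent_cmdline": r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\OneAmerica Survey\start.bat"'},
    {"pid": 6012, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "parent_cmdline": "explorer.exe"},
]

if __name__ == "__main__":
    for pid, reasons in hunt(SAMPLE_EVENTS):
        print(f"pid {pid}: " + "; ".join(reasons))
```

Only the second constructed event is flagged: the legitimately installed QEMU started from explorer.exe produces no reasons, which keeps the check usable in environments where QEMU is in sanctioned use.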
Installation of the Chisel Tunneling Tool
Within the emulated Linux environment, the attacker installs a pre-configured Chisel client, a tunneling tool that establishes a covert communication channel with a remote command-and-control (C&C) server. Chisel tunnels are transported over HTTP and secured with SSH.
The tool is configured with specific settings, such as the target C&C server address, port number, and encryption parameters, allowing it to automatically connect to the attacker’s infrastructure.
The Chisel client runs inside the emulated Linux environment, so the backdoor is activated whenever that environment is started. The resulting encrypted connection lets attackers relay data and commands between the compromised system and their infrastructure.
Over this connection, attackers can execute arbitrary commands, download additional malware, steal and exfiltrate sensitive data, manipulate system and registry settings, create scheduled tasks and other persistence mechanisms, install rootkits, and spread to other systems on the network.
Evasion Techniques Using Legitimate Tools
By disguising malicious activity within a legitimate virtualization tool, QEMU, attackers can bypass traditional security measures and establish a stealthy foothold. Additionally, using the Chisel tunneling tool allows attackers to maintain persistent access and execute further malicious actions.
“The attacker’s reliance on legitimate software like QEMU and Chisel adds an additional layer of evasion, as these tools are unlikely to trigger alerts in many environments,” the report read.
The CRON#TRAP campaign highlights cybercriminals’ evolving tactics, including the use of emulated environments and the abuse of legitimate software. The method gives attackers persistent access to compromised systems, underscoring the importance of vigilance against suspicious emails.