Dangerous new phishing campaign infects Windows devices with malicious Linux VM


  • A phishing attack leads to the download of a large file
  • The Linux VM comes preloaded with malware, granting crooks all kinds of advantages
  • Securonix advises caution when handling inbound emails

A creative new phishing technique has been spotted that looks to trick victims into downloading and installing a virtual Linux machine on their Windows endpoints. The virtual machine comes preloaded with a backdoor, granting the crooks unabated access to the compromised devices.

A report from cybersecurity researchers Securonix dubbed the campaign ‘CRON#TRAP’. It starts with a fake “OneAmerica” survey which distributes the VM installation file (285 MB), and a fake error popup image.

If the victims fall for the trick and trigger the installer, it runs in the background while showing the fake error message in the foreground, so the victims will think the survey was simply unavailable at the time. Meanwhile, a fully legitimate Linux VM, called TinyCore, is installed via QEMU, a legitimate, open-source virtualization tool that allows for emulating various hardware and processor architectures.

Tricking the AV

Since QEMU is legitimate, no antivirus programs flag it as malicious. Furthermore, they will not flag anything that happens in the virtual machine, since it is walled in and operates as a sandbox. “This emulated Linux environment enables the attacker to operate outside the visibility of traditional antivirus solutions,” the researchers explained.
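One way a defender can hunt for this pattern in endpoint telemetry, as an added example that is not from the Securonix report or this article: score process-creation events for QEMU being launched from a user-writable directory, started without a visible display, or pointed at a TinyCore disk image. The event format, the file paths and the use of the QEMU flags `-display none` / `-nographic` are assumptions made for illustration, not details reported about the campaign.

```python
import re

# Constructed Sysmon-style process-creation events (sample data, not from the report).
SAMPLE_EVENTS = [
    {  # admin-installed QEMU run from its normal install directory: expected benign
        "image": r"C:\Program Files\qemu\qemu-system-x86_64.exe",
        "cmdline": r'"C:\Program Files\qemu\qemu-system-x86_64.exe" -m 2048 -hda C:\VMs\devbox.qcow2',
    },
    {  # QEMU dropped into a user-writable folder and started headless: suspicious
        "image": r"C:\Users\alice\AppData\Local\Temp\survey\qemu-system-x86_64.exe",
        "cmdline": r"qemu-system-x86_64.exe -m 256 -display none -hda tinycore.qcow2",
    },
    {  # unrelated process: ignored entirely
        "image": r"C:\Windows\System32\notepad.exe",
        "cmdline": "notepad.exe",
    },
]

# qemu.exe or any qemu-system-<arch>.exe binary name
QEMU_BINARY = re.compile(r"\\qemu(-system-[\w-]+)?\.exe$", re.IGNORECASE)
# locations a standard user can write to without admin rights (assumed list)
USER_WRITABLE = re.compile(
    r"^[A-Z]:\\(Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)|ProgramData|Temp)\\",
    re.IGNORECASE,
)
HEADLESS_FLAGS = ("-display none", "-nographic")  # real QEMU options that hide the VM window
TINYCORE_HINT = re.compile(r"tinycore", re.IGNORECASE)


def score_event(event):
    """Return (score, reasons) for one event; score 0 means it is not a QEMU launch or looks normal."""
    image, cmdline = event["image"], event["cmdline"]
    if not QEMU_BINARY.search(image):
        return 0, []
    reasons = []
    if USER_WRITABLE.match(image):
        reasons.append("qemu binary executed from a user-writable directory")
    if any(flag in cmdline.lower() for flag in HEADLESS_FLAGS):
        reasons.append("VM started with no visible display")
    if TINYCORE_HINT.search(cmdline):
        reasons.append("disk image name references TinyCore")
    return len(reasons), reasons


def find_suspicious_qemu(events, threshold=2):
    """Return image paths of events that accumulate at least `threshold` independent signals."""
    return [e["image"] for e in events if score_event(e)[0] >= threshold]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        score, reasons = score_event(e)
        if score:
            print(f"{score} signal(s) for {e['image']}: {'; '.join(reasons)}")
```

Requiring two or more signals keeps a developer's normally installed QEMU from firing while still catching a copy dropped into a temp folder and run headless.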

Because the VM ships with a backdoor, crooks can use it for a number of things, including network testing and initial reconnaissance, tool installation and preparation, payload manipulation and execution, configuration persistence and privilege escalation, SSH key manipulation for remote access, file and environment management, system and user enumeration, and potential exfiltration or command and control channels.

The backdoor was said to contain a tool called Chisel, which is a network tunneling program, pre-configured to set up a secure communications channel with the C2 server.

Since the campaign starts with a simple phishing email, Securonix advises care when handling inbound emails.

Via BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
