Close Menu
Indo Guard OnlineIndo Guard Online
  • Home
  • Cyber Security
  • Risk Management
  • Travel
  • Security News
  • Tech
  • More
    • Data Privacy
    • Data Protection
    • Global Security
What's Hot

Microsoft extends Windows 10 security updates on one year with new enrollment options

June 25, 2025

The new visa rule in the US requires from applicants to set privacy in social media for the public

June 24, 2025

Hackers focus on over 70 Microsoft Exchange servers to steal credentials via Keyloggers

June 24, 2025
Facebook X (Twitter) Instagram
Facebook X (Twitter) Instagram YouTube
Indo Guard OnlineIndo Guard Online
Subscribe
  • Home
  • Cyber Security
  • Risk Management
  • Travel
  • Security News
  • Tech
  • More
    • Data Privacy
    • Data Protection
    • Global Security
Indo Guard OnlineIndo Guard Online
Home » New CRON#TRAP malware infects Windows by hiding in a Linux virtual machine to avoid antivirus
Global Security

New CRON#TRAP malware infects Windows by hiding in a Linux virtual machine to avoid antivirus

AdminBy AdminNovember 8, 2024No Comments3 Mins Read
Malware Linux VM
Share
Facebook Twitter LinkedIn Pinterest Email Copy Link


November 8, 2024Ravi LakshmananMalware / Virtualization

Linux VM malware

Cybersecurity researchers have identified a new malware campaign that infects Windows systems with a virtual instance of Linux that contains a backdoor capable of establishing remote access to compromised hosts.

An “intriguing” campaign under a code name CROWN#TRAPstarts with a malicious Windows Shortcut (LNK) file, which is likely distributed as a ZIP archive via a phishing email.

“What makes the CRON#TRAP campaign of particular concern is that the emulated Linux instance comes with a preconfigured backdoor that automatically connects to the attacker’s command and control (C2) server,” Securonix researchers Dan Yuzwick and Tim Peck said in the analysis.

Cyber ​​security

“This setup allows an attacker to maintain a stealthy presence on a victim’s machine, orchestrating further malicious activity in a hidden environment, making detection challenging for traditional antivirus solutions.”

The phishing messages purport to be a “OneAmerica survey” that comes with a large 285MB ZIP archive that, when opened, starts the infection process.

As part of the as-yet-unattributed attack campaign, the LNK file serves as a conduit to extract and run a Linux light user environment emulated through a fast emulator (QEMU), a legitimate open source virtualization tool. The virtual machine runs on Tiny Core Linux.

Linux VM malware

The shortcut then runs PowerShell commands that are responsible for re-extracting the ZIP file and executing a hidden “start.bat” script, which in turn displays a fake error message to the victim to make them think the survey link is no longer valid. exists. is working

But in the background, it creates a virtual QEMU Linux environment called PivotBox that comes with the Chisel tunneling utility pre-installed, providing remote access to the host immediately after the QEMU instance is started.

“The binary appears to be a preconfigured Chisel client designed to connect to a remote Command and Control (C2) server at 18.208.230(.)174 via websockets,” the researchers said. “The attackers’ approach effectively turns this Chisel client into a full backdoor, allowing remote control and management traffic to flow in and out of the Linux environment.”

Linux VM malware

This development is one of many constantly evolving tactics that threat actors are using to attack organizations and conceal malicious activity. The fact is that the phishing campaign that was spotted is aimed at manufacturing, engineering and industrial companies in European countries. deliver elusive GuLoader malware.

“Emails typically include requests for orders and contain an attached archive file,” Cado Security Researcher Tara Gould said. “Emails are sent from a variety of email addresses, including fake companies and hacked accounts. Emails usually hijack an existing mailing chain or request information about an order.’

Cyber ​​security

The activity, which mainly targeted countries such as Romania, Poland, Germany and Kazakhstan, begins with a batch file located in an archive file. The batch file embeds an obfuscated PowerShell script that then loads another PowerShell script from a remote server.

A secondary PowerShell script includes functionality to allocate memory and ultimately execute the GuLoader shellcode to produce the next stage’s payload.

“The Guloader malware continues to adapt its techniques to avoid detection to deliver RATs,” Gould said. “Threat actors are constantly targeting specific industries in specific countries. Its persistence underscores the need for proactive security measures.”

Did you find this article interesting? Follow us Twitter  and LinkedIn to read more exclusive content we publish.





Source link

Share. Facebook Twitter Pinterest LinkedIn Tumblr Email Copy Link
Admin
  • Website

Related Posts

Microsoft extends Windows 10 security updates on one year with new enrollment options

June 25, 2025

The new visa rule in the US requires from applicants to set privacy in social media for the public

June 24, 2025

Hackers focus on over 70 Microsoft Exchange servers to steal credentials via Keyloggers

June 24, 2025

Researchers find a way to close Cryptominer companies using bad stocks and Xmrogue

June 24, 2025

APT28 uses signal chat to expand malicious Beardhell ​​and Testament software in Ukraine

June 24, 2025

Talk CTEM we all need

June 24, 2025
Add A Comment
Leave A Reply Cancel Reply

Loading poll ...
Coming Soon
Do You Like Our Website
: {{ tsp_total }}

Subscribe to Updates

Get the latest security news from Indoguardonline.com

Latest Posts

Microsoft extends Windows 10 security updates on one year with new enrollment options

June 25, 2025

The new visa rule in the US requires from applicants to set privacy in social media for the public

June 24, 2025

Hackers focus on over 70 Microsoft Exchange servers to steal credentials via Keyloggers

June 24, 2025

Researchers find a way to close Cryptominer companies using bad stocks and Xmrogue

June 24, 2025

APT28 uses signal chat to expand malicious Beardhell ​​and Testament software in Ukraine

June 24, 2025

Talk CTEM we all need

June 24, 2025

Hackers operate incorrectly configured API Docker to hand over cryptocurrency via Tor Network

June 24, 2025

US House forbids WhatsApp on official security and protection devices

June 24, 2025
About Us
About Us

Provide a constantly updating feed of the latest security news and developments specific to Indonesia.

Facebook X (Twitter) Pinterest YouTube WhatsApp
Our Picks

Microsoft extends Windows 10 security updates on one year with new enrollment options

June 25, 2025

The new visa rule in the US requires from applicants to set privacy in social media for the public

June 24, 2025

Hackers focus on over 70 Microsoft Exchange servers to steal credentials via Keyloggers

June 24, 2025
Most Popular

In Indonesia, crippling immigration ransomware breach sparks privacy crisis

July 6, 2024

Why Indonesia’s Data Breach Crisis Calls for Better Security

July 6, 2024

Indonesia’s plan to integrate 27,000 govt apps in one platform welcomed but data security concerns linger

July 6, 2024
© 2025 indoguardonline.com
  • Home
  • About us
  • Contact us
  • Privacy Policy

Type above and press Enter to search. Press Esc to cancel.