Close Menu
Indo Guard OnlineIndo Guard Online
  • Home
  • Cyber Security
  • Risk Management
  • Travel
  • Security News
  • Tech
  • More
    • Data Privacy
    • Data Protection
    • Global Security
What's Hot

Critical vulnerability in Anthropic MCP exposes machines for remote feats

July 1, 2025

Ta829 and Unk_greensec share tactics and infrastructure in current malware

July 1, 2025

A new drawback in the IDES as a Visual Studio code allows for malicious bypassing bypassing the verified status

July 1, 2025
Facebook X (Twitter) Instagram
Facebook X (Twitter) Instagram YouTube
Indo Guard OnlineIndo Guard Online
Subscribe
  • Home
  • Cyber Security
  • Risk Management
  • Travel
  • Security News
  • Tech
  • More
    • Data Privacy
    • Data Protection
    • Global Security
Indo Guard OnlineIndo Guard Online
Home » New CRON#TRAP malware infects Windows by hiding in a Linux virtual machine to avoid antivirus
Global Security

New CRON#TRAP malware infects Windows by hiding in a Linux virtual machine to avoid antivirus

AdminBy AdminNovember 8, 2024No Comments3 Mins Read
Malware Linux VM
Share
Facebook Twitter LinkedIn Pinterest Email Copy Link


November 8, 2024Ravi LakshmananMalware / Virtualization

Linux VM malware

Cybersecurity researchers have identified a new malware campaign that infects Windows systems with a virtual instance of Linux that contains a backdoor capable of establishing remote access to compromised hosts.

An “intriguing” campaign under a code name CROWN#TRAPstarts with a malicious Windows Shortcut (LNK) file, which is likely distributed as a ZIP archive via a phishing email.

“What makes the CRON#TRAP campaign of particular concern is that the emulated Linux instance comes with a preconfigured backdoor that automatically connects to the attacker’s command and control (C2) server,” Securonix researchers Dan Yuzwick and Tim Peck said in the analysis.

Cyber ​​security

“This setup allows an attacker to maintain a stealthy presence on a victim’s machine, orchestrating further malicious activity in a hidden environment, making detection challenging for traditional antivirus solutions.”

The phishing messages purport to be a “OneAmerica survey” that comes with a large 285MB ZIP archive that, when opened, starts the infection process.

As part of the as-yet-unattributed attack campaign, the LNK file serves as a conduit to extract and run a Linux light user environment emulated through a fast emulator (QEMU), a legitimate open source virtualization tool. The virtual machine runs on Tiny Core Linux.

Linux VM malware

The shortcut then runs PowerShell commands that are responsible for re-extracting the ZIP file and executing a hidden “start.bat” script, which in turn displays a fake error message to the victim to make them think the survey link is no longer valid. exists. is working

But in the background, it creates a virtual QEMU Linux environment called PivotBox that comes with the Chisel tunneling utility pre-installed, providing remote access to the host immediately after the QEMU instance is started.

“The binary appears to be a preconfigured Chisel client designed to connect to a remote Command and Control (C2) server at 18.208.230(.)174 via websockets,” the researchers said. “The attackers’ approach effectively turns this Chisel client into a full backdoor, allowing remote control and management traffic to flow in and out of the Linux environment.”

Linux VM malware

This development is one of many constantly evolving tactics that threat actors are using to attack organizations and conceal malicious activity. The fact is that the phishing campaign that was spotted is aimed at manufacturing, engineering and industrial companies in European countries. deliver elusive GuLoader malware.

“Emails typically include requests for orders and contain an attached archive file,” Cado Security Researcher Tara Gould said. “Emails are sent from a variety of email addresses, including fake companies and hacked accounts. Emails usually hijack an existing mailing chain or request information about an order.’

Cyber ​​security

The activity, which mainly targeted countries such as Romania, Poland, Germany and Kazakhstan, begins with a batch file located in an archive file. The batch file embeds an obfuscated PowerShell script that then loads another PowerShell script from a remote server.

A secondary PowerShell script includes functionality to allocate memory and ultimately execute the GuLoader shellcode to produce the next stage’s payload.

“The Guloader malware continues to adapt its techniques to avoid detection to deliver RATs,” Gould said. “Threat actors are constantly targeting specific industries in specific countries. Its persistence underscores the need for proactive security measures.”

Did you find this article interesting? Follow us Twitter  and LinkedIn to read more exclusive content we publish.





Source link

Share. Facebook Twitter Pinterest LinkedIn Tumblr Email Copy Link
Admin
  • Website

Related Posts

Critical vulnerability in Anthropic MCP exposes machines for remote feats

July 1, 2025

Ta829 and Unk_greensec share tactics and infrastructure in current malware

July 1, 2025

A new drawback in the IDES as a Visual Studio code allows for malicious bypassing bypassing the verified status

July 1, 2025

New Mattery Model for Browser Safety: Closing Risk in Last Mile

July 1, 2025

Google Patches Critical Lack of Zero Day in the V8 Chrome engine after active operation

July 1, 2025

US arrests in North Korean IT -Work scheme; Captures 29 domains and raids 21 laptops

July 1, 2025
Add A Comment
Leave A Reply Cancel Reply

Loading poll ...
Coming Soon
Do You Like Our Website
: {{ tsp_total }}

Subscribe to Updates

Get the latest security news from Indoguardonline.com

Latest Posts

Critical vulnerability in Anthropic MCP exposes machines for remote feats

July 1, 2025

Ta829 and Unk_greensec share tactics and infrastructure in current malware

July 1, 2025

A new drawback in the IDES as a Visual Studio code allows for malicious bypassing bypassing the verified status

July 1, 2025

New Mattery Model for Browser Safety: Closing Risk in Last Mile

July 1, 2025

Google Patches Critical Lack of Zero Day in the V8 Chrome engine after active operation

July 1, 2025

US arrests in North Korean IT -Work scheme; Captures 29 domains and raids 21 laptops

July 1, 2025

Microsoft Removes Password Management from Authenticator app since August 2025

July 1, 2025

American agencies warn of Iranian protection cyber growth, OT networks and critical infrastructure

June 30, 2025
About Us
About Us

Provide a constantly updating feed of the latest security news and developments specific to Indonesia.

Facebook X (Twitter) Pinterest YouTube WhatsApp
Our Picks

Critical vulnerability in Anthropic MCP exposes machines for remote feats

July 1, 2025

Ta829 and Unk_greensec share tactics and infrastructure in current malware

July 1, 2025

A new drawback in the IDES as a Visual Studio code allows for malicious bypassing bypassing the verified status

July 1, 2025
Most Popular

In Indonesia, crippling immigration ransomware breach sparks privacy crisis

July 6, 2024

Why Indonesia’s Data Breach Crisis Calls for Better Security

July 6, 2024

Indonesia’s plan to integrate 27,000 govt apps in one platform welcomed but data security concerns linger

July 6, 2024
© 2025 indoguardonline.com
  • Home
  • About us
  • Contact us
  • Privacy Policy

Type above and press Enter to search. Press Esc to cancel.