Cybersecurity researchers have identified a new malware campaign that infects Windows systems with a virtual instance of Linux that contains a backdoor capable of establishing remote access to compromised hosts.
An “intriguing” campaign under a code name CROWN#TRAPstarts with a malicious Windows Shortcut (LNK) file, which is likely distributed as a ZIP archive via a phishing email.
“What makes the CRON#TRAP campaign of particular concern is that the emulated Linux instance comes with a preconfigured backdoor that automatically connects to the attacker’s command and control (C2) server,” Securonix researchers Dan Yuzwick and Tim Peck said in the analysis.
“This setup allows an attacker to maintain a stealthy presence on a victim’s machine, orchestrating further malicious activity in a hidden environment, making detection challenging for traditional antivirus solutions.”
The phishing messages purport to be a “OneAmerica survey” that comes with a large 285MB ZIP archive that, when opened, starts the infection process.
As part of the as-yet-unattributed attack campaign, the LNK file serves as a conduit to extract and run a Linux light user environment emulated through a fast emulator (QEMU), a legitimate open source virtualization tool. The virtual machine runs on Tiny Core Linux.
The shortcut then runs PowerShell commands that are responsible for re-extracting the ZIP file and executing a hidden “start.bat” script, which in turn displays a fake error message to the victim to make them think the survey link is no longer valid. exists. is working
But in the background, it creates a virtual QEMU Linux environment called PivotBox that comes with the Chisel tunneling utility pre-installed, providing remote access to the host immediately after the QEMU instance is started.
“The binary appears to be a preconfigured Chisel client designed to connect to a remote Command and Control (C2) server at 18.208.230(.)174 via websockets,” the researchers said. “The attackers’ approach effectively turns this Chisel client into a full backdoor, allowing remote control and management traffic to flow in and out of the Linux environment.”
This development is one of many constantly evolving tactics that threat actors are using to attack organizations and conceal malicious activity. The fact is that the phishing campaign that was spotted is aimed at manufacturing, engineering and industrial companies in European countries. deliver elusive GuLoader malware.
“Emails typically include requests for orders and contain an attached archive file,” Cado Security Researcher Tara Gould said. “Emails are sent from a variety of email addresses, including fake companies and hacked accounts. Emails usually hijack an existing mailing chain or request information about an order.’
The activity, which mainly targeted countries such as Romania, Poland, Germany and Kazakhstan, begins with a batch file located in an archive file. The batch file embeds an obfuscated PowerShell script that then loads another PowerShell script from a remote server.
A secondary PowerShell script includes functionality to allocate memory and ultimately execute the GuLoader shellcode to produce the next stage’s payload.
“The Guloader malware continues to adapt its techniques to avoid detection to deliver RATs,” Gould said. “Threat actors are constantly targeting specific industries in specific countries. Its persistence underscores the need for proactive security measures.”
