QEMU Hijacked: New Attack Uses Virtualization Tool to Deploy Backdoors
Securonix specialists have uncovered an unusual cyberattack named CRON#TRAP. The hackers employ a malicious shortcut which, when executed, initiates a concealed customized version of Linux through the QEMU program. This mechanism enables attackers to stealthily maintain a presence on the victim’s computer and exercise control over it, bypassing security software.
QEMU is a legitimate virtualization tool, so its presence typically raises no suspicions. In this attack, the perpetrators configured QEMU to run a minimal Linux distribution—Tiny Core Linux with an embedded backdoor. This setup automatically connects to a C2 server, granting hackers persistent access to control the system.
Researchers believe the infection originated from a phishing email. The email contained a file named “OneAmerica Survey.zip,” a 285 MB archive with a shortcut and a directory including QEMU. When the user extracts the archive, only the shortcut is visible, and upon activation, it triggers a series of actions: first displaying an error message, then launching QEMU disguised as a file named “fontdiag.exe.” In this hidden Linux environment, hackers can interact with the host system using specific commands, such as retrieving user data.
Moreover, in the virtual system PivotBox, attackers installed tools that facilitate network monitoring, file uploads, and system modifications. One key tool, “crondx,” is a modified version of the Chisel program. This tool allows data to be covertly transferred across firewalls, creating a persistent encrypted connection to the hackers’ server.
This method of intrusion demands advanced skills and the use of legitimate tools, making detection challenging. Securonix advises against downloading files from unknown sources, particularly email-sent archives. Additionally, users should inspect system directories for suspicious files and enable logging to monitor PowerShell activities, aiding in timely detection of intrusion attempts.
