Windows infections keep coming, and this time the threat is tucked into a phishing email that could land in anyone's inbox. The message carries an attachment that triggers the infection and leaves the recipient with a serious problem.
Security researchers continue to warn of new threats, and the latest is called CRON#TRAP. According to the report, the malware hidden in the phishing email is a Linux virtual machine that gives attackers free rein to operate on the infected computer.
Virtual machines again
Lately, attackers have found that installing a virtual machine is a very convenient way to carry out an intrusion. A VM gives them a full toolkit of their own choosing and, once it is running, all sorts of options for abusing the host. One obstacle with this approach, however, is that the attacker first has to get the virtual machine onto a computer inside the target network, which is not as easy as it sounds.
The problem is that this new method sidesteps that obstacle and speeds up the attack. Sending a phishing email and hoping one recipient opens it is clearly easier than breaking into a network that, in the case of a company, is probably well defended.
Virus hidden behind a survey
The technique, documented by Securonix, starts with an email sent to potential victims disguised as a survey from OneAmerica. What recipients do not know is that the attachment hides the installer for the virtual machine in question.
Recipients are asked, with plenty of corporate verbiage, to open the file, which appears as OneAmerica Survey.lnk inside a ZIP archive. The archive is built to look harmless and gives no hint that a Linux virtual machine is packed inside. To keep victims from suspecting anything, an error message appears on screen claiming that there is a problem with the survey while the VM is being installed in the background. Meanwhile, a TinyCore Linux VM is set up and started with QEMU, a legitimate virtualisation application that Windows does not flag as malicious because it has many legitimate uses. The attackers simply abuse it, and Microsoft's operating system never realises that anything is wrong.
From there, the attackers use the backdoor they have installed inside the VM to carry out all kinds of actions. The tunnelling tool Chisel gives them remote access into the victim's network and lets them set up persistence: the VM is configured so that, every time the user restarts the computer or the network connection drops, the malware keeps running and the tunnel comes back up without the attacker having to authenticate again.
With that access the attackers can monitor the victim's activity, control processes, or exfiltrate data and files; in short, they control far more than affected users would imagine. This threat appears to be aimed mainly at corporate networks, which is little comfort to those hit by it, and it is worrying to see how these infections keep evolving. Experts recommend blocking QEMU on computers that have no business running it, since the tool has already been abused several times for similar purposes.
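As an added illustration (not code from the article, from Securonix, or from the campaign itself), here is a small Python detector that applies the checks a defender would want from the description above to Windows process-creation telemetry, such as Sysmon Event ID 1 exported as JSON lines: a qemu-system binary running outside its normal install directory, launched by a script host rather than by a user, and started headless with user-mode NAT so the VM's traffic leaves the host unnoticed. The field names (Image, ParentImage, CommandLine), the trusted directories, the script-host list and the sample events are assumptions constructed for the example; the QEMU switches it looks for are real QEMU options, but the page does not state which ones CRON#TRAP used.

```python
from __future__ import annotations
import json
import ntpath

# Where an administrator-installed QEMU would normally live. A copy dropped
# into a user profile or Temp directory is the pattern worth alerting on
# (assumption for this example, adjust to the estate's software inventory).
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")

# Script hosts that a phishing .lnk typically hands off to before QEMU runs
# (assumed list; extend as needed).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


def is_qemu(image: str) -> bool:
    """True for qemu-system-<arch>.exe, whatever the path or letter case."""
    name = ntpath.basename(image).lower()
    return name.startswith("qemu-system-") and name.endswith(".exe")


def score_event(evt: dict) -> list[str]:
    """Return the reasons a process-creation event looks like an attacker-staged QEMU VM."""
    reasons = []
    image = evt.get("Image", "")
    if not is_qemu(image):
        return reasons
    if not image.lower().startswith(TRUSTED_DIRS):
        reasons.append("qemu binary outside Program Files")
    parent = ntpath.basename(evt.get("ParentImage", "")).lower()
    if parent in SCRIPT_HOSTS:
        reasons.append(f"launched by script host {parent}")
    cmd = evt.get("CommandLine", "").lower()
    if "-display none" in cmd or "-nographic" in cmd:
        reasons.append("headless VM, the user never sees a console window")
    if "-netdev user" in cmd or "hostfwd=" in cmd:
        reasons.append("user-mode NAT, VM traffic leaves the host as ordinary traffic")
    return reasons


def scan(json_lines: list[str]) -> list[tuple[str, list[str]]]:
    """Parse one JSON event per line and return (Image, reasons) for suspicious ones."""
    hits = []
    for line in json_lines:
        evt = json.loads(line)
        reasons = score_event(evt)
        if reasons:
            hits.append((evt["Image"], reasons))
    return hits


# Constructed sample telemetry (not real CRON#TRAP logs): a benign QEMU started
# by a developer, an attacker-staged headless QEMU in a user profile, and noise.
SAMPLE_EVENTS = [
    json.dumps({"Image": "C:\\Program Files\\qemu\\qemu-system-x86_64.exe",
                "ParentImage": "C:\\Windows\\explorer.exe",
                "CommandLine": "qemu-system-x86_64.exe -m 2048 -hda dev.qcow2"}),
    json.dumps({"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\survey\\qemu-system-x86_64.exe",
                "ParentImage": "C:\\Windows\\System32\\cmd.exe",
                "CommandLine": "qemu-system-x86_64.exe -m 512 -display none -netdev user,id=n0 -hda tc.qcow2"}),
    json.dumps({"Image": "C:\\Windows\\System32\\notepad.exe",
                "ParentImage": "C:\\Windows\\explorer.exe",
                "CommandLine": "notepad.exe survey.txt"}),
]

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS):
        print(image)
        for reason in reasons:
            print("  -", reason)
```

Run against the constructed events, only the second one is reported, with all four reasons. In practice the path check alone is enough to catch a hypervisor that has no business being there, and an allow-list of approved machines (developer workstations, labs) keeps the rule quiet elsewhere; the remaining checks raise the severity rather than the hit count.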