Securonix Threat Research has discovered a sophisticated phishing campaign, “CRON#TRAP,” that leverages a unique approach to infiltrate systems and establish persistent backdoors. This creative attack method involves deploying emulated Linux environments within compromised endpoints, specifically Tiny Core Linux.
Multi-Stage Attack Process of CRON#TRAP - The CRON#TRAP campaign employs a multi-stage attack method to compromise target systems and establish persistent backdoors. The initial infection vector typically involves a phishing email containing a malicious ZIP and a shortcut file (OneAmerica Survey.zip and OneAmerica Survey.lnk).
The malicious attachment is often disguised as a legitimate document, such as a survey or software update, to trick users into executing it. When executed, this shortcut file downloads the extensive ZIP archive containing the components for the emulated Linux environment.
Emulated Linux Environment Deployment - The downloaded archive includes a custom distribution, Tiny Core Linux, and the QEMU virtualization tool. The batch file ‘start.bat’ displays a server error message, indicating a server-side survey link issue. The script executes the QEMU process and command line to start an emulated Linux environment, creating a concealed environment for the attacker’s activities. The explorer.exe process executes an HTTPS-hosted image, which the user’s default browser displays. This further allows the attacker to mask the activity as legitimate system behavior, avoiding detection.
Screenshot: Securonix
Installation of the Chisel Tunneling Tool - The attacker installs a pre-configured Chisel client within the emulated Linux environment. This tunneling tool establishes a covert communication channel with a remote command-and-control (C&C) server. Attackers establish secure tunnels over HTTP and SSH protocols through the Chisel tunneling tool. The tool is configured with specific settings, such as the target C&C server address, port number, and encryption parameters, allowing it to connect to the attacker’s infrastructure automatically.
The Chisel client is executed within the emulated Linux environment, activating the backdoor whenever the system boots or is started. This secure, encrypted connection enables attackers to transmit data and commands between the compromised system and the attacker’s infrastructure.
This secure connection allows attackers to execute arbitrary commands, download malware, steal sensitive data, manipulate system settings, exfiltrate sensitive data, deploy persistence mechanisms, modify registry settings, create scheduled tasks, install rootkits, and spread to other network systems.
Evasion Techniques Using Legitimate Tools - By disguising malicious activity within a legitimate virtualization tool, QEMU, attackers can bypass traditional security measures and establish a stealthy foothold. Using the Chisel tunneling tool also allows attackers to maintain persistent access and execute further malicious actions. “The attacker’s reliance on legitimate software like QEMU and Chisel adds a layer of evasion, as these tools are unlikely to trigger alerts in many environments,” the report read.
The CRON#TRAP campaign highlights cybercriminals’ evolving tactics, including emulating environments and legitimate software abuse. This method allows attackers to gain persistent access to compromised systems, underscoring the importance of attention against suspicious emails.
This article is shared at no charge and is for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com
• Reporting: https://www.redskyalliance.org/
• Website: https://www.redskyalliance.com/
• LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5378972949933166424
Comments