Beware of Phishing Emails Delivering Backdoored Linux VMs
Summary:
Researchers at Securonix recently uncovered a sophisticated phishing campaign where attackers trick Windows users into launching a custom Linux virtual machine (VM) with a pre-configured backdoor. This campaign appears to start with a phishing email, though researchers were unable to pinpoint the exact target group. The email includes a link to a sizable ZIP file, “OneAmerica Survey[.]zip,” likely designed to mimic a survey from OneAmerica Financial, a U.S.-based financial services company. Once downloaded, the 285 MB ZIP file contains a shortcut file labeled "OneAmerica Survey" and a "data" folder containing QEMU, a popular open-source virtualization tool.
When users click on the shortcut, a chain of actions unfolds in the background. The ZIP file unpacks its contents into the user’s profile, creating a new directory named “datax.” A batch file then executes, showing a misleading “Internal Server Error” image to the user while stealthily launching a renamed QEMU process. This process initiates an emulated Tiny Core Linux environment within the Windows system. The Linux VM acts as a backdoor, allowing the attackers to establish an interactive shell on the victim’s machine via SSH. With this access, attackers can retrieve additional malicious payloads, install tools, rename files, modify system configurations, conduct reconnaissance through system and user enumeration, and exfiltrate sensitive data.
Security Officer Comments:
One of the key elements of this attack is the Chisel client, which the attackers pre-configured to automatically connect to a command-and-control server via web sockets. This setup opens a covert, persistent backdoor, providing the attackers continuous access to the compromised systems. Chisel is particularly effective for creating hidden communication channels and bypassing network firewalls, often evading network monitoring tools. In a unique twist, this campaign capitalizes on legitimate tools like QEMU and Chisel, which are unlikely to raise red flags in most security environments, as they are commonly used in legitimate settings. Traditional antivirus solutions often skip scanning large files by default and struggle to monitor activities within the Linux VM, creating an effective blind spot.
Suggested Corrections:
- As this campaign likely started using phishing emails, avoid downloading files or attachments from external sources, especially if the source was unsolicited. Common file types include zip, rar, iso, and pdf.
- Additionally, external links to download these kinds of files should be considered equally dangerous. Zip files, sometimes password-protected, were used during this campaign.
- Monitor common malware staging directories, especially script-related activity in world-writable directories. In this campaign, the threat actors staged their QEMU instance from the user’s home directory at %HOME%\datax.
- Monitor for the use of legitimate software being executed from unusual locations.
- It’s strongly recommended to deploy robust endpoint logging capabilities to aid in PowerShell detections. This includes process-level logging such as Sysmon alongside PowerShell logging, which together give additional log detection coverage.
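The three monitoring recommendations above (staging directory in the user profile, legitimate software run from unusual locations, and process-level logging such as Sysmon) can be turned into a small detection pass over process-creation records. The following is an added example, not code from Securonix or Help Net Security. It assumes Sysmon Event ID 1 style records with the fields Image, OriginalFileName and ParentImage (OriginalFileName is the build-time name Sysmon reads from the PE version resource, which is what exposes a renamed binary); the event values, the user name "alice" and the file name "pivot.exe" are constructed, and the rule set generalizes beyond the report by treating any QEMU binary run from any user profile path as suspicious, not only the reported "datax" folder.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample records resembling a Sysmon Event ID 1 export (simplified).
# Field names are Sysmon's; every value below is invented for this example.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # renamed QEMU launched by a batch file from a staging folder in the user profile
        "Image": r"C:\Users\alice\datax\pivot.exe",
        "OriginalFileName": "qemu-system-x86_64.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # legitimate QEMU from its install directory, started from Explorer
        "Image": r"C:\Program Files\qemu\qemu-system-x86_64.exe",
        "OriginalFileName": "qemu-system-x86_64.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # unrelated per-user application: in the profile, but not a virtualization binary
        "Image": r"C:\Users\alice\AppData\Local\Programs\editor\editor.exe",
        "OriginalFileName": "editor.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]

# Build-time names of QEMU executables on Windows (real file names shipped by QEMU).
QEMU_ORIGINAL_NAMES = {"qemu-system-x86_64.exe", "qemu-system-i386.exe", "qemu-img.exe"}
# Script hosts that a batch- or script-based launcher shows up as in ParentImage.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
# Staging directory name reported for this campaign (the only page-specific value used).
KNOWN_STAGING_DIRS = {"datax"}
USER_PROFILE_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\", re.IGNORECASE)


def basename(path: str) -> str:
    """Last path component, lower-cased, of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_user_profile_path(image: str) -> bool:
    """True when the executable lives somewhere under C:\\Users\\<name>\\."""
    return bool(USER_PROFILE_RE.match(image))


def is_renamed(image: str, original_file_name: str) -> bool:
    """True when the on-disk name differs from the name in the PE version resource."""
    return bool(original_file_name) and basename(image) != original_file_name.lower()


def assess(event: Dict[str, str]) -> List[str]:
    """Return the list of reasons an event looks like VM-based staging (empty if clean)."""
    image = event.get("Image", "")
    original = event.get("OriginalFileName", "")
    parent = event.get("ParentImage", "")
    reasons: List[str] = []
    if original.lower() not in QEMU_ORIGINAL_NAMES:
        return reasons  # only virtualization binaries are in scope for this rule set
    if is_renamed(image, original):
        reasons.append(f"renamed QEMU binary (OriginalFileName {original}, on disk {basename(image)})")
    if is_user_profile_path(image):
        reasons.append("virtualization binary executed from a user profile directory")
    components = {c.lower() for c in image.split("\\")[:-1]}
    if components & KNOWN_STAGING_DIRS:
        reasons.append("path contains a staging directory name seen in the reported campaign")
    if reasons and basename(parent) in SCRIPT_HOSTS:
        reasons.append(f"launched by script host {basename(parent)}")
    return reasons


def find_suspicious(events: Iterable[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run assess() over a batch of records and keep only those with findings."""
    hits = []
    for ev in events:
        reasons = assess(ev)
        if reasons:
            hits.append({"Image": ev.get("Image", ""), "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(hit["Image"])
        for reason in hit["reasons"]:
            print("  -", reason)
```

The OriginalFileName check is the one that survives a simple rename: an attacker can call the QEMU executable anything, but the version resource inside the file still says what it was built as, and Sysmon records that field on every process creation. Combined with "runs from a user profile path" and "parent is a script host", a single record is enough to raise an alert without needing to inspect the guest VM at all.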
https://www.helpnetsecurity.com/2024/11/05/phishing-oneamerica-survey-linux-vm-backdoor/
https://www.securonix.com/blog/cron..ents-as-the-latest-tactic-in-malware-staging/