2024-11-04 Securonix: CRON#TRAP: Emulated Linux Environments as the Latest Tactic in Malware Staging

Attackers distribute a custom QEMU-emulated Linux environment via a malicious .lnk file within a phishing email. When executed, this file installs and initiates a QEMU instance to run a Tiny Core Linux backdoor, enabling covert persistence on the victim's machine.

The .lnk file activates PowerShell to extract and run QEMU, renamed as fontdiag.exe, from a large, concealed zip archive.

This QEMU instance connects to a C2 server, maintaining a hidden presence through an emulated environment undetectable by most antivirus tools.

The emulated environment includes "PivotBox" settings with command aliases for direct interaction with the host, and command logs reveal steps like SSH setup, payload execution, and persistence configurations.

Attackers use legitimate software (QEMU) renamed and executed from uncommon directories, alongside SSH keys and script modifications, ensuring reliable access and minimal detection.

crondx, a Chisel-based backdoor, establishes a secure C2 channel via websockets, enabling encrypted data exfiltration and further payload deployment.