Unknown attackers are trying to trick Windows users into spinning up a custom Linux virtual machine (VM) with a pre-configured backdoor, Securonix researchers have discovered.
The campaign
The attack began with a phishing email, they believe, but they weren’t able to pinpoint the intendend victims.
The email included a link pointing to an unusually big ZIP file (285 MB), and its name – OneAmerica Survey.zip – points to the likely lure: a survey by OneAmerica Financial, a US company offering financial services.
“When the user extracts the archive, they’re presented with a single file (shortcut) ‘OneAmerica Survey’ and a ‘data’ directory containing the entire QEMU installation directory,” the researchers explained.
If the user clicks on the shortcut file, a process is started wherein:
- The ZIP file is “unzipped” and its contents put into the user’s profile directory into a directory called “datax”
- A batch processing (BAT) file is executed and it shows a decoy image saying there was an “Internal Server Error” while, in the background, a (renamed) QEMU process and command line is executed to start the emulated Tiny Core Linux environment
The customized Linux VM is meant to be used to create an interactive shell (essentially, a backdoor) on the host machine by initiating an SSH connection, through which the attackers can:
- Download additional malicious payloads
- Install additional tools on the machine
- Rename files
- Modify the system configuration
- Do basic reconnaissance via system and user enumeration
- Exfiltrate data
“Like a game of chess, the attackers prepped their environment with a strategy in mind. They systematically installed, tested, and executed multiple payloads and configurations, each preparing for the next phase,” the researchers noted.
“The use of bootlocal.sh and SSH keys indicates they’re aiming for a reliable presence on the machine. There were several times where they downloaded crondx files – pre-configured Chisel clients – from various URLs. The reasons for this were unknown, however we speculate that they could have been modifying the payload until it functions as expected.”
The decoy image (Source: Securonix)
The Chisel client comes pre-configured so that it automatically connects to a specified command and control (C2) server via websockets, thus opening a persistent backdoor through which the attackers can access the compromised environments.
Evading detection
Traditional antivirus solutions generally can’t (or don’t by default) scan very large files, and they also can’t view what’s happening in the emulated Linux environment.
“Chisel’s design makes it particularly effective for creating covert communication channels and tunneling through firewalls, often under the radar of network monitoring tools,” the researchers added.
“The attacker’s reliance on legitimate software like QEMU and Chisel adds an additional layer of evasion, as these tools are unlikely to trigger alerts in many environments.”
Securonix has shared indicators of compromise associated with this campaign and advises organizations to monitor common malware staging directories, monitor for instances of legitimate software being executed from unusual locations, use robust endpoint logging to aid in PowerShell detections.