New CRON#TRAP Malware Infects Windows by Hiding in Linux VM to Evade Antivirus

New CRON#TRAP Malware Infects Windows by Hiding in Linux VM to Evade Antivirus

Cybersecurity researchers have flagged a new malware campaign that infects Windows systems with a Linux virtual instance containing a backdoor capable of establishing remote access to the compromised hosts.

The "intriguing" campaign, codenamed CRON#TRAP, starts with a malicious Windows shortcut (LNK) file likely distributed in the form of a ZIP archive via a phishing email.

"What makes the CRON#TRAP campaign particularly concerning is that the emulated Linux instance comes pre-configured with a backdoor that automatically connects to an attacker-controlled command-and-control (C2) server," Securonix researchers Den Iuzvyk and Tim Peck said in an analysis.

"This setup allows the attacker to maintain a stealthy presence on the victim's machine, staging further malicious activity within a concealed environment, making detection challenging for traditional antivirus solutions."

The phishing messages purport to be an "OneAmerica survey" that comes with a large 285MB ZIP archive that, when opened, triggers the infection process.

As part of the as-yet-unattributed attack campaign, the LNK file serves as a conduit to extract and initiate a lightweight, custom Linux environment emulated through Quick Emulator (QEMU), a legitimate, open-source virtualization tool. The virtual machine runs on Tiny Core Linux.

The shortcut subsequently launches PowerShell commands responsible for re-extracting the ZIP file and executing a hidden "start.bat" script, which, in turn, displays a fake error message to the victim to give them the impression that the survey link is no longer working.

But in the background, it sets up the QEMU virtual Linux environment referred to as PivotBox, which comes preloaded with the Chisel tunneling utility, granting remote access to the host immediately following the startup of the QEMU instance.

"The binary appears to be a pre-configured Chisel client designed to connect to a remote Command and Control (C2) server at 18.208.230[.]174 via websockets," the researchers said. "The attackers' approach effectively transforms this Chisel client into a full backdoor, enabling remote command and control traffic to flow in and out of the Linux environment."

The development is one of the many constantly evolving tactics that threat actors are using to target organizations and conceal malicious activity — case in point is a spear-phishing campaign that has been observed targeting electronic manufacturing, engineering, and industrial companies in European countries to deliver the evasive GuLoader malware.

"The emails typically include order inquiries and contain an archive file attachment," Cado Security researcher Tara Gould said. "The emails are sent from various email addresses including from fake companies and compromised accounts. The emails typically hijack an existing email thread or request information about an order."

The activity, which has mainly targeted countries like Romania, Poland, Germany, and Kazakhstan, starts with a batch file present within the archive file. The batch file embeds an obfuscated PowerShell script that subsequently downloads another PowerShell script from a remote server.

The secondary PowerShell script includes functionality to allocate memory and ultimately execute the GuLoader shellcode to ultimately fetch the next-stage payload.

"Guloader malware continues to adapt its techniques to evade detection to deliver RATs," Gould said. "Threat actors are continually targeting specific industries in certain countries. Its resilience highlights the need for proactive security measures."

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.