A new Linux virtual machine (VM) phishing attack, CRON#TRAP, has been targeting Windows users. First spotted by Securonix, the attack is disguised as a OneAmerica survey delivered by email as a 285MB ZIP file. Once the archive is extracted and its contents run, it installs a backdoor that gives attackers access not only to the infected device but also to the network it is connected to.
The Linux VM phishing campaign is especially dangerous because it is hard to detect. The attack uses QEMU, a legitimate, digitally signed virtualization tool that can run Linux on Windows. Security software on the host cannot see what happens inside the virtual environment; the only thing it inspects is QEMU itself, which is a known, signed binary.
The virtual machine’s backdoor also comes pre-configured, so it is active as soon as the VM is installed. Even if the user restarts the device, the VM relaunches and re-establishes its connection. Just one user falling for this attack can put an entire organization’s network at risk without anyone noticing.
How the Linux VM Phishing Attack Works
Understanding how the CRON#TRAP Linux VM phishing attack unfolds can help companies develop strategies to protect against it. The attack relies on phishing tactics and gaps in email security to infect Windows computers.
How It Starts: The Phishing Email
The attack begins with a convincing phishing email posing as a message from “OneAmerica.” The email offers a survey link and includes a large ZIP file attachment. Inside the ZIP file is a Windows shortcut disguised as a survey link, which, when clicked, activates the attack.
Installation and Fake Error Message
When the shortcut is launched, it silently installs a Linux virtual machine (VM) on the victim’s device using a legitimate tool called QEMU. To cover the installation, the attack displays a fake server error message, tricking the user into believing the survey didn’t load. This decoy keeps attention away from the hidden setup.
Gaining Backdoor Access
Once installed, the custom TinyCore Linux VM, ‘PivotBox,’ is equipped with a backdoor tool called Chisel, which tunnels traffic over an encrypted connection to a remote command-and-control server. This gives the attackers a private channel to the infected computer that bypasses typical network defenses such as firewalls, because the tunneled data looks like ordinary secure traffic.
An Ongoing Threat
For continuous access, the Linux VM is configured to launch automatically whenever the host device restarts. The attackers upload their own SSH keys to the system, so they can reconnect without reauthenticating. Through this hidden backdoor they can issue commands, monitor activity, and gather data, giving them complete control over the infected device and potentially the broader network.
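The two host-side traits described above, a hypervisor started from a user-writable location and an autorun entry that brings it back after a reboot, are what a detection rule on the Windows host can key on, since the host cannot see inside the guest. The following is an added example written for this article, not code from Securonix or from the campaign analysis: it runs two simple rules over constructed Sysmon-style process-creation and registry events. The event contents, paths, user names and SID are made up, and the heuristics (QEMU is only expected under Program Files; a headless launch with `-display none` or `-nographic` from a profile or temp directory is suspicious; a Run-key value pointing into a user profile is suspicious) are this example’s assumptions, not indicators published for CRON#TRAP.

```python
import json
import ntpath

# Constructed Sysmon-style events for this example (not real telemetry). The
# field names mirror Sysmon Event ID 1 (process create) and Event ID 13
# (registry value set); the paths, SID and user names are made up.
SAMPLE_EVENTS = [
    json.dumps({"EventID": 1,
                "Image": r"C:\Program Files\qemu\qemu-system-x86_64.exe",
                "CommandLine": "qemu-system-x86_64.exe -m 4096 -hda dev.qcow2",
                "ParentImage": r"C:\Windows\explorer.exe", "User": r"LAB\developer"}),
    json.dumps({"EventID": 1,
                "Image": r"C:\Users\victim\AppData\Local\Temp\survey\qemu-system-x86_64.exe",
                "CommandLine": "qemu-system-x86_64.exe -m 256 -display none -hda data.img",
                "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"LAB\victim"}),
    json.dumps({"EventID": 13,
                "TargetObject": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\survey",
                "Details": r"C:\Users\victim\AppData\Local\Temp\survey\start.bat", "User": r"LAB\victim"}),
]

# Assumptions behind the heuristics: a hypervisor binary belongs under Program
# Files; anything under a user profile or temp directory is suspect, and a
# headless launch has no good reason to come from such a path.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\")
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")
HEADLESS_FLAGS = ("-display none", "-nographic")


def is_qemu(image: str) -> bool:
    """True when the executable name looks like a QEMU binary."""
    return ntpath.basename(image).lower().startswith("qemu")


def in_user_writable_path(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE_MARKERS)


def check_process(ev: dict):
    """Rule 1: QEMU started from outside the trusted install locations."""
    image = ev.get("Image", "")
    if not is_qemu(image) or image.lower().startswith(TRUSTED_PREFIXES):
        return None
    cmd = ev.get("CommandLine", "").lower()
    headless = any(flag in cmd for flag in HEADLESS_FLAGS)
    return {"rule": "qemu_untrusted_path",
            "severity": "high" if headless else "medium",
            "detail": f"{image} (headless={headless}) started by "
                      f"{ev.get('ParentImage')} as {ev.get('User')}"}


def check_registry(ev: dict):
    """Rule 2: Run-key value that points at a user-writable path or at QEMU."""
    target = ev.get("TargetObject", "")
    details = ev.get("Details", "")
    if "\\currentversion\\run\\" not in target.lower():
        return None
    if in_user_writable_path(details) or is_qemu(details):
        return {"rule": "autorun_user_path", "severity": "high",
                "detail": f"{target} -> {details} set by {ev.get('User')}"}
    return None


def detect(raw_events) -> list:
    """Run both rules over JSON event strings and return the alerts raised."""
    rules = {1: check_process, 13: check_registry}
    alerts = []
    for raw in raw_events:
        ev = json.loads(raw)
        check = rules.get(ev.get("EventID"))
        alert = check(ev) if check else None
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["rule"], alert["detail"])
```

Run against the constructed events, the developer’s QEMU launch from Program Files raises nothing, while the headless launch from a temp directory and the Run-key entry pointing into the same directory each produce an alert. In a real deployment the same two rules would sit in the SIEM or EDR query language rather than in Python, and the trusted-path list would be tuned to where the organization actually installs QEMU.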
What IT Teams Can Do To Stop This Linux VM Phishing Attack
To reduce the risk of Linux VM phishing attacks reaching users, IT teams need proactive strategies that catch these threats before they land in inboxes. Here are some measures to consider:
- Use Advanced Email Filters: Set up filters that detect suspicious attachments or large files. These email filters can flag any large files from outside of the organization, like the 285MB ZIP used in the CRON#TRAP attack, and block them before they reach users.
- Scan Attachments for Safety: Use tools that scan email attachments for potential risks, especially ZIP files, which often hide malware. This scanning step reduces the chance of risky files making it to inboxes without review.
- Limit Emails from Unknown Senders: Create policies to control emails from unknown sources or apply extra checks for emails from outside domains. Limiting unknown senders helps catch phishing attempts that use unfamiliar or fake domains.
- Add SPF and DKIM Email Checks: Set up SPF and DKIM so that incoming mail is verified as genuinely coming from the domain it claims. These checks help reject messages that spoof a trusted company’s domain.
- Use Sandboxing for Risky Files: Sandboxing lets you test possibly harmful files in a controlled space before they’re delivered. This process safely checks for harmful actions without exposing users to real threats.
- Employ Anti-Spam Tools: Use specialized anti-spam solutions like SpamTitan to filter out phishing emails. These tools rely on real-time intelligence and machine learning to spot and quarantine suspicious messages before users see them.
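The first three measures in the list (size filtering, attachment scanning and external-sender checks) can be expressed as a single gateway policy. Below is an added example written for this article, not code from any mail-filtering product named here: it builds a constructed message shaped like the lure (an external sender, a survey pretext and a ZIP attachment that contains a Windows shortcut), then evaluates it against a size threshold, a sender-domain allow-list and an inspection of the ZIP members. The 25 MB threshold, the internal domain `example.com`, the sender address under the reserved `.invalid` TLD and the placeholder shortcut bytes are this example’s assumptions.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Policy thresholds (assumptions for this example; tune to your environment).
MAX_ATTACHMENT_BYTES = 25 * 1024 * 1024          # flag anything over 25 MB
INTERNAL_DOMAINS = {"example.com"}                # hypothetical internal domain
RISKY_EXTENSIONS = {".lnk", ".exe", ".bat", ".cmd", ".js", ".vbs", ".scr", ".hta"}
HIGH_RISK_PREFIXES = ("zip member", "oversized", "attachment claims")


def build_sample_message() -> bytes:
    """Construct a message shaped like the lure: external sender, survey
    pretext, and a ZIP holding a Windows shortcut plus a bulky data file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Placeholder shortcut bytes (LNK header size field only), not a real shortcut.
        zf.writestr("OneAmerica Survey.lnk", b"\x4c\x00\x00\x00" + b"\x00" * 60)
        zf.writestr("data/disk.img", b"\x00" * 1024)   # placeholder payload
    msg = EmailMessage()
    msg["From"] = "survey@oneamerica-surveys.invalid"  # constructed sender
    msg["To"] = "user@example.com"
    msg["Subject"] = "Please complete our survey"
    msg.set_content("Click the attached survey link.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="survey.zip")
    return msg.as_bytes()


def sender_domain(msg) -> str:
    addr = str(msg.get("From", ""))
    return addr.rsplit("@", 1)[-1].strip("> ").lower()


def inspect_zip(data: bytes) -> list:
    """Return findings for ZIP members whose names carry a risky extension."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                if any(name.lower().endswith(ext) for ext in RISKY_EXTENSIONS):
                    findings.append(f"zip member with risky extension: {name}")
    except zipfile.BadZipFile:
        findings.append("attachment claims to be ZIP but is not parseable")
    return findings


def evaluate_message(raw: bytes) -> dict:
    """Apply the gateway policy to one raw RFC 822 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    domain = sender_domain(msg)
    if domain not in INTERNAL_DOMAINS:
        findings.append(f"external sender: {domain}")
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        name = part.get_filename() or "<unnamed>"
        if len(payload) > MAX_ATTACHMENT_BYTES:
            findings.append(f"oversized attachment {name}: {len(payload)} bytes")
        if name.lower().endswith(".zip") or part.get_content_type() == "application/zip":
            findings.extend(inspect_zip(payload))
    high = [f for f in findings if f.startswith(HIGH_RISK_PREFIXES)]
    verdict = "quarantine" if high else ("review" if findings else "deliver")
    return {"verdict": verdict, "findings": findings}


if __name__ == "__main__":
    result = evaluate_message(build_sample_message())
    print(result["verdict"])
    for finding in result["findings"]:
        print(" -", finding)
```

The constructed message is quarantined because the ZIP contains a `.lnk` file, and the external sender is recorded as a second finding; a message that only tripped the external-sender check would be routed for review rather than blocked. A production gateway would add recursion into nested archives and hand the file to a sandbox, as the later items in the list describe.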
Stopping phishing attempts from reaching users can significantly reduce the risk of threats like the Linux VM phishing attack. Yet no security method is perfect, so it’s also essential to educate users.
Awareness Training Is Key To Preventing Phishing
Cybersecurity awareness training is key to stopping threats like the Linux VM phishing attack CRON#TRAP. As phishing methods become bolder, employees need to recognize red flags such as unexpected survey links, large file downloads, or unusual file types. Regular training also builds confidence and makes it easier to spot unusual activity. Normalizing reports is just as critical; people shouldn’t feel shy about reporting anything odd.
With the Linux VM phishing attack, there were many clear signs that something was wrong. Receiving a large download via email is suspicious in itself, and that the download was supposedly for a survey made it stranger still. Even so, that didn’t stop users from downloading the 285MB ZIP file, extracting it, and running what was inside. That shows a major lack of awareness and understanding of how cyber threats work, and education is the only way to close that gap.
Cybersecurity Is a Group Effort
Beyond that, everyone needs to understand that cybersecurity is a group effort. As highlighted during Cybersecurity Awareness Month, “Secure Our World” is an ongoing theme. IT security teams can already prevent most threats from ever reaching users, yet the few that do slip through can still be dangerous. That’s why cybersecurity awareness training has become just as important to businesses globally.