Subj : Dangerous new phishing ca
To   : Mike Powell
From : Ed Vance
Date : Wed Nov 27 2024 15:19:48

> Dangerous new phishing campaign infects Windows devices with malicious Linux
> VM
>
> Date:
> Tue, 05 Nov 2024 12:42:25 +0000
>
> Description:
> Hackers found new ways to avoid triggering AV solutions while fiddling with
> people's PCs.
>
> FULL STORY
> ======================================================================
>
> A phishing attack leads to the download of a large file
> The Linux VM comes preloaded with malware, granting crooks all kinds of advantages
> Securonix advises caution when handling inbound emails
>
> A creative new phishing technique has been spotted that looks to trick
> victims into downloading and installing a virtual Linux machine on their
> Windows endpoints. The virtual machine comes preloaded with a backdoor,
> granting the crooks unabated access to the compromised devices.
>
> A report from cybersecurity researchers Securonix dubbed the campaign
> CRON#TRAP. It starts with a fake OneAmerica survey which distributes the VM
> installation file (285 MB), and a fake error popup image.
>
> If the victims fall for the trick and trigger the installer, it will run in
> the background, while showing the fake error message in the front. That way,
> the victims will think that the survey was unavailable at the time. In the
> background, though, a fully legit version of a Linux VM, called TinyCore,
> will be installed via QEMU, a legitimate, open-source virtualization tool
> that allows for emulating various hardware and processor architectures.
>
> Tricking the AV
>
> Since QEMU is legitimate, no antivirus programs flag it as malicious.
> Furthermore, they will not flag anything that happens in the virtual machine,
> since it is walled in and operates as a sandbox. This emulated Linux
> environment enables the attacker to operate outside the visibility of
> traditional antivirus solutions, the researchers explained.
>
> However, since the VM comes with a backdoor, crooks can use it for a number
> of things, including network testing and initial reconnaissance, tool
> installation and preparation, payload manipulation and execution,
> configuration persistence and privilege escalation, SSH key manipulation for
> remote access, file and environment management, system and user enumeration,
> and potential exfiltration or command control channels.
>
> The backdoor was said to contain a tool called Chisel, which is a network
> tunneling program, pre-configured to set up a secure communications channel
> with the C2 server.
>
> Since the campaign starts with a simple phishing email, Securonix advises
> care when handling inbound emails.
>
> Via BleepingComputer
>
> ======================================================================
> Link to news story:
> https://www.techradar.com/pro/security/dangerous-new-phishing-campaign-infects-windows-devices-with-malicious-linux-vm
>
> * SLMR 2.1a * Alpha testers do it first!

Thanks Mike, it looks like interesting reading.

I bookmarked the Techradar link and their Home Page.

Ky has it right about CLICK HERE.

Ed

--- SBBSecho 3.20-Linux
 * Origin: ILink: CCO - capitolcityonline.net (454:3/105)
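A host-side check for the pattern the quoted story describes, added here as an example and not taken from the TechRadar article, Securonix's report or Mike's post. Since the Chisel tunnel runs inside the guest, the host only ever sees a QEMU process; the hunt therefore looks at where that process lives and who started it, rather than at anything inside the VM. The trusted install prefixes, the user-writable locations, the `Key=Value|Key=Value` record layout and every log record below are assumptions constructed for the example.

```python
"""Host-side hunt for the CRON#TRAP pattern quoted above: a QEMU guest
started from a user-writable path on a Windows endpoint. This is an added
example, not code from the TechRadar article, Securonix, or this thread.
The log records are constructed Sysmon-style process-creation events in an
assumed 'Key=Value|Key=Value' layout, not real telemetry."""

import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumption: where a managed QEMU install lives on this fleet.
TRUSTED_PREFIXES = (
    "c:\\program files\\qemu\\",
    "c:\\program files (x86)\\qemu\\",
)

# Assumption: user-writable locations a phishing-delivered installer drops into.
# Applied to lower-cased paths, so no IGNORECASE flag is needed.
USER_WRITABLE_RE = re.compile(
    r"^c:\\users\\[^\\]+\\(?:appdata|downloads|desktop|documents)\\"
)

# Any QEMU system emulator binary (qemu-system-x86_64.exe, qemu-system-i386.exe, ...).
QEMU_EXE_RE = re.compile(r"\\qemu-system-[a-z0-9_]+\.exe$")

# Corroborating arguments: a guest disk attached, and user-mode networking,
# which NATs the guest onto the host's network (what a tunnel inside the VM
# needs in order to reach a C2).
DISK_ARG_RE = re.compile(r"(?:^|\s)-(?:hda|drive|cdrom)\b", re.IGNORECASE)
USERNET_RE = re.compile(r"-(?:netdev|nic|net)\s+user\b", re.IGNORECASE)


@dataclass
class ProcessEvent:
    image: str
    command_line: str
    parent_image: str


@dataclass
class Finding:
    image: str
    parent_image: str
    reasons: List[str]


def parse_event(line: str) -> ProcessEvent:
    """Parse one constructed 'Image=...|CommandLine=...|ParentImage=...' record."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip().lower()] = value.strip()
    return ProcessEvent(
        image=fields.get("image", ""),
        command_line=fields.get("commandline", ""),
        parent_image=fields.get("parentimage", ""),
    )


def assess(event: ProcessEvent) -> Optional[Finding]:
    """Flag a QEMU launch whose binary or parent sits outside a managed install.

    Path evidence is required; command-line evidence only corroborates it,
    so a QEMU deployed under Program Files and started from Explorer is not
    flagged even though it too attaches a disk and uses user-mode networking.
    """
    image = event.image.lower()
    parent = event.parent_image.lower()
    if not QEMU_EXE_RE.search(image):
        return None

    reasons = []
    if not image.startswith(TRUSTED_PREFIXES):
        reasons.append("qemu binary outside the managed install path")
    if USER_WRITABLE_RE.match(image):
        reasons.append("qemu binary in a user-writable directory")
    if USER_WRITABLE_RE.match(parent):
        reasons.append("launched by a binary in a user-writable directory")
    if not reasons:
        return None

    if DISK_ARG_RE.search(event.command_line) and USERNET_RE.search(event.command_line):
        reasons.append("guest disk attached with user-mode networking")
    return Finding(event.image, event.parent_image, reasons)


def hunt(lines: Iterable[str]) -> List[Finding]:
    """Run assess() over raw records and keep the hits."""
    findings = []
    for line in lines:
        finding = assess(parse_event(line))
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample records (not real logs). Record 2 mirrors the quoted
# story: a VM launched by a 'survey' installer dropped in the user's profile,
# with the console hidden and a guest disk plus NAT networking.
SAMPLE_LOG = [
    r"Image=C:\Program Files\qemu\qemu-system-x86_64.exe"
    r"|CommandLine=qemu-system-x86_64.exe -m 2048 -hda dev.qcow2 -netdev user,id=n0 -device e1000,netdev=n0"
    r"|ParentImage=C:\Windows\explorer.exe",
    r"Image=C:\Users\alice\AppData\Roaming\survey\qemu-system-x86_64.exe"
    r"|CommandLine=qemu-system-x86_64.exe -m 256 -hda core.img -netdev user,id=n0 -device e1000,netdev=n0 -display none"
    r"|ParentImage=C:\Users\alice\Downloads\survey.exe",
    r"Image=C:\Windows\System32\cmd.exe"
    r"|CommandLine=cmd.exe /c whoami"
    r"|ParentImage=C:\Windows\explorer.exe",
    r"Image=C:\Program Files\qemu\qemu-system-i386.exe"
    r"|CommandLine=qemu-system-i386.exe -m 128 -cdrom tinycore.iso"
    r"|ParentImage=C:\Users\bob\Downloads\setup.exe",
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f.image, "<-", f.parent_image)
        for r in f.reasons:
            print("   ", r)
```

The story's own point is that AV never looks inside the guest, so the check deliberately asks nothing about the guest: a QEMU binary living under a user's profile, or started by a freshly downloaded installer, is what stands out on the host. On a real fleet the same process-creation events come from Sysmon event ID 1 or an EDR, and the natural follow-on is egress monitoring for outbound connections made by qemu-system-* processes, since the Chisel tunnel's traffic leaves the host through that process.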