Discovery of New Cyberattack Campaign CRON#TRAP
Quick take - The Securonix Threat Research team has identified a new cyberattack campaign called CRON#TRAP, which utilizes a sophisticated methodology involving phishing emails, a custom emulated Linux environment for malware staging, and advanced evasion techniques to maintain persistent access to compromised systems.
Fast Facts
- The CRON#TRAP cyberattack campaign utilizes a custom emulated Linux environment for malware staging, starting with phishing emails containing a malicious shortcut file.
- Victims are prompted to download a large zip file (“OneAmerica Survey.zip”), which, when extracted, reveals a shortcut and a hidden “data” directory with a QEMU installation.
- The QEMU binary, disguised as “fontdiag.exe,” is launched to boot the emulated environment, which lets the attackers maintain persistent access while evading detection.
- Attackers use a 64-bit ELF binary named crondx as a Chisel client for communication with a remote Command and Control (C2) server; the campaign’s tradecraft maps to techniques catalogued in the MITRE ATT&CK framework.
- Experts recommend avoiding unsolicited file downloads, monitoring potential malware staging directories, and implementing robust endpoint logging to detect such sophisticated threats.
Discovery of CRON#TRAP Cyberattack Campaign
The Securonix Threat Research team has announced the discovery of a new cyberattack campaign named CRON#TRAP. This campaign showcases an advanced methodology that leverages a custom-made emulated Linux environment for malware staging.
Attack Methodology
The attack begins with phishing emails containing a malicious shortcut (.lnk) file. These emails prompt victims to download a large zip file titled “OneAmerica Survey.zip.” The zip file is notably large at 285MB, which may raise suspicions among potential targets. Upon extraction, the zip file reveals a shortcut file and a hidden “data” directory. This directory houses the QEMU installation.
The shortcut file is designed to link to the system’s PowerShell process. It executes commands that extract and launch the emulated environment via QEMU. The QEMU process is cleverly disguised as “fontdiag.exe,” helping it evade traditional detection methods. Once executed, the emulated Linux instance operates silently in the background, complicating any forensic analysis efforts.
Technical Sophistication
The attackers utilized a version of Tiny Core Linux for their emulation. They configured the environment with a backdoor connecting to an attacker-controlled Command and Control (C2) server, allowing them to maintain persistent access to the compromised machine while effectively evading detection by conventional antivirus solutions.
Within the emulated environment, the attackers showcased their technical sophistication. They used a customized interface labeled “PivotBox,” which included options for interaction. Analysis of the command history indicates network testing and installation of various tools, including vim, file, and openssh, suggesting preparations for remote access and further modifications. The use of SSH keys points to a strategy for maintaining persistent access across system reboots.
The campaign employs a main executable named crondx. Crondx is a 64-bit ELF binary compiled in Go, acting as a Chisel client for C2 communication. Pre-configured to connect to a remote C2 server via websockets, this Chisel client provides a reliable backdoor for the attackers.
Recommendations for Users
The CRON#TRAP campaign’s overall approach maps to techniques catalogued in the MITRE ATT&CK framework, including phishing, command and control, and defense evasion. In response to this emerging threat, experts recommend that users avoid downloading unsolicited files and closely monitor directories that may serve as malware staging grounds. Robust endpoint logging is also recommended to detect such sophisticated intrusions.
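The endpoint-logging recommendation can be turned into a simple triage rule over process-creation events. The following is an added example, not code from the Securonix report: it flags a non-QEMU image name carrying QEMU launch options, a script-host parent, and a user-writable path; the sample events, staging path and option names are constructed assumptions, not the campaign’s actual command line.

```python
"""Triage Windows process-creation events for a renamed QEMU launch.
Added example, not from the Securonix report: the events are constructed and the
QEMU option names are generic flags, not the campaign's actual command line."""
import re
from dataclasses import dataclass

# Ordinary QEMU launch options. Any image that is passed several of these
# but is not named qemu-*.exe deserves a closer look.
QEMU_OPTS = re.compile(r"(?:^|\s)-(m|smp|drive|hda|cdrom|netdev|nic|nographic|display|accel)(?=\s|$)")
QEMU_IMAGE = re.compile(r"^qemu-(?:system-\w+|img)\.exe$", re.IGNORECASE)
# Script hosts a malicious .lnk typically targets to unpack and run a payload.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe"}
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\(?:downloads|appdata|desktop|documents)\\", re.IGNORECASE)

@dataclass(frozen=True)
class ProcEvent:
    image: str    # executable file name as logged
    path: str     # full image path
    parent: str   # parent process file name
    cmdline: str

def triage(ev: ProcEvent) -> list[str]:
    """Return the reasons an event looks like a disguised emulator launch (empty = no finding)."""
    # Require at least two distinct QEMU options: a lone "-m" is shared with many tools.
    if len(set(QEMU_OPTS.findall(ev.cmdline))) < 2:
        return []
    reasons = []
    if not QEMU_IMAGE.match(ev.image):
        reasons.append("qemu-arguments-under-non-qemu-name")
    if ev.parent.lower() in SCRIPT_HOSTS:
        reasons.append("spawned-by-script-host")
    if USER_WRITABLE.match(ev.path):
        reasons.append("runs-from-user-writable-path")
    return reasons

# Constructed sample events (not real telemetry); the staging path is an assumption.
SAMPLE_EVENTS = [
    ProcEvent("fontdiag.exe", r"C:\Users\jdoe\Downloads\OneAmerica Survey\data\fontdiag.exe",
              "powershell.exe",
              "fontdiag.exe -m 256M -drive file=disk.qcow2,format=qcow2 -netdev user,id=n0 -nographic"),
    ProcEvent("qemu-system-x86_64.exe", r"C:\Program Files\qemu\qemu-system-x86_64.exe",
              "explorer.exe", "qemu-system-x86_64.exe -m 2G -cdrom install.iso -accel whpx"),
    ProcEvent("notepad.exe", r"C:\Windows\System32\notepad.exe",
              "explorer.exe", "notepad.exe -m notes.txt"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev.image}: {triage(ev) or 'no finding'}")
```

The two-option threshold is what keeps the third event quiet: a single `-m` is too common to act on, while a renamed binary taking drive, network and display options together is not.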
Relevant C2 addresses and analyzed file hashes have been made available for further investigation, underscoring the importance of vigilance in cybersecurity practices.