Linux malware installed on Windows systems via fake survey emails


Businesses using Linux virtual machines need to pay close attention to cybersecurity. Malware may be lurking inside such a system, exploiting Windows vulnerabilities and attacking servers at any moment once a user downloads a suspicious file from a fake survey email.

Fake survey emails distributing Linux malware to Windows systems

According to Bleeping Computer, security researchers at Securonix (USA) have uncovered a new cyberattack campaign called CRON#TRAP, which targets various organizations through phishing emails (quishing). Many insurance companies, customer service departments, and other businesses regularly send survey emails to customers to collect feedback and opinions. Exploiting this practice, hackers have been sending fake survey emails to users to hijack accounts and steal information. These phishing emails carry a large 285 MB ZIP file containing a Linux virtual machine with malware pre-installed. When the user extracts this file, a PowerShell command runs automatically, unpacking the data and installing the virtual machine on the Windows system.

How does the Linux malware operate?

The Linux virtual machine operates via QEMU, a legitimate software tool that does not trigger security alerts. During installation, it displays a fake error image, creating the impression that the survey link is broken to distract victims while the malware silently runs within the virtual machine.

This malicious virtual machine includes a tool called Chisel, which enables secure communication channels through HTTP and SSH protocols with the attackers’ command-and-control server. Using this access, hackers can remotely infiltrate the system without being blocked by firewalls. They can execute commands like "get-host-shell" to open a command-line interface on the system or "get-host-user" to identify user privileges, enhancing their ability to control the system. This enables them to perform dangerous actions such as monitoring, stealing data, or deploying additional malware.

To maintain long-term access, the malware automatically restarts with the system every time the device is powered on. It also generates SSH keys automatically, allowing it to bypass authentication steps for future logins, ensuring a persistent connection to the victim's system.

How to prevent Linux malware?

In response to threats like CRON#TRAP, cybersecurity experts recommend that businesses monitor suspicious processes, such as "qemu.exe," appearing in easily accessible user directories. Additionally, QEMU and other virtualization tools should be added to blocklists. For critical devices, it’s advisable to disable virtualization features in the BIOS to prevent malware from exploiting them.
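As an added illustration of the monitoring advice above (example code written for this page, not code from the article or from Securonix), the following Python triage function runs over constructed Sysmon-style process-creation records and flags QEMU binaries that run from a user profile directory or are launched by a scripting host such as PowerShell, while leaving an administratively installed QEMU alone. The field names, sample paths and parent-process list are assumptions.

```python
import re

# Constructed sample process-creation records in the shape of Sysmon Event ID 1
# fields (Image, ParentImage, CommandLine); they are not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\qemu\qemu-system-x86_64.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"qemu-system-x86_64.exe -m 2048 -hda D:\vms\dev.qcow2"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\survey\qemu-system-x86_64.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"qemu-system-x86_64.exe -m 1024 -drive file=vm.qcow2"},
    {"Image": r"C:\Users\bob\Downloads\qemu.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"qemu.exe -hda disk.img"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe survey.txt"},
]

# Matches qemu.exe as well as qemu-system-<arch>.exe and the "w" (GUI) variants.
QEMU_NAME = re.compile(r"(^|\\)qemu(-system-[a-z0-9_]+)?w?\.exe$", re.IGNORECASE)
# Anything under a user profile is writable by that user and is not where an
# administratively installed hypervisor should live.
USER_DIR = re.compile(r"^[a-z]:\\users\\[^\\]+\\", re.IGNORECASE)
# Script interpreters as parent (assumed list): the article describes a
# PowerShell command launching the VM after the ZIP is extracted.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


def qemu_abuse_reasons(event):
    """Return the reasons a process event looks like CRON#TRAP-style QEMU abuse.

    An empty list means the process is not QEMU, or it is QEMU running from a
    normal install location under a normal parent process.
    """
    image = event["Image"]
    if not QEMU_NAME.search(image):
        return []
    reasons = []
    if USER_DIR.match(image):
        reasons.append("qemu binary running from a user profile directory")
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    if parent in SCRIPT_HOSTS:
        reasons.append(f"qemu launched by scripting host {parent}")
    return reasons


def find_suspicious_qemu(events):
    """Map each flagged image path to the list of reasons it was flagged."""
    hits = {}
    for ev in events:
        reasons = qemu_abuse_reasons(ev)
        if reasons:
            hits[ev["Image"]] = reasons
    return hits


if __name__ == "__main__":
    for image, reasons in find_suspicious_qemu(SAMPLE_EVENTS).items():
        print(image, "->", "; ".join(reasons))
```

The same two checks translate directly into an EDR or SIEM rule on process-creation events; the Program Files entry is deliberately included to show that a sanctioned QEMU install does not fire.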

Enhancing physical authentication with security keys is also crucial to stop hackers from leveraging malware to steal accounts and login credentials.


Linux malware poses a significant cybersecurity risk to businesses, potentially leading to stolen information, disrupted operations, and severe financial and reputational damage. Consequently, businesses must remain vigilant against sophisticated phishing tactics and enhance their security measures. Strengthening cybersecurity solutions and monitoring information security systems are essential to safeguarding corporate networks.


Source: Thanh Nien News

If you want to learn more about Information Security Monitoring Services, feel free to contact HPT now!
