Cybersecurity researchers have discovered a new malware campaign that targets Windows systems by hiding inside a Linux virtual machine. The campaign, called CRON#TRAP, starts with a malicious Windows shortcut file that was likely delivered through a phishing email. The shortcut file extracts and starts a custom Linux environment using the open-source emulator QEMU (Quick Emulator).
The virtual machine runs on a lightweight version of Linux called Tiny Core Linux. The shortcut also launches PowerShell commands that set up the QEMU virtual Linux environment, which is called PivotBox. This environment is preloaded with a tool called Chisel that grants remote access to the Windows host as soon as the QEMU instance starts up.
Researchers noted that the Chisel client in the Linux environment is configured to connect to a remote command-and-control (C2) server.
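As an added example (not from the article or the researchers' report), the process chain described above, a shortcut-launched PowerShell that starts a headless QEMU instance, can be turned into a simple detection rule over process-creation telemetry. The event records, field names and QEMU binary names below are constructed sample data and assumptions, not a real EDR schema.

```python
from dataclasses import dataclass

# Assumption: QEMU executable names and script hosts worth watching on Windows.
QEMU_IMAGES = {"qemu-system-x86_64.exe", "qemu-system-i386.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe"}


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # basename of the executable that was started
    cmdline: str    # full command line as logged


def find_suspicious_qemu(events):
    """Flag QEMU launches that look like a dropped VM rather than a developer's.

    A hit needs either a script-host parent (the article's shortcut -> PowerShell
    -> QEMU chain) or a headless display setting that keeps the VM invisible.
    Returns a list of (pid, [reasons]) so the analyst sees why it fired.
    """
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if e.image.lower() not in QEMU_IMAGES:
            continue
        reasons = []
        parent = by_pid.get(e.ppid)
        if parent is not None and parent.image.lower() in SCRIPT_HOSTS:
            reasons.append("script-host parent")
        # -nographic / -display none run the guest with no window on screen.
        if "-nographic" in e.cmdline or "-display none" in e.cmdline:
            reasons.append("headless display")
        if reasons:
            hits.append((e.pid, reasons))
    return hits


# Constructed sample telemetry: one chain matching the article, one benign QEMU use.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "powershell.exe", "powershell.exe -w hidden -f setup.ps1"),
    ProcEvent(300, 200, "qemu-system-x86_64.exe",
              "qemu-system-x86_64.exe -m 256 -hda PivotBox.qcow2 -nographic"),
    ProcEvent(400, 100, "qemu-system-x86_64.exe",
              "qemu-system-x86_64.exe -m 2048 -hda dev.qcow2"),
]

if __name__ == "__main__":
    for pid, reasons in find_suspicious_qemu(SAMPLE_EVENTS):
        print(f"pid {pid}: {', '.join(reasons)}")
```

Only the PowerShell-spawned, headless instance (pid 300) is reported; the interactive developer VM started from Explorer is left alone.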
This allows the attacker to have a hidden presence on the victim’s machine and stage further attacks from within the concealed Linux environment.
Running inside the virtual machine makes the malware hard to detect with traditional antivirus solutions. The campaign has primarily targeted countries such as Romania, Poland, Germany, and Kazakhstan. The phishing emails typically carry an archive file attachment and are sent from various fake or compromised email accounts.
When the archive file is opened, it runs a script that downloads malware to take control of the victim’s system. Researchers say that threat actors are constantly adapting their techniques to evade detection. They stress the need for proactive security measures to defend against these evolving threats.