QEMU is a legitimate virtualization tool, so its presence on a machine rarely raises suspicion. In this attack the hackers configured QEMU to boot a minimal Linux distribution, Tiny Core Linux, with a pre-installed backdoor. That backdoor automatically connects to the attackers' command-and-control (C2) server, giving them persistent access to the compromised system.
According to the researchers, the infection most likely began with a phishing email. The email carried a 285 MB archive named Oneamerica Survey.zip, containing a Windows shortcut and a directory holding the QEMU files. After extracting the archive, the user sees only the shortcut; launching it triggers a chain of actions: an error message is displayed first, and then QEMU is executed under the disguised name "fontdiag.exe". From inside the hidden Linux environment, the attackers can issue commands against the victim's system and extract user data.
Furthermore, inside the virtual machine, which the attackers named PivotBox, they deployed tools to monitor the network, download files, and persist their changes. A key component is a file named crondx, a repurposed copy of the open-source Chisel tunneling program. It lets the attackers tunnel traffic covertly through firewalls and maintains a persistent, encrypted connection to their server.
This technique requires advanced skills and relies on legitimate tools, which makes it hard to detect. Securonix recommends not downloading files from unfamiliar sources, especially archives received by email. It also advises inspecting common staging folders for suspicious files and enabling PowerShell logging so that attempts to breach the system can be identified promptly.
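The checks described above can be scripted. The PowerShell below is an added example written for this page, not code from Securonix or from its report: it sweeps user-writable directories for executables whose version resource still identifies them as QEMU (the kind of disguise the article describes for "fontdiag.exe"), lists running processes that carry QEMU-style command-line arguments, and turns on PowerShell script block logging. The directories searched, the argument patterns matched and the function names are assumptions chosen for the example.

```powershell
# Added example (not from the article or the Securonix report): hunt for a renamed
# QEMU binary and its disk image, flag a running emulator, and enable PowerShell
# script block logging. The registry change requires an elevated session.

# Staging locations to sweep. Chosen for the example, not taken from the article.
$SearchRoots = @(
    $env:USERPROFILE,
    $env:ProgramData,
    $env:TEMP
)

# QEMU's PE version resource keeps advertising "qemu" even after the file is renamed.
$QemuMarker = 'qemu'

function Find-RenamedQemu {
    param([string[]]$Roots)

    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -File -Include *.exe -ErrorAction SilentlyContinue |
            Where-Object {
                $vi = $_.VersionInfo
                ($vi.OriginalFilename -match $QemuMarker) -or
                ($vi.FileDescription  -match $QemuMarker) -or
                ($vi.ProductName      -match $QemuMarker)
            } |
            ForEach-Object {
                $file = $_
                # A disk image beside the emulator is what carries the hidden Linux system.
                $images = Get-ChildItem -Path (Join-Path $file.DirectoryName '*') `
                    -File -Include *.qcow2, *.img, *.iso -ErrorAction SilentlyContinue |
                    Select-Object -ExpandProperty Name
                [pscustomobject]@{
                    Path             = $file.FullName
                    OriginalFilename = $file.VersionInfo.OriginalFilename
                    ProductName      = $file.VersionInfo.ProductName
                    SHA256           = (Get-FileHash -Algorithm SHA256 -Path $file.FullName).Hash
                    NearbyImages     = ($images -join ', ')
                }
            }
    }
}

function Find-RunningQemu {
    # A renamed QEMU still takes QEMU-style arguments such as -drive, -hda,
    # -netdev, -nographic or -display none. The pattern is an assumption for the
    # example and will need tuning against legitimate virtualization use.
    Get-CimInstance -ClassName Win32_Process |
        Where-Object {
            ($_.CommandLine -match '(?i)\s-(drive|hda|cdrom|netdev|nographic|display)\b') -or
            ($_.ExecutablePath -match $QemuMarker)
        } |
        Select-Object ProcessId, Name, ExecutablePath, CommandLine
}

function Enable-PowerShellScriptBlockLogging {
    # Same effect as the Group Policy setting "Turn on PowerShell Script Block Logging".
    # Logged script blocks appear in Microsoft-Windows-PowerShell/Operational as event 4104.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name EnableScriptBlockLogging -Value 1 -Type DWord
}

# Run the hunt, then enable logging and show the most recent recorded script blocks.
Find-RenamedQemu -Roots $SearchRoots | Format-List
Find-RunningQemu | Format-Table -AutoSize
Enable-PowerShellScriptBlockLogging
Get-WinEvent -LogName 'Microsoft-Windows-PowerShell/Operational' `
    -FilterXPath '*[System[EventID=4104]]' -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

The version-resource match is cheap but not conclusive: an attacker can strip or rewrite the PE version information, which is why the script also records a SHA256 for comparison against known QEMU builds and looks for a disk image next to the executable. Traffic from a Chisel-style tunnel leaves the host over ordinary HTTP, so the network side of the detection has to come from proxy or firewall logs rather than from anything on the endpoint.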