A recently documented malware campaign, codenamed CRON#TRAP, plants a backdoored Linux virtual machine on Windows systems to give attackers a foothold. The "intriguing" campaign begins with a malicious Windows shortcut (LNK) file, most likely delivered as a ZIP archive attached to a phishing email. The emails pose as a "OneAmerica survey" and carry an unusually large 285MB ZIP file; opening the shortcut inside it starts the infection chain.

In the background, the shortcut sets up PivotBox, a QEMU-emulated Linux environment that ships with the Chisel tunneling tool pre-installed, so the attacker gains remote access to the host as soon as the QEMU instance starts. Because the backdoor and its tunneling run inside the guest, the Windows host sees only a QEMU process, which is how this technique hides malicious activity; it is one of a range of ever-evolving strategies threat actors use against organizations. According to Tara Gould, a researcher at Cado Security, the activity has primarily targeted countries such as Romania, Poland, Germany, and Kazakhstan.
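Because the backdoor lives inside the guest, the most useful host-side signal is the launch of the emulator itself. The following is an added hunting example written for this article (not code from the original page, from Securonix, or from any vendor report). It scores process-creation events for the pattern described above: a QEMU binary started from a user-writable directory by a script host, with its disk image in a temp folder and no console window. The `Key=Value|Key=Value` log schema, the field names `Image`, `ParentImage` and `CommandLine`, the trusted-directory list and the sample events are all constructed for this example and are assumptions to tune per environment, not vendor indicators.

```python
"""Hunt for a hidden QEMU guest launched on a Windows host.

Added example, not code from the article or any vendor report. The log
schema (Key=Value fields separated by '|'), the field names and the sample
events below are constructed for illustration. The trusted install
directories and script-host list are assumptions to adjust per estate.
"""
import re

# Matches qemu-system-<arch>[.exe] at the end of an image path.
QEMU_BIN = re.compile(r"qemu-system-[a-z0-9_]+(\.exe)?$", re.IGNORECASE)
# Assumed locations of a legitimately deployed QEMU (lower-case, trailing slash).
TRUSTED_DIRS = ("c:\\program files\\qemu\\", "c:\\program files (x86)\\qemu\\")
# Parents that indicate a script, not a person, started the emulator.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
# Paths a phishing payload can write to without elevation.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\",
                 "\\users\\public\\", "\\programdata\\")


def parse_event(line):
    """Parse one 'Key=Value|Key=Value' record into a dict (constructed schema)."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))


def score_event(ev):
    """Return (score, reasons); 0 means not a QEMU launch or nothing unusual."""
    image = ev.get("Image", "").lower()
    parent_name = ev.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
    cmd = ev.get("CommandLine", "")
    tokens = cmd.split()
    reasons = []
    if not QEMU_BIN.search(image):
        return 0, reasons
    if not image.startswith(TRUSTED_DIRS):
        reasons.append("qemu binary outside trusted install directory")
    if parent_name in SCRIPT_HOSTS:
        reasons.append(f"spawned by script host {parent_name}")
    if any(p in cmd.lower() for p in USER_WRITABLE):
        reasons.append("disk image or arguments in a user-writable path")
    # A guest run with no display is invisible to the logged-on user.
    headless = "-nographic" in tokens or any(
        a == "-display" and b == "none" for a, b in zip(tokens, tokens[1:]))
    if headless:
        reasons.append("headless guest (no console window for the user to notice)")
    return len(reasons), reasons


def hunt(lines, threshold=2):
    """Return events at or above the threshold, highest score first."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append({"image": ev["Image"], "score": score, "reasons": reasons})
    return sorted(hits, key=lambda h: -h["score"])


# Constructed sample events (not real telemetry): a developer's VM, a
# script-launched headless VM unpacked into Temp, and an unrelated process.
SAMPLE_EVENTS = [
    r"Image=C:\Program Files\qemu\qemu-system-x86_64.exe|ParentImage=C:\Windows\explorer.exe"
    r"|CommandLine=qemu-system-x86_64.exe -m 2048 -drive file=D:\vms\dev.qcow2",
    r"Image=C:\Users\alice\AppData\Local\Temp\Survey\qemu-system-x86_64.exe"
    r"|ParentImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|CommandLine=qemu-system-x86_64.exe -m 512 -drive file=C:\Users\alice\AppData\Local\Temp\Survey\disk.qcow2 -nographic",
    r"Image=C:\Windows\System32\notepad.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=notepad.exe",
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["score"], hit["image"], "; ".join(hit["reasons"]))
```

On the constructed sample the developer's VM scores 0 and the Temp-folder launch scores 4, so a threshold of 2 separates them without relying on file hashes or names, which an attacker can change. A network-side complement is outbound connections from the QEMU process itself, since the guest's Chisel tunnel leaves the host as the emulator's traffic.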

"GuLoader malware continues to adapt its techniques to evade detection to deliver RATs," according to Gould. "Threat actors consistently target particular industries in particular nations. Its tenacity emphasizes the necessity of preventative security measures," she stated.

So far, no specific group or individual has been tied to the campaign. According to Gould, it has been seen delivering the evasive GuLoader malware to electronics manufacturing, engineering, and industrial companies in European countries. She continues, "It's unclear if the campaign has been identified or if it's being targeted by a nation-state or a state-based intelligence agency, but it's a serious threat." Conventional antivirus products are unlikely to detect the threat, since the malicious activity runs inside the emulated guest rather than as a recognizable program on the host.