Attackers distribute a custom QEMU-emulated Linux environment via a malicious .lnk file within a phishing email. When executed, this file installs and initiates a QEMU instance to run a Tiny Core Linux backdoor, enabling covert persistence on the victim's machine.
The .lnk file activates PowerShell to extract and run QEMU, renamed as fontdiag.exe, from a large, concealed zip archive.
This QEMU instance connects to a C2 server, maintaining a hidden presence through an emulated environment undetectable by most antivirus tools.
The emulated environment includes "PivotBox" settings with command aliases for direct interaction with the host, and command logs reveal steps like SSH setup, payload execution, and persistence configurations.
Attackers use legitimate software (QEMU) renamed and executed from uncommon directories, alongside SSH keys and script modifications, ensuring reliable access and minimal detection.
crondx, a Chisel-based backdoor, establishes a secure C2 channel via websockets, enabling encrypted data exfiltration and further payload deployment.
- ├── 002f9cd9ffa4b81301d003acd9fb3fbba1262e593b4f2e56a085b62a50e76510 start.bat
- ├── 0618bb997462f350bc4402c1a5656b38bedc278455823ac249fd5119868d3df4 OneAmerica Survey.lnk
- ├── 3e6a47da0a226a4c98fb53a06ec1894b4bfd15e73d0cea856b7d2a001cada7e9 crondx
- ├── 82a9747485fdd60360d28cd73671f171a8312b7d68b26fe1e2d472eb97c4fe59 mydata.tar
- ├── 9a33ea831edf83cb8775311963f52299f1488a89651bd3471cc8f1c70f08a36c crondx
- ├── bc7a34379602f9f061bdb94ec65e8e46da0257d511022a17d2555adbd4b1dd38 FontDiag.zip
- ├── ce26aac9ba7be60bfb998ba6add6b34da5a68506e9fea9844dc44bafe3cab676 OneAmerica Survey.zip
- └── f4229128ef642d299f7ab5fbcb6de75a17d12f30f22a3985044c8b1b44f1768f mydata.tar
- Over the past 15 years, as the blog has been around, many hosting providers have dropped support due to stricter no-malware policies. This has led to broken links, especially in older posts. If you find a broken link on contagiodump.blogspot.com (or contagiominidump.blogspot.com), just note the file name from the URL and search for it in the Contagio Malware Storage.
Article Link: contagio: 2024-11-04 CRON#TRAP (Emulated Linux Environments) Samples