A novel malware operation has been identified by cybersecurity experts, leveraging a hidden Linux virtual machine to infiltrate Windows systems. This stealthy campaign, dubbed CRON#TRAP, employs a Linux environment containing a covert backdoor to establish remote access to compromised devices, circumventing traditional antivirus detection methods.
The campaign is initiated by a malicious Windows shortcut (LNK) file, likely concealed within a ZIP archive disseminated through phishing emails. These phishing messages are designed to appear as legitimate “OneAmerica survey” invitations, with a large 285MB ZIP file attachment. When unsuspecting users open this attachment, it triggers the malware’s deployment.
According to researchers Den Iuzvyk and Tim Peck from Securonix, “The CRON#TRAP campaign stands out due to its Linux-based emulated instance, preconfigured with a backdoor that seamlessly connects to an attacker-controlled command-and-control (C2) server.” This infrastructure grants the attacker prolonged, clandestine control over the victim’s machine, enabling further malicious activities without detection.
The shortcut file, part of an attack not yet attributed to any specific group, extracts and initiates a compact Linux environment via Quick Emulator (QEMU), an open-source virtualization tool that hosts Tiny Core Linux. Once launched, PowerShell commands re-extract the ZIP file contents and execute a hidden “start.bat” script. This script displays a misleading error message suggesting that the survey link is broken, while stealthily setting up a virtual environment, PivotBox, which runs a preconfigured version of Chisel—a tunneling tool that instantly opens remote access pathways.
Securonix researchers added, “This binary behaves as a Chisel client configured to connect with a remote C2 server at IP 18.208.230[.]174 via websockets.” The attackers have effectively transformed Chisel into a backdoor, enabling command-and-control traffic to seamlessly pass through the Linux environment within the host system.
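As an added defender-side example (not code from the article or from Securonix), the following Python detector flags the process chain described above, a script host launching a QEMU binary from a user-writable directory, possibly headless, over constructed Sysmon-style process-creation records; the field names, sample paths and the `PivotBox` image name used in the samples are assumptions for illustration.

```python
# Added example, not from the original report: a small detector for the
# script-host -> QEMU launch pattern described above, run over constructed
# Sysmon-like process-creation records. Field names and sample records are
# assumptions; tune the path checks to your environment.
from dataclasses import dataclass

# Emulator binaries the technique relies on (QEMU hosting Tiny Core Linux).
EMULATOR_IMAGES = {"qemu-system-x86_64.exe", "qemu-system-i386.exe", "qemu.exe"}
# Script hosts named as the stage that launches the emulator (PowerShell, start.bat).
SCRIPT_PARENTS = {"powershell.exe", "cmd.exe"}
# Directories where a legitimately installed hypervisor would not normally live.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\downloads\\")

@dataclass
class ProcEvent:
    image: str          # full path of the new process
    parent_image: str   # full path of the parent process
    cmdline: str

def suspicious_qemu_launch(ev: ProcEvent) -> list[str]:
    """Return the reasons this event matches the hidden-VM pattern (empty if none)."""
    reasons = []
    name = ev.image.lower().rsplit("\\", 1)[-1]
    if name not in EMULATOR_IMAGES:
        return reasons
    if ev.parent_image.lower().rsplit("\\", 1)[-1] in SCRIPT_PARENTS:
        reasons.append("emulator launched by script host")
    if any(d in ev.image.lower() for d in USER_WRITABLE):
        reasons.append("emulator binary in user-writable path")
    # -nographic / -display none are real QEMU options that hide the VM window.
    if "-nographic" in ev.cmdline.lower() or "-display none" in ev.cmdline.lower():
        reasons.append("headless emulator (no window shown to user)")
    return reasons

# Constructed sample events: one mimicking the campaign chain, one benign developer use.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Users\alice\AppData\Local\Temp\OneAmericaSurvey\qemu-system-x86_64.exe",
              r"C:\Windows\System32\cmd.exe",
              "qemu-system-x86_64.exe -m 256 -drive file=PivotBox.qcow2 -display none"),
    ProcEvent(r"C:\Program Files\qemu\qemu-system-x86_64.exe",
              r"C:\Windows\explorer.exe",
              "qemu-system-x86_64.exe -m 2048 -hda dev.img"),
]

def scan(events: list[ProcEvent]) -> list[tuple[str, list[str]]]:
    """Return (image, reasons) for each event that matched at least one indicator."""
    return [(ev.image, r) for ev in events if (r := suspicious_qemu_launch(ev))]

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS):
        print(image, "->", "; ".join(reasons))
```

Pair a hit from this rule with egress telemetry (a fresh outbound websocket session from the same host shortly after the launch) before treating it as confirmed, since developers do run QEMU legitimately.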
CRON#TRAP’s sophisticated tactics are part of a larger trend among cyber actors who continue to innovate in concealing malicious operations. Similar efforts include a spear-phishing campaign that specifically targets sectors such as electronic manufacturing, engineering, and industrial firms across European nations, using GuLoader malware—a tool known for its elusive delivery of remote access trojans (RATs).
This spear-phishing method often includes order-related inquiries, attaching a disguised archive file. Tara Gould, a researcher at Cado Security, explained, “These emails, originating from fake or compromised addresses, frequently hijack existing email threads to increase credibility.” The initial infection vector is a batch file within the archive that holds an obfuscated PowerShell script, which subsequently downloads and runs another PowerShell script from a remote server.
This secondary script allocates memory and executes GuLoader’s shellcode, which then proceeds to fetch additional payloads. Gould noted, “GuLoader continuously refines its techniques to stay undetected while delivering RATs, illustrating that threat actors are increasingly focusing on specific industries in particular countries. Its persistence emphasizes the necessity of proactive security defenses.”
These campaigns underscore the evolving strategies employed by cybercriminals, exploiting unsuspected vectors and blending legitimate tools to mask malicious intent. Organizations are encouraged to strengthen their defenses with proactive threat detection and awareness to counteract such sophisticated malware threats.