Attackers Use Emulated Linux Environment to Create Undetectable Backdoor
Security researchers at Securonix recently documented an unusual attack chain. The malware sets up an emulated Linux environment on the compromised system and uses it as a persistent backdoor. Because the attackers' activity takes place inside the emulated guest, host-based security tools that inspect ordinary processes and files see little of it, which makes the technique a serious threat.
How the Attack Works: Overview of the New Backdoor Malware
According to Securonix, the attack starts with a phishing campaign that distributes a malicious .lnk file disguised as a survey link from the company "OneAmerica." When the victim opens it, it installs a lightweight Linux environment running under QEMU, an open-source machine emulator. The Linux guest ships with a preconfigured backdoor that connects the infected device to an external command-and-control (C2) server, so the attackers can operate on the system without their tools ever appearing as separate host processes.
Malicious .lnk File as Entry Point
The attack chain begins with a phishing email linking to a 285 MB .zip file. The archive contains both the .lnk file and the QEMU setup files. When a victim opens the .lnk file, it executes a PowerShell command that installs and launches the virtual environment.
Persistence Through Emulation
QEMU is started with the -nographic switch, so no console window appears, and the QEMU binary is renamed "fontdiag.exe" to blend in with legitimate software. Once running, the emulated Linux environment lets the attackers execute commands remotely and remain active on the device; the commands run inside the guest rather than as separate processes on the Windows host.
SSH Backdoor and HTTP Tunnel
The attackers set up an SSH connection carried over an HTTP tunnel, so the backdoor traffic passes through firewalls that allow outbound HTTP. This keeps the emulated environment connected to the C2 server and lets the attackers return to the compromised device at will.
Evading Detection: Why This Attack Stands Out
QEMU is a legitimate tool widely used in research and software development, so its presence on a machine does not by itself raise alarms the way a known malware binary would. Antivirus and endpoint protection agents on the host see only a QEMU process; the backdoor, its SSH service and the commands the attackers run all live inside the guest, outside the agent's view. That gives the attackers a longer window to execute commands and transfer data without triggering alerts.
Indicators of Compromise (IOCs) and Protection Tips
Securonix has published indicators of compromise (IOCs) so IT teams can check their systems for the files and processes used in this campaign. They also recommend enabling endpoint logging that captures PowerShell usage, and process-level logging with Sysinternals Sysmon, so that an unapproved process such as a renamed, headless QEMU launched from PowerShell can be caught early.
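The following is an added example, not code or tooling from Securonix or from the original article. It shows what the Sysmon-based detection suggested above can look like in practice: a small Python script that walks process-creation events and flags the pattern described on this page (PowerShell launched quietly from the desktop shell, QEMU running headless with -nographic, and QEMU-style command lines under a non-QEMU image name such as fontdiag.exe). The event records are constructed for this example and only borrow the Sysmon Event ID 1 field names (Image, ParentImage, CommandLine); the list of QEMU options comes from the QEMU command line, and the "quiet" PowerShell switches are generic indicators, since the page does not say which flags the real .lnk used.

```python
"""Flag the headless-QEMU backdoor pattern in Sysmon process-creation events.

Added example; not the original article's code. The events below are
constructed, modelled on Sysmon Event ID 1 fields, and are not real logs.
"""
import ntpath
from dataclasses import dataclass

# QEMU command-line options taken from the QEMU CLI. The article only mentions
# -nographic; the rest are included to catch variants that omit it.
QEMU_OPTIONS = {"-nographic", "-hda", "-hdb", "-drive", "-cdrom", "-kernel",
                "-initrd", "-append", "-netdev", "-device", "-smp", "-m",
                "-display", "-monitor", "-boot"}

# Generic PowerShell switches used to run scripts without a visible window.
# Assumption: the page does not state which switches the real .lnk used.
QUIET_PS_FLAGS = ("-windowstyle hidden", "-w hidden", "-encodedcommand",
                  "-enc ", "-executionpolicy bypass", "-ep bypass", "-noprofile")

# Constructed sample events (Sysmon Event ID 1 field names, fictional paths).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe",
     "CommandLine": "explorer.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass "
                    r"-File C:\Users\u\Downloads\OneAmerica_Survey\start.ps1"},
    {"Image": r"C:\Users\u\AppData\Local\fontdiag\fontdiag.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "fontdiag.exe -m 256 -hda disk.qcow2 -nographic"},
    {"Image": r"C:\Program Files\qemu\qemu-system-x86_64.exe",   # legitimate dev use
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\qemu\qemu-system-x86_64.exe" -m 2048 -hda dev.qcow2'},
    {"Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "firefox.exe"},
]


@dataclass
class Finding:
    rule: str
    image: str
    detail: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, quotes stripped."""
    return ntpath.basename(path.strip('"')).lower()


def qemu_options_in(cmdline: str) -> set:
    """Return the known QEMU options present on a command line."""
    return {tok.lower() for tok in cmdline.split() if tok.lower() in QEMU_OPTIONS}


def looks_like_qemu(cmdline: str) -> bool:
    """Heuristic: -nographic, two or more QEMU options, or a .qcow2 disk image."""
    opts = qemu_options_in(cmdline)
    return "-nographic" in opts or len(opts) >= 2 or ".qcow2" in cmdline.lower()


def check_event(ev: dict) -> list:
    findings = []
    image, parent = basename(ev["Image"]), basename(ev["ParentImage"])
    cmd = ev["CommandLine"]

    if looks_like_qemu(cmd):
        if not image.startswith("qemu"):       # QEMU renamed, e.g. fontdiag.exe
            findings.append(Finding("renamed_qemu", image,
                                    f"QEMU-style command line under non-QEMU name: {cmd}"))
        if "-nographic" in qemu_options_in(cmd):  # headless: no console window
            findings.append(Finding("headless_qemu", image,
                                    "QEMU started with -nographic"))
        if parent == "powershell.exe":         # VM launched by a script, as in the campaign
            findings.append(Finding("qemu_spawned_by_powershell", image,
                                    f"parent={parent}"))

    # A double-clicked .lnk launches its command with explorer.exe as parent.
    if (image == "powershell.exe" and parent == "explorer.exe"
            and any(f in cmd.lower() for f in QUIET_PS_FLAGS)):
        findings.append(Finding("quiet_powershell_from_shell", image, cmd))
    return findings


def detect(events: list) -> list:
    return [f for ev in events for f in check_event(ev)]


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.image}: {f.detail}")
```

The legitimate developer instance of qemu-system-x86_64.exe in the sample set produces no finding, because it keeps its real name and runs with a display; the campaign's combination of a renamed image, the -nographic switch and a PowerShell parent produces three findings for a single process, which is a good candidate for an alert rather than a mere hunting lead.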
Organizations need to stay vigilant against phishing and configure endpoint protection settings to log suspicious activity. By being aware of sophisticated attacks like this one, companies can better guard against future risks.