CTI Roundup: Sophos vs. Chinese Threat Actors, CRON#TRAP Linux VM, Bing Phishing Campaign
Sophos battles multiple Chinese threat actors, CRON#TRAP infects Windows with a Linux VM, and actors leverage Bing for phishing
This week, CTI covers the ongoing battle between Sophos and multiple Chinese threat actors. Next up, CTI investigates a new campaign called CRON#TRAP that begins with a simple phishing email. Finally, CTI wraps up with an overview of a new phishing campaign that seeks out banking credentials using Microsoft Bing.
Sophos battles multiple Chinese threat actors
Sophos recently disclosed details of their ongoing battle against multiple Chinese threat actors. For more than five years, actors have targeted networking devices globally, including those from Sophos. The firm attributed certain clusters of activity to actors, including Volt Typhoon, APT31, and APT41.
Evolving attacker behaviors
Sophos identified three main evolving attacker behaviors:
- The first is a shift in focus from widespread, noisy attacks with opportunistic targeting to stealthier attacks against specific targets.
- The second observation is in the evolution of stealth and persistence, with an increased focus on living off the land, backdoored Java classes, and memory-only trojans.
- The final observation is in operations security (OPSEC) improvements.
Initial intrusion and reconnaissance
The first observed attack, which occurred in 2018, was not against a network device but a Sophos facility in India. The attack leveraged a complex rootkit, later dubbed Cloud Snooper, and a technique to pivot into cloud infrastructure via misconfigured AWS SSM agents.
At the time, the attack was not attributed to a particular actor. Now, researchers believe this attack was a Chinese effort to gather intelligence to aid further attacks and create malware to target network devices.
Shifting to stealth
In 2022, the actors changed tactics to be more targeted and focused on specific sectors. The attacks used diverse TTPs and took more of an active adversary approach, with the manual execution of commands and malware, instead of relying on automation. Stealthy persistence techniques and the exploitation of CVEs were used throughout these attacks.
Improvements in OPSEC
These actors have become increasingly adept at hiding their activities by blocking the sending of data from the devices to Sophos. Starting in 2020, the actors tried to sabotage the hotfix mechanism of compromised devices and later started targeting the telemetry system of devices. Overall, their operational security practices improved over time.
Analyst comments from Tanium’s Cyber Threat Intelligence team
Chinese state-sponsored threat actors have long been a threat, especially as they tend to share tooling and techniques with each other. Sophos explains these actors are “well-resourced, patient, creative, and unusually knowledgeable about the internal architecture of the device firmware.”
Edge network devices are likely to continue to remain high-value targets for actors.
CRON#TRAP infects Windows with a Linux VM
In a campaign called CRON#TRAP, a threat actor uses phishing emails to deploy a custom-made Linux box running inside the Quick Emulator (QEMU).
According to Securonix, an LNK file delivered by the phishing email launches QEMU, which boots the Linux environment. The Linux instance in the attack comes with a preconfigured backdoor to automatically connect to the actor’s C2 server.
Initial infection
Though not confirmed, Securonix believes the attack started with a phishing email containing a link to download a .zip file. The .zip file itself was survey-themed and large at 285MB.
Once the victim extracts the file, they are shown a shortcut and a “data” directory containing the QEMU installation directory. The shortcut file links to PowerShell and executes a command to extract the downloaded file and execute a batch file. This batch file displays a fake server error to the user while executing the QEMU process to initiate the Linux environment.
Lure document/QEMU
A fake server error appears to the victim as a convincing lure. While the QEMU process was renamed, it is legitimate and digitally signed with a valid certificate.
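The chain described above (shortcut launching PowerShell, a batch file, then a renamed but validly signed QEMU binary) leaves a recognisable footprint in process-creation telemetry. The following is an added example, not code from Securonix or the original post: it runs three simple detection rules over constructed Sysmon-style process-creation events (the field names Image, OriginalFileName, ParentImage and CommandLine are real Sysmon fields; every path, file name and command line is made up for this example).

```python
import ntpath

# Constructed Sysmon-style process-creation events (sample data, not real telemetry).
EVENTS = [
    {"Image": r"C:\Users\alice\Downloads\survey\data\fontdiag.exe",   # renamed QEMU
     "OriginalFileName": "qemu-system-x86_64.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "fontdiag.exe -m 256 -hda pivot.qcow2 -display none"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",                        # LNK double-click
     "CommandLine": 'powershell.exe -c "Expand-Archive survey.zip data; .\\data\\start.bat"'},
    {"Image": r"C:\Program Files\qemu\qemu-system-x86_64.exe",         # legitimate install
     "OriginalFileName": "qemu-system-x86_64.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "qemu-system-x86_64.exe -m 4096 -hda dev.qcow2"},
]

USER_WRITABLE = ("\\downloads\\", "\\appdata\\", "\\temp\\", "\\public\\")

def is_qemu(ev):
    # The PE's original file name survives renaming on disk; it is what the signature covers.
    return ev.get("OriginalFileName", "").lower().startswith("qemu-system")

def renamed_qemu(ev):
    """Signed QEMU whose on-disk name no longer matches the PE's original name."""
    return is_qemu(ev) and ntpath.basename(ev["Image"]).lower() != ev["OriginalFileName"].lower()

def qemu_from_user_path(ev):
    """QEMU executing from a user-writable location rather than an install directory."""
    return is_qemu(ev) and any(m in ev["Image"].lower() for m in USER_WRITABLE)

def shortcut_style_powershell(ev):
    """PowerShell spawned by explorer.exe (as a shortcut would) that runs a batch file."""
    parent = ntpath.basename(ev.get("ParentImage", "")).lower()
    return (ntpath.basename(ev["Image"]).lower() == "powershell.exe"
            and parent == "explorer.exe" and ".bat" in ev.get("CommandLine", "").lower())

RULES = {"renamed_qemu": renamed_qemu, "qemu_from_user_path": qemu_from_user_path,
         "shortcut_style_powershell": shortcut_style_powershell}

def triage(events):
    """Return {event_index: [matching rule names]} for events hitting at least one rule."""
    hits = {}
    for i, ev in enumerate(events):
        names = [name for name, rule in RULES.items() if rule(ev)]
        if names:
            hits[i] = names
    return hits

if __name__ == "__main__":
    for i, names in triage(EVENTS).items():
        print(i, EVENTS[i]["Image"], names)
```

The legitimate QEMU install in the third event matches none of the rules, while the renamed copy under Downloads and the explorer-spawned PowerShell each match.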
PivotBox – attacker’s Linux environment
Securonix was able to interact with the operating system because auto-login was enabled. The message banner displays “PivotBox” and an “options” command. This options command displays two commands to interact with the host.
By default, the Linux shell stores a history of executed commands inside the user’s home directory. Researchers were able to track down a record of what commands were used, meaning that this actor lacked some basic operational security and did not clear the history.
A full list of the commands can be found in Securonix’s report. At a high level, there were commands to install tools, manipulate and execute payloads, establish persistence, exfiltrate data, and more.
Chisel
A binary gets executed when the Linux QEMU instance starts up. Researchers determined this binary is a “pre-configured Chisel client designed to connect to a remote C2 server via WebSockets.”
Analyst comments from Tanium’s Cyber Threat Intelligence team
This campaign rapidly escalated from a simple phishing email to an emulated Linux environment. This isn’t the first time an actor has abused QEMU, but it does appear to be one of the first times it’s been abused for things outside of crypto mining.
The fact that the campaign likely begins with phishing can allow defenders and end users to identify the threat before it goes too far.
Threat actors leverage Bing for phishing
Malwarebytes recently identified a new phishing campaign that seeks banking credentials. The campaign targets victims with the help of malvertising, specifically on Microsoft’s Bing search engine.
The phishing pages are returned on the first page of results and, in some cases, as the top search results.
Malwarebytes identified the phishing campaign on November 29. If a user searches for “KeyBank login” using Bing, the first result is a malicious link that pretends to be the legitimate KeyBank login site. The domain was registered roughly two weeks prior.
Indexing and cloaking
Web crawlers and scanners visiting the malicious link are led to a site intended for users the threat actor is not interested in. These crawlers and scanners scrape and index the content of this page and identify it as a clean page. However, victims are immediately redirected to the true malicious site based on user attributes, including IP address.
The true phishing site uses legitimate KeyBank branding and closely mimics the true login page. Filling out the form on this site immediately sends the data to the threat actor.
Bypassing MFA
Many phishing campaigns attempt to bypass multifactor authentication (MFA). In this campaign, the phishing page displays a message to the victim that their internet connection is poor. This message is a distraction to hide what’s really happening.
Behind the scenes, the actor logs into the victim’s account and is prompted for an MFA code. On another screen, the victim is asked to enter the one-time passcode, which is immediately sent to the threat actor.
Taking it one step further, this phishing campaign also asks the victim to answer their security questions. The threat actor can further abuse this information.
Analyst comments from Tanium’s Cyber Threat Intelligence team
Although this campaign is specific to Bing, similar phishing schemes are now being conducted across most search engines.
One thing that Malwarebytes points out is how quickly a malicious site can make its way to the top of the search results. In this case, it took just two weeks to be displayed ahead of the legitimate bank website.
Do you have insight into these stories that you want to share? Head over to Tanium’s discussion forum to start a conversation.
For further reading, catch up on our recent cyber threat intelligence roundups.