Cybersecurity researchers have discovered a sophisticated malware campaign, CRON#TRAP, which evades antivirus detection on Windows by leveraging a hidden Linux virtual machine with a backdoor for remote access.
The malware initiates its infection with a Windows shortcut (LNK) file, often delivered through a phishing email as a ZIP archive. This email may impersonate legitimate organizations, enticing users to open what appears to be a survey file.
Upon activation, the LNK file extracts and launches a custom, lightweight Linux environment through QEMU, an open-source virtualization tool, allowing the malware to establish a concealed presence on the infected Windows system.
The virtual machine comes preconfigured with a backdoor that connects to a remote command-and-control (C2) server. The malware also uses the Chisel tunneling utility to provide undetected remote access to the host machine, which makes the threat difficult for traditional antivirus programs to identify and neutralize, since the malicious activity runs inside the guest rather than as a native Windows process.
In addition to QEMU, CRON#TRAP employs PowerShell commands to execute a script that displays a fake error message, misleading the user into believing that the survey link is broken.
Meanwhile, the malware has already established a connection through the Chisel client, enabling attackers to remotely control the infected host.
This sophisticated campaign exemplifies how threat actors continuously refine their techniques to bypass security measures. Cybersecurity experts warn that spear-phishing campaigns, which also involve malicious file attachments, are increasingly targeting industries such as electronic manufacturing, engineering, and industrial companies across Europe.
For example, a recent campaign using GuLoader malware has been distributing malicious attachments through phishing emails, aiming to install remote-access Trojans (RATs) by leveraging obfuscated PowerShell scripts that ultimately load additional payloads.
To defend against advanced malware like CRON#TRAP, organizations should reinforce email security through phishing detection systems. Implementing multi-layered endpoint security can further reduce the risk of infection.