The Human Connection Blog

New CTI Lab: CRON#TRAP – Linux Environment Emulation

BenMcCarthy
2 months ago

Today we have released a brand new lab on how a malicious actor has been gaining access to endpoints through phishing combined with a virtual machine. You will analyze how the technique works and what information is quickly available as indicators of compromise.

On November 4, 2024, Securonix published research identifying a novel attack chain in which attackers deploy a custom Linux virtual machine using the QEMU emulator to persist on endpoints, allowing them to run commands and deliver malware.

Why have we created this content?
Because this technique is new and novel, this content was created to educate users on how legitimate tooling, such as virtual environments, can be abused by attackers. When the user is tricked into opening a .lnk file, the virtual machine starts and attaches to the host, giving the attacker backdoor access to an endpoint that effectively acts as a proxy.
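One defender-side check that follows from this description, added here as an example and not taken from the lab or from the Securonix research: flag QEMU processes that run from a user-writable path, and raise severity when the parent is a script host, the explorer -> cmd -> qemu chain a .lnk-launched script typically produces. The event records, field names and path heuristics are constructed assumptions, not real telemetry.

```python
import re

# Constructed Sysmon-style process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\qemu\qemu-system-x86_64.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Users\alice\AppData\Local\Temp\pkg\qemu-system-x86_64.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Users\bob\Downloads\tools\qemu-system-i386.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
]

QEMU_IMAGE = re.compile(r"\\qemu-system-[a-z0-9_]+\.exe$", re.IGNORECASE)
# Assumed heuristic: QEMU dropped by a phishing archive lands in a user-writable
# folder rather than a normal install location such as Program Files.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\|\\Temp\\", re.IGNORECASE)
# A .lnk that runs a script typically yields explorer.exe -> cmd.exe -> qemu.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def assess_event(event):
    """Return a finding dict for a suspicious QEMU launch, or None if the event is not one."""
    image = event["image"]
    if not QEMU_IMAGE.search(image) or not USER_WRITABLE.search(image):
        return None  # either not QEMU, or QEMU started from an installed location
    reasons = ["qemu-system binary executing from a user-writable path"]
    severity = "medium"
    if basename(event["parent_image"]) in SCRIPT_HOSTS:
        reasons.append("parent is a script host, consistent with a .lnk -> cmd -> qemu chain")
        severity = "high"
    return {"image": image, "severity": severity, "reasons": reasons}


def find_suspicious_qemu_launches(events):
    """Filter a stream of process-creation events down to QEMU launches worth triage."""
    return [f for f in map(assess_event, events) if f is not None]


if __name__ == "__main__":
    for finding in find_suspicious_qemu_launches(SAMPLE_EVENTS):
        print(finding["severity"], finding["image"], "|", "; ".join(finding["reasons"]))
```

A legitimately installed QEMU launched from an administrator's shell is not flagged, because the path check is the gate and the parent check only adjusts severity.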

What are we publishing?
All customers on a CyberPro License have immediate access to a new lab.

Who is this content for?
This lab is focused on upskilling and increasing the defensive capabilities of the following roles:

  • Incident Responders
  • Threat Hunters
  • Malware Analysts

Updated 2 months ago
Version 1.0