Innovative TC usage, qemu windows malware

[curaga]

https://www.bleepingcomputer.com/news/security/windows-infected-with-backdoored-linux-vms-in-new-phishing-attacks/

Even malware authors realize how nice TC is
qemu.exe happens to be signed, they run TC inside qemu on windows and then connect back. The article shows they mastered the use of bootlocal and filetool.sh.

[gadget42]

reminds of Rule 34

https://xkcd.com/305/

https://en.wikipedia.org/wiki/Rule_34

just sayin'

[nick65go]

Innovative? yes; [very] easy to defend against it? YES!

The solutions are provided in the article already:
"To detect and block these attacks, consider placing monitors for processes like 'qemu.exe' executed from user-accessible folders, put QEMU and other virtualization suites in a blocklist, and disable or block virtualization in general on critical devices from the system BIOS"

The [main] problem is to suspect  /monitor that some process is eating the CPU energy. And to restrict common user rights [which is implicit in big corporations with proper qualified IT services].

PS: for my taste the kernel is still a little big for such an attack goal. I mean a KolibriOS with a kernel + OS of [100-320] KB could have more chance on private machines.
However on W11 the latest WSL2 (Windows Subsystem for Linux) has configuration parameters for global/individual VM (virtual machines) regarding firewall rules. Of course using WLS2; not qemu (which is mono-CPU). Why use qemu when WSL2 is "free" even for W10.