Innovative TC usage, qemu windows malware
curaga:
https://www.bleepingcomputer.com/news/security/windows-infected-with-backdoored-linux-vms-in-new-phishing-attacks/
Even malware authors realize how nice TC is ;)
qemu.exe happens to be signed; they run TC inside qemu on Windows and then connect back. The article shows they mastered the use of bootlocal and filetool.sh.
gadget42:
reminds me of Rule 34
https://xkcd.com/305/
https://en.wikipedia.org/wiki/Rule_34
just sayin'
nick65go:
Innovative? Yes; [very] easy to defend against? YES!
The solutions are provided in the article already:
"To detect and block these attacks, consider placing monitors for processes like 'qemu.exe' executed from user-accessible folders, put QEMU and other virtualization suites in a blocklist, and disable or block virtualization in general on critical devices from the system BIOS"
The [main] problem is to suspect/monitor that some process is eating the CPU energy. And to restrict common user rights [which is implicit in big corporations with properly qualified IT services].
PS: for my taste the kernel is still a little big for such an attack goal. I mean a KolibriOS with a kernel + OS of [100-320] KB could have more chance on private machines.
However, on W11 the latest WSL2 (Windows Subsystem for Linux) has configuration parameters for global/individual VMs (virtual machines) regarding firewall rules. Of course using WSL2, not qemu (which is mono-CPU). Why use qemu when WSL2 is "free" even for W10?
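The detection idea quoted in the post (flag qemu.exe when it is executed from a user-accessible folder rather than a proper install location) as an added example; this is not code from the thread or the linked article. The process records are constructed here; in practice they would come from Sysmon process-creation events or an EDR process listing, and the name and path lists are assumptions to be tuned per environment.

```python
"""Flag QEMU binaries launched from user-writable Windows locations."""
from pathlib import PureWindowsPath

# QEMU image names to watch for (assumption: common QEMU Windows build names).
QEMU_NAMES = {"qemu.exe", "qemu-system-x86_64.exe", "qemu-system-i386.exe"}

# Directory prefixes a standard user can write to without admin rights.
USER_WRITABLE_PREFIXES = (
    PureWindowsPath(r"C:\Users"),
    PureWindowsPath(r"C:\ProgramData"),
    PureWindowsPath(r"C:\Windows\Temp"),
)

# Where a legitimately installed QEMU would normally live.
TRUSTED_PREFIXES = (
    PureWindowsPath(r"C:\Program Files"),
    PureWindowsPath(r"C:\Program Files (x86)"),
)


def _under(path: str, prefixes) -> bool:
    """Case-insensitive check that path sits below one of the prefixes."""
    p = str(PureWindowsPath(path)).lower()
    return any(p.startswith(str(pre).lower() + "\\") for pre in prefixes)


def is_suspicious_qemu(image_path: str) -> bool:
    """True if the image is a QEMU binary run from a user-writable location."""
    name = PureWindowsPath(image_path).name.lower()
    if name not in QEMU_NAMES:
        return False
    if _under(image_path, TRUSTED_PREFIXES):
        return False  # installed copy; not what the article describes
    return _under(image_path, USER_WRITABLE_PREFIXES)


def scan(records):
    """Return the records (dicts with 'pid' and 'image') that match the rule."""
    return [r for r in records if is_suspicious_qemu(r["image"])]


# Constructed sample: three process records, one matching the phishing pattern.
SAMPLE_PROCESSES = [
    {"pid": 4120, "image": r"C:\Program Files\qemu\qemu-system-x86_64.exe"},
    {"pid": 5532, "image": r"C:\Users\alice\AppData\Local\Temp\qemu.exe"},
    {"pid": 6010, "image": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_PROCESSES):
        print(f"ALERT pid={hit['pid']} image={hit['image']}")
```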