Hackers dodging security tools by dropping secret QEMU virtual machines inside Windows

Hackers are dodging Windows security tools by running secret Linux virtual machines with QEMU, an open-source virtualizer. Security researchers warn that hidden VMs enable long-term access, leading to stolen credentials and data, and to ransomware deployment.
Cybernews previously reported on Russian hackers abusing Microsoft’s own Hyper-V virtualization feature to drop hidden Linux virtual machines on targeted hosts. However, in enterprise configurations, this tool is often locked down or heavily monitored.
So hackers are now choosing another obscure approach.
Sophos, a security company, warns about active abuse of QEMU, an open-source machine emulator and virtualizer. Hackers are running an entire Linux environment inside Windows.
Malicious activities from inside a virtual machine are nearly invisible to endpoint security tools, like Windows Defender.
“Rather than deploying a pre-built toolkit, the attackers manually install and compile their full attack suite within the VM, including Impacket, KrbRelayx, Coercer, BloodHound.py, NetExec, Kerbrute, Metasploit, and supporting libraries for Python, Rust, Ruby, and C++,” Sophos said in a report detailing active exploitation campaigns.
Once again, the attackers rely on Alpine Linux, specifically version 3.22.0. Alpine is a stripped-down Linux distribution, which makes it incredibly small, just a few dozen megabytes, leaving a negligible footprint on host system resources.
This approach helps attackers leave no trace – once they’re done, they simply shut down the VM, delete its image, and vanish.
“Attackers are drawn to QEMU and more common hypervisor-based virtualization tools like Hyper-V, VirtualBox, and VMware,” Sophos researchers said.
“Malicious activity within a virtual machine (VM) is essentially invisible to endpoint security controls and leaves little forensic evidence on the host itself.”
Two threat actors using this approach
One of the threat actors misusing QEMU is associated with the PayoutsKing ransomware deployment and tracked as STAC4713.
In several incidents, these hackers deployed QEMU as a covert reverse SSH backdoor and used it to deliver other malicious tools.
While a limited QEMU build can run even without administrator privileges, the attackers launched the VM from a scheduled task running under the SYSTEM account. They disguised the VM’s disk image as a vault.db file, and later switched to naming it after an obscure DLL library (birsv.dll).
The hackers’ VM creates a reverse SSH tunnel to a remote server, giving them full remote control. They also abused native Windows tools, such as Paint, Notepad, and Edge, for network share discovery and file access.
Another threat actor, tracked as STAC3725, deployed a QEMU VM in February and installed additional tools for enumeration and credential theft.
The attackers used the VM to download credentials, enumerate Kerberos usernames, perform Active Directory reconnaissance, and run FTP servers for payload staging or data exfiltration.
“The abuse of QEMU represents a growing evasion trend where threat actors leverage legitimate virtualization software to conceal malicious actions from endpoint protection agents and audit logs,” Sophos warns.
“A hidden VM with a pre-loaded or compiled attack toolkit can enable a threat actor to have long-term access to a network, providing the ability to deploy malware, harvest credentials, and move laterally without leaving evidence on the host itself.”
The researchers recommend that IT teams audit their systems for unexpected QEMU installations and scheduled tasks, especially ones that run under the SYSTEM account. Unusual port-forwarding rules targeting port 22 (SSH), as well as outbound SSH tunnels originating from non-standard ports, may also hint at malicious activity.
Defenders should also watch out for virtual disk images with uncommon file extensions, such as .db, .dll, or .qcow2.
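The hunting checklist above can be turned into a small triage script. The following is an added example written for this page, not code from Sophos or Cybernews: it parses the CSV produced by `schtasks /query /fo CSV /v` (only the `TaskName`, `Task To Run` and `Run As User` columns are used) and the text of `netstat -ano`, and flags scheduled tasks that launch QEMU, tasks that run as SYSTEM, disk images handed to QEMU under a non-image extension such as `.db` or `.dll`, user-mode port forwards that expose the guest's SSH port, and live connections owned by a QEMU process. The task rows, netstat lines and the QEMU PID set are constructed sample data; on a real host the PIDs would come from `tasklist`.

```python
"""Hunt for covert QEMU virtual machines on a Windows host.

Checks the indicators the report names: QEMU launched from a scheduled
task (especially as SYSTEM), a disk image hidden behind a non-image
extension such as .db or .dll, a user-mode port forward that exposes the
guest's SSH port, and live connections owned by a QEMU process. Input is
the CSV from `schtasks /query /fo CSV /v` and the text of `netstat -ano`;
the samples at the bottom are constructed for illustration.
"""
import csv
import io
import ntpath
import re

QEMU_RE = re.compile(r"\bqemu(?:-system-[a-z0-9_]+)?(?:\.exe)?\b", re.I)
# -hda..-hdd and -cdrom take a bare path; -drive takes key=value pairs with file=
DISK_ARG_RE = re.compile(r'-(?:hd[a-d]|cdrom)\s+"?([^"\s]+)"?|\bfile=([^,\s"]+)', re.I)
# QEMU user-mode networking forward whose guest-side port is 22 (SSH)
SSH_FWD_RE = re.compile(r"hostfwd=(?:tcp|udp):[^,\s]*-:22\b", re.I)
# One `netstat -ano` TCP row: proto, local addr:port, remote addr:port, state, pid
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")
IMAGE_EXTS = {".qcow2", ".qcow", ".img", ".raw", ".vmdk", ".vdi", ".vhd", ".vhdx", ".iso"}
SYSTEM_NAMES = {"SYSTEM", "NT AUTHORITY\\SYSTEM"}


def parse_schtasks_csv(text):
    """Rows of `schtasks /query /fo CSV /v` as dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text.lstrip())))


def disk_images(cmd):
    """Disk/ISO paths handed to QEMU on the command line."""
    return [bare or drive for bare, drive in DISK_ARG_RE.findall(cmd)]


def audit_task(row):
    """Reasons one scheduled task looks like a hidden-VM launcher ([] = nothing found)."""
    cmd = row.get("Task To Run", "")
    if not QEMU_RE.search(cmd):
        return []
    reasons = ["launches QEMU"]
    if row.get("Run As User", "").strip().upper() in SYSTEM_NAMES:
        reasons.append("runs as SYSTEM")
    for img in disk_images(cmd):
        ext = ntpath.splitext(img)[1].lower()
        if ext in IMAGE_EXTS:
            reasons.append(f"disk image: {img}")
        else:
            reasons.append(f"disk image disguised as '{ext or 'no extension'}' file: {img}")
    if SSH_FWD_RE.search(cmd):
        reasons.append("port forward exposes guest SSH (guest port 22)")
    return reasons


def audit_tasks(rows):
    """Map task name -> reasons, for every task that references QEMU."""
    findings = {}
    for row in rows:
        reasons = audit_task(row)
        if reasons:
            findings[row["TaskName"]] = reasons
    return findings


def qemu_connections(netstat_text, qemu_pids):
    """Established TCP connections owned by a QEMU PID; remote port 22 is flagged as SSH."""
    hits = []
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue  # headers, blank lines and UDP rows (no state column) are skipped
        proto, _laddr, lport, raddr, rport, state, pid = m.groups()
        if proto == "TCP" and state == "ESTABLISHED" and int(pid) in qemu_pids:
            hits.append({"pid": int(pid), "local_port": int(lport),
                         "remote": f"{raddr}:{rport}", "ssh": rport == "22"})
    return hits


# Constructed sample data (not taken from any real host or from the report).
SAMPLE_TASKS = (
    '"HostName","TaskName","Task To Run","Run As User"\n'
    '"WS01","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","%windir%\\system32\\defrag.exe -c -h -o -$","SYSTEM"\n'
    '"WS01","\\SystemVaultSync","C:\\ProgramData\\vault\\qemu-system-x86_64.exe -m 512 '
    '-hda C:\\ProgramData\\vault\\vault.db -netdev user,id=n0,hostfwd=tcp::2222-:22 '
    '-device e1000,netdev=n0 -display none","SYSTEM"\n'
    '"WS01","\\DevBox","C:\\Program Files\\qemu\\qemu-system-x86_64.exe -m 2048 '
    '-drive file=C:\\vms\\dev.qcow2,format=qcow2","WS01\\alice"\n'
)
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    10.0.0.5:49712         203.0.113.7:22         ESTABLISHED     4120
  TCP    10.0.0.5:49720         198.51.100.9:443       ESTABLISHED     2288
  UDP    0.0.0.0:500            *:*                                    1204
"""
SAMPLE_QEMU_PIDS = {4120}  # constructed: PID of qemu-system-x86_64.exe from `tasklist`

if __name__ == "__main__":
    for name, reasons in audit_tasks(parse_schtasks_csv(SAMPLE_TASKS)).items():
        print(f"[task] {name}: " + "; ".join(reasons))
    for c in qemu_connections(SAMPLE_NETSTAT, SAMPLE_QEMU_PIDS):
        tag = "SSH" if c["ssh"] else "TCP"
        print(f"[net] PID {c['pid']} {tag} -> {c['remote']} (local port {c['local_port']})")
```

The script reports indicators, not verdicts: the constructed `DevBox` task is also listed because it launches QEMU, but with no SYSTEM principal, no disguised image and no SSH forward, which is what a legitimate developer VM looks like. The `SystemVaultSync` task accumulates all four indicators and is the one worth pulling the disk image and the task's creation time for.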