Threat actors have been observed leveraging the open source hardware emulator QEMU as tunneling software during a cyberattack against an unnamed “large enterprise” to connect to their infrastructure.
While numerous legitimate tunneling tools such as Chisel, FRP, ligolo, ngrok, and Plink have been used by adversaries to their advantage, this is the first time QEMU has been observed being used for this purpose.
“We found that QEMU supports connections between virtual machines: the -netdev option creates network devices (backends) that can then connect to virtual machines,” said Kaspersky researchers Grigory Sablin, Alexander Rodchenko and Kirill Magaskin.
“Each of the numerous network devices is defined by its type and supports extra options.”
In other words, the attackers create both a virtual network interface and a socket network interface, which lets the virtual machine communicate with any remote server.
The Russian cybersecurity firm said it was able to use QEMU to set up a network tunnel from an internal host within the corporate network that had no Internet access to a pivot host with Internet access, which in turn connects to the attacker’s cloud-hosted server, itself running the emulator.
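As an added illustration (not code from the Kaspersky report or this article), the following Python flags QEMU process launches whose -netdev configuration matches the pattern described above: a socket backend dialing out, alongside a headless guest with no boot media. The process-creation events, hostnames and addresses are constructed.

```python
"""Flag QEMU launches whose -netdev options look like a tunnel, not a VM.
Added illustration for the technique described above; log lines are constructed."""
import ipaddress
import re

# Constructed process-creation events: (host, command line). Event 1 mimics the
# internal-host-to-pivot hop, event 2 is a routine developer VM.
EVENTS = [
    ("ws-17", "qemu-system-i386 -m 1M -netdev user,id=lan "
              "-netdev socket,id=sock,connect=203.0.113.10:443 -nographic"),
    ("ws-22", "C:\\Tools\\qemu-system-i386.exe -m 1M "
              "-netdev socket,id=sock,connect=10.20.30.40:443 -nographic"),
    ("dev-03", "qemu-system-x86_64 -m 4G -hda ubuntu.qcow2 "
               "-netdev user,id=n1,hostfwd=tcp::2222-:22 -device e1000,netdev=n1"),
]
QEMU_BIN = re.compile(r"qemu-system-\w+(\.exe)?$", re.IGNORECASE)
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_internal(host):
    """RFC 1918/loopback counts as internal; hostnames are treated as external."""
    try:
        return any(ipaddress.ip_address(host) in n for n in INTERNAL)
    except ValueError:
        return False

def parse_netdevs(argv):
    """Each -netdev value is 'type,key=val,...'; return [(type, {key: val})]."""
    out = []
    for i, tok in enumerate(argv[:-1]):
        if tok == "-netdev":
            kind, *kv = argv[i + 1].split(",")
            out.append((kind, dict(p.split("=", 1) for p in kv if "=" in p)))
    return out

def tunnel_indicators(cmdline):
    """Return reasons the command line resembles tunneling; [] if benign/not QEMU.
    Simple whitespace split: real logs need quote-aware parsing."""
    argv = cmdline.split()
    if not argv or not QEMU_BIN.search(argv[0]):
        return []
    reasons = []
    for kind, opts in parse_netdevs(argv):
        if kind == "socket" and "connect" in opts:
            host = opts["connect"].rsplit(":", 1)[0]
            where = "internal pivot" if is_internal(host) else "external host"
            reasons.append(f"socket backend dials {opts['connect']} ({where})")
    if "-nographic" in argv and not {"-hda", "-drive", "-cdrom", "-kernel"} & set(argv):
        reasons.append("headless guest with no boot media: nothing to run but the tunnel")
    return reasons
```

Run over real endpoint telemetry, a socket backend pointing at an internal pivot is the hop worth chasing first, since the pivot host is where the Internet-facing leg of the tunnel will be found.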
The results show that threat actors continually diversify their attack strategies to blend malicious traffic with real activity and achieve their operational objectives.
“Malicious actors using legitimate tools to execute various attack stages is nothing new to incident response professionals,” the researchers said.
“This further supports the concept of multi-layered protection, which covers both reliable endpoint protection and specialized solutions for detecting and protecting against complex, targeted attacks, including those operated by humans.”