Attacker Uses Virtual Machine to Hide Malicious Activity

Cybercriminals have discovered a new method of hiding their nefarious activity on compromised machines, by using virtual machines (VMs), SecureWorks researchers warn.

In July 2016, the SecureWorks team observed an attacker creating a VM on a compromised computer and attempting to use it, most likely to avoid detection. The incident, SecureWorks explains, was observed while monitoring the “process creation activity for a client that had experienced a targeted breach.”

The researchers also reveal that the threat actor had already achieved a level of access on the compromised environment that allowed them to interact with the Windows Explorer shell via the Terminal Services Client. The security firm observed the attacker using the Microsoft Management Console (MMC) to launch Hyper-V Manager, a tool used to manage VMs.

A virtual machine is a guest operating system running inside the host operating system. It lets users test applications or perform other actions out of reach of the host's security software and without risking the compromise of the entire system. If a VM is broken, it can simply be deleted and replaced with a new one within minutes.

Because security researchers use VMs to analyze malware, cybercriminals build VM-detection mechanisms into their malicious applications to hinder analysis (some also check for the presence of hundreds of security products and refuse to run if any are found). However, it appears that not all cybercriminals avoid virtual environments, and that some have found a way to use them to their own advantage.

According to the SecureWorks researchers, after creating a new VM under the generic name of “New Virtual Machine,” the adversary used vmconnect.exe in an attempt to connect to it. An analysis of the system’s Windows Event Log files from July 28, 2016, clearly revealed that the threat actor was abusing the legitimate tools to create and access a VM on the compromised machine.

“The events show the adversary using the MMC to create and attempt to launch a new VM. When the new VM did not start, the threat actor deleted it. The system that the adversary had compromised was itself a VM and therefore could not launch a new one,” the researchers explain.
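The incident was spotted through process-creation monitoring and confirmed in the Windows Event Log, so the natural defender-side takeaway is a detection rule over process-creation events. The script below is an added example, not SecureWorks' or SecurityWeek's code: it flags the three observable steps named in the article (MMC launching Hyper-V Manager, vmconnect.exe connecting to a guest, and the default “New Virtual Machine” name) and then correlates them per user. The log line layout (timestamp | user | parent | image | cmdline), the user names and the sample events are all constructed for this example; the only assumption about Windows itself is that Hyper-V Manager is the virtmgmt.msc MMC snap-in.

```python
"""Detect the Hyper-V abuse pattern described in the article in
process-creation logs.

Constructed example: the log format below (fields separated by '|') is
an assumption for illustration, not a real product's format.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Hyper-V Manager is the virtmgmt.msc snap-in loaded by mmc.exe (assumption
# about the Windows tool, not something stated in the article).
HYPERV_MANAGER_SNAPIN = "virtmgmt.msc"
# Default name Hyper-V gives a freshly created guest; the adversary kept it.
DEFAULT_VM_NAME = "new virtual machine"


@dataclass
class ProcEvent:
    ts: str        # ISO timestamp of process creation
    user: str      # account that created the process
    parent: str    # parent image name
    image: str     # full path of the created process
    cmdline: str   # command line of the created process


def parse_event(line: str) -> Optional[ProcEvent]:
    """Parse one constructed 'ts | user | parent | image | cmdline' line."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) != 5:
        return None  # malformed line: skip rather than crash the sweep
    return ProcEvent(*parts)


def classify(ev: ProcEvent) -> List[str]:
    """Return the detection tags that apply to a single event."""
    tags: List[str] = []
    image = ev.image.lower().rsplit("\\", 1)[-1]  # basename, case-folded
    cmd = ev.cmdline.lower()
    if image == "mmc.exe" and HYPERV_MANAGER_SNAPIN in cmd:
        tags.append("hyperv-manager-launched")
    if image == "vmconnect.exe":
        tags.append("vm-console-connect")
    if DEFAULT_VM_NAME in cmd:
        tags.append("default-vm-name")
    return tags


Hit = Tuple[str, str, str, List[str]]  # (ts, user, image, tags)


def detect(lines: List[str]) -> List[Hit]:
    """Sweep a list of log lines and return every event with at least one tag."""
    hits: List[Hit] = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        tags = classify(ev)
        if tags:
            hits.append((ev.ts, ev.user, ev.image, tags))
    return hits


def suspicious_users(hits: List[Hit]) -> Set[str]:
    """Users who both opened Hyper-V Manager and connected to a guest console.

    The single events are weak signals on a legitimate Hyper-V host; the
    combination under one account is what matched the incident's timeline.
    """
    seen = {}
    for _ts, user, _image, tags in hits:
        seen.setdefault(user, set()).update(tags)
    return {u for u, t in seen.items()
            if {"hyperv-manager-launched", "vm-console-connect"} <= t}


# Constructed sample events (user names and paths invented; the date matches
# the article's July 28, 2016 log review).
SAMPLE_LOG = [
    "2016-07-28T10:02:11Z | CORP\\jdoe | explorer.exe | C:\\Windows\\System32\\mmc.exe | mmc.exe \"C:\\Windows\\System32\\virtmgmt.msc\"",
    "2016-07-28T10:05:40Z | CORP\\jdoe | mmc.exe | C:\\Windows\\System32\\vmconnect.exe | vmconnect.exe localhost \"New Virtual Machine\"",
    "2016-07-28T10:06:02Z | CORP\\svc_backup | services.exe | C:\\Windows\\System32\\svchost.exe | svchost.exe -k netsvcs",
    "2016-07-28T10:07:15Z | CORP\\jdoe | explorer.exe | C:\\Windows\\System32\\notepad.exe | notepad.exe notes.txt",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for ts, user, image, tags in found:
        print(f"{ts} {user} {image} -> {', '.join(tags)}")
    print("users to triage:", sorted(suspicious_users(found)))
```

Running the module prints the two tagged events and lists the one account to triage. On a host that is a legitimate Hyper-V server the two individual tags will fire constantly, so the per-user correlation (plus, in practice, an allow-list of administrators and the RDP session context the article mentions) is what keeps the rule useful.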

What this incident reveals, SecureWorks notes, is the lengths to which a threat actor is willing to go to hide their activities on a compromised system and avoid detection. Had the attacker succeeded in creating and accessing the virtual machine, they could have used it to conduct malicious activity and then removed all traces of it simply by deleting the VM when done.

Related: Crisis Malware Able to Hijack Virtual Machines
