SecurityWeek

Cloud Security
Attacker Uses Virtual Machine to Hide Malicious Activity

Cybercriminals have discovered a new method of hiding their nefarious activity on compromised machines, by using virtual machines (VMs), SecureWorks researchers warn.


In July 2016, the SecureWorks team observed an attacker creating a VM on a compromised computer and attempting to use it, most likely to avoid detection. The incident, SecureWorks explains, was observed while monitoring the “process creation activity for a client that had experienced a targeted breach.”

The researchers also note that the threat actor had already gained enough access to interact with the Windows Explorer shell through a remote desktop session (the Terminal Services Client), that is, a full interactive desktop rather than just a command shell. From that session the attacker used the Microsoft Management Console (MMC) to open Hyper-V Manager, the MMC snap-in used to create and manage VMs.

A virtual machine runs a complete guest operating system on top of a hypervisor, isolated from the host. Security tools installed on the host see the guest only as the hypervisor's worker process and a virtual disk file; they have no visibility into the processes, files or registry changes inside the guest unless the guest itself is instrumented (network traffic leaving the guest is the main exception, since it still crosses the host's virtual switch). That isolation is why VMs are used to test software or detonate samples without risking the host, and if a VM is broken or compromised it can simply be deleted and replaced within minutes.

Because security researchers use VMs to analyze malware, cybercriminals build VM detection into their malicious applications to hinder analysis; some samples check for the presence of hundreds of security and analysis products and exit if any are found. It appears, however, that not all cybercriminals avoid virtual environments, and that some have found a way to leverage them for their own benefit.

According to the SecureWorks researchers, after creating a new VM under the default name “New Virtual Machine,” the adversary ran vmconnect.exe (the Virtual Machine Connection client) in an attempt to connect to it. An analysis of the system’s Windows Event Log files from July 28, 2016 clearly showed the threat actor using these legitimate tools to create and access a VM on the compromised machine.

“The events show the adversary using the MMC to create and attempt to launch a new VM. When the new VM did not start, the threat actor deleted it. The system that the adversary had compromised was itself a VM and therefore could not launch a new one,” the researchers explain.

What this incident reveals, SecureWorks notes, is how far a threat actor will go to hide activity on a compromised system and evade detection. Had the VM started, the attacker could have run their tooling inside the guest, where the host's endpoint agents see only Hyper-V's worker process and a disk image, and then erased all of it by deleting the VM when done. Two caveats matter for defenders. First, the attempt failed for a structural reason: running Hyper-V inside a guest requires nested virtualization, which Hyper-V only supports from Windows Server 2016 and the Windows 10 Anniversary Update onward, and only when the outer hypervisor explicitly exposes the virtualization extensions to that VM; on a guest whose host does not do so, the Hyper-V role cannot start a VM. Second, deleting a VM does not delete the host-side record of it: the process-creation events for mmc.exe and vmconnect.exe, the Hyper-V-VMMS Admin log entries for the VM's creation and removal, and the remote session that drove them all survive, which is exactly the evidence this activity was spotted from.
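The following is an added example of the kind of hunt a defender could run over the host-side evidence described above; it is not SecureWorks code and the incident's actual event records are not public. It works on constructed sample records that mimic two sources: Security event 4688 (process creation) and the Hyper-V-VMMS Admin log. The flat field names (time, channel, event_id, user, process, cmdline, action, vm), the "created"/"deleted" action labels and the sample user and VM names are this example's own assumptions; a SIEM or an EVTX parser would map real records onto them. Three rules are applied: Hyper-V tool launches (vmconnect.exe, the Hyper-V Manager snap-in, Hyper-V cmdlets), VM creation by accounts outside an allow-list of known Hyper-V administrators, and VMs that are created and deleted within a short window, the create-use-wipe pattern the article describes.

```python
"""Hunt for attacker use of Hyper-V on a compromised Windows host.

Added example (not SecureWorks code). It runs over constructed event records
that mimic Security event 4688 (process creation) and the Hyper-V-VMMS Admin
log. The flat field names (time, channel, event_id, user, process, cmdline,
action, vm) are this example's own normalised schema, an assumption; real
EVTX records would be mapped onto it by a SIEM or a parser over exported XML.
"""
import re
from datetime import datetime, timedelta

VMMS_CHANNEL = "Microsoft-Windows-Hyper-V-VMMS-Admin"

# Constructed sample records. The first four reproduce the sequence described
# in the article: Hyper-V Manager opened via mmc.exe, a VM named
# "New Virtual Machine" created, vmconnect.exe used to reach it, VM deleted.
SAMPLE_EVENTS = [
    {"time": "2016-07-28 10:02:11", "channel": "Security", "event_id": 4688,
     "user": "CORP\\svc_backup", "process": r"C:\Windows\System32\mmc.exe",
     "cmdline": r'"C:\Windows\System32\mmc.exe" C:\Windows\System32\virtmgmt.msc'},
    {"time": "2016-07-28 10:03:40", "channel": VMMS_CHANNEL, "user": "CORP\\svc_backup",
     "action": "created", "vm": "New Virtual Machine"},
    {"time": "2016-07-28 10:04:02", "channel": "Security", "event_id": 4688,
     "user": "CORP\\svc_backup", "process": r"C:\Windows\System32\vmconnect.exe",
     "cmdline": r'"C:\Windows\System32\vmconnect.exe" localhost "New Virtual Machine"'},
    {"time": "2016-07-28 10:06:15", "channel": VMMS_CHANNEL, "user": "CORP\\svc_backup",
     "action": "deleted", "vm": "New Virtual Machine"},
    # Benign noise: an administrator's long-lived build VM and an unrelated process.
    {"time": "2016-07-01 09:00:00", "channel": VMMS_CHANNEL, "user": "CORP\\it_admin",
     "action": "created", "vm": "build-agent-01"},
    {"time": "2016-07-28 11:00:00", "channel": "Security", "event_id": 4688,
     "user": "CORP\\jdoe", "process": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]

# Image names and command-line fragments that mean a human is driving Hyper-V.
TOOL_PATTERNS = [
    (re.compile(r"\\vmconnect\.exe\b", re.I), "vmconnect.exe: Virtual Machine Connection client launched"),
    (re.compile(r"virtmgmt\.msc", re.I), "mmc.exe loaded the Hyper-V Manager snap-in"),
    (re.compile(r"\b(New|Start|Remove)-VM\b", re.I), "Hyper-V PowerShell cmdlet on the command line"),
]


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")


def find_tool_launches(events):
    """One finding per 4688 record whose image path or command line names a Hyper-V tool."""
    findings = []
    for ev in events:
        if ev.get("channel") != "Security" or ev.get("event_id") != 4688:
            continue
        text = f"{ev.get('process', '')} {ev.get('cmdline', '')}"
        for pattern, reason in TOOL_PATTERNS:
            if pattern.search(text):
                findings.append({"rule": "hyperv_tool", "time": ev["time"],
                                 "user": ev["user"], "detail": reason})
                break
    return findings


def find_short_lived_vms(events, window=timedelta(hours=1)):
    """Pair VMMS created/deleted records by VM name and flag lifetimes under `window`.

    Deleting the VM removes the guest's disk and memory state, but the VMMS
    records that bracket its existence stay on the host; a VM that lived for
    minutes is the create-use-wipe pattern the article describes.
    """
    born, findings = {}, []
    for ev in sorted(events, key=lambda e: parse_time(e["time"])):
        if ev.get("channel") != VMMS_CHANNEL:
            continue
        if ev["action"] == "created":
            born[ev["vm"]] = ev
        elif ev["action"] == "deleted" and ev["vm"] in born:
            lifetime = parse_time(ev["time"]) - parse_time(born.pop(ev["vm"])["time"])
            if lifetime <= window:
                secs = int(lifetime.total_seconds())
                findings.append({"rule": "short_lived_vm", "time": ev["time"],
                                 "user": ev["user"],
                                 "detail": f"{ev['vm']!r} existed for {secs}s"})
    return findings


def find_unexpected_creators(events, allowed_users):
    """Flag VM creation by any account outside the set of known Hyper-V administrators."""
    return [{"rule": "unexpected_creator", "time": ev["time"], "user": ev["user"],
             "detail": f"{ev['user']} created {ev['vm']!r}"}
            for ev in events
            if ev.get("channel") == VMMS_CHANNEL and ev.get("action") == "created"
            and ev["user"] not in allowed_users]


def hunt(events, allowed_users):
    """Run all three rules and return the findings in time order."""
    findings = (find_tool_launches(events)
                + find_short_lived_vms(events)
                + find_unexpected_creators(events, allowed_users))
    return sorted(findings, key=lambda f: parse_time(f["time"]))


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS, allowed_users={"CORP\\it_admin"}):
        print(f"{f['time']}  {f['rule']:<18} {f['user']:<16} {f['detail']}")
```

On the constructed input the hunt produces four findings in sequence (Hyper-V Manager opened, VM created by a non-administrator account, vmconnect.exe launched, VM deleted 155 seconds after creation) while ignoring the administrator's long-lived build VM and the unrelated notepad.exe launch. The tool-launch rule depends on command-line logging being enabled for 4688 (or on Sysmon event 1), since the Hyper-V Manager snap-in only shows up as an argument to mmc.exe.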

Related: Crisis Malware Able to Hijack Virtual Machines
