Cybercriminals have discovered a new method of hiding their nefarious activity on compromised machines, by using virtual machines (VMs), SecureWorks researchers warn.
In July 2016, the SecureWorks team observed an attacker creating a VM on a compromised computer and attempting to use it, most likely to avoid detection. The incident, SecureWorks explains, was observed while monitoring the “process creation activity for a client that had experienced a targeted breach.”
The researchers also reveal that the threat actor had already achieved a level of access on the compromised environment that allowed them to interact with the Windows Explorer shell via the Terminal Services Client. The security firm observed the attacker using the Microsoft Management Console (MMC) to launch Hyper-V Manager, a tool used to manage VMs.
A virtual machine is an operating system running inside another operating system; it allows users to test applications or perform other actions out of the reach of security programs and without risking the compromise of the entire system. If a VM is broken, it can simply be deleted and replaced with another one within minutes.
Because security researchers use VMs to analyze malware, cybercriminals build VM detection mechanisms into their malicious applications to hinder analysis (some go as far as blacklisting hundreds of security products for this purpose). However, it appears that not all cybercriminals avoid virtual environments; some have found a way to leverage them for their own benefit.
According to the SecureWorks researchers, after creating a new VM under the generic name of “New Virtual Machine,” the adversary used vmconnect.exe in an attempt to connect to it. An analysis of the system’s Windows Event Log files from July 28, 2016, clearly revealed that the threat actor was abusing the legitimate tools to create and access a VM on the compromised machine.
“The events show the adversary using the MMC to create and attempt to launch a new VM. When the new VM did not start, the threat actor deleted it. The system that the adversary had compromised was itself a VM and therefore could not launch a new one,” the researchers explain.
What this incident reveals, SecureWorks notes, is the lengths to which a threat actor is willing to go to hide their nefarious activities on a compromised system and to avoid detection. Had the attacker succeeded in creating and accessing the virtual machine, they could have used it to conduct malicious activity and then removed all traces by simply deleting the VM when done.
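A defender-side detection sketch for the behaviour described above, added here as an example and not taken from the SecureWorks report: it scans process-creation records for Hyper-V Manager (the virtmgmt.msc snap-in loaded by MMC) and vmconnect.exe launches on hosts where nobody is expected to manage VMs. The log records, their field names and the allowlist of VM-admin hosts are constructed assumptions.

```python
from collections import defaultdict

# Constructed process-creation records (not from the SecureWorks investigation);
# the field names ts/host/user/image/cmdline/parent are an assumed schema.
SAMPLE_EVENTS = [
    {"ts": "2016-07-28T09:58:01Z", "host": "WS-042", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\mmc.exe",
     "cmdline": 'mmc.exe "C:\\Windows\\System32\\virtmgmt.msc"', "parent": "explorer.exe"},
    {"ts": "2016-07-28T10:03:40Z", "host": "WS-042", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\vmconnect.exe",
     "cmdline": 'vmconnect.exe localhost "New Virtual Machine"', "parent": "mmc.exe"},
    {"ts": "2016-07-28T10:05:00Z", "host": "WS-042", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\notepad.exe",
     "cmdline": "notepad.exe", "parent": "explorer.exe"},
    {"ts": "2016-07-28T11:00:00Z", "host": "HV-ADMIN-01", "user": "CORP\\hvadmin",
     "image": "C:\\Windows\\System32\\vmconnect.exe",
     "cmdline": "vmconnect.exe HV-01 web-frontend", "parent": "explorer.exe"},
]

# Hosts where interactive Hyper-V management is a normal job function (assumed allowlist).
EXPECTED_VM_ADMIN_HOSTS = {"HV-ADMIN-01"}

# Each rule is (name, predicate over one record). virtmgmt.msc is the Hyper-V Manager snap-in.
RULES = [
    ("hyperv_manager_via_mmc",
     lambda e: e["image"].lower().endswith("\\mmc.exe") and "virtmgmt.msc" in e["cmdline"].lower()),
    ("vmconnect_console",
     lambda e: e["image"].lower().endswith("\\vmconnect.exe")),
]


def detect_vm_abuse(events, expected_hosts=EXPECTED_VM_ADMIN_HOSTS):
    """Return one alert per (host, user) with VM-management activity outside the allowlist.

    Matches are kept in log order so an analyst sees the whole sequence at once
    (Hyper-V Manager opened, then a console connection to the new VM)."""
    hits = defaultdict(list)
    for e in events:
        if e["host"].upper() in expected_hosts:
            continue  # expected on VM-admin workstations; tune rather than ignore
        for name, match in RULES:
            if match(e):
                hits[(e["host"], e["user"])].append((e["ts"], name, e["cmdline"]))
    return [{"host": h, "user": u, "matches": m} for (h, u), m in sorted(hits.items())]


if __name__ == "__main__":
    for alert in detect_vm_abuse(SAMPLE_EVENTS):
        print(alert["host"], alert["user"])
        for ts, rule, cmd in alert["matches"]:
            print("  ", ts, rule, "->", cmd)
```

In a real deployment the predicates would run over the Security log's process-creation events or an EDR feed, and the allowlist would come from inventory rather than a literal.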