Cybercriminals have discovered a new method of hiding their nefarious activity on compromised machines, by using virtual machines (VMs), SecureWorks researchers warn.
In July 2016, the SecureWorks team observed an attacker creating a VM on a compromised computer and attempting to use it, most likely to avoid detection. The incident, SecureWorks explains, was observed while monitoring the “process creation activity for a client that had experienced a targeted breach.”
The researchers also reveal that the threat actor had already achieved a level of access on the compromised environment that allowed them to interact with the Windows Explorer shell via the Terminal Services Client. The security firm observed the attacker using the Microsoft Management Console (MMC) to launch Hyper-V Manager, a tool used to manage VMs.
A virtual machine is an operating system inside the operating system and allows users to test applications or perform various other actions out of the reach of security programs and without risking compromising an entire system. If broken, a VM can be simply deleted and replaced with another one within minutes.
Because security researchers use VMs to analyze malware, cybercriminals build VM detection mechanisms inside their malicious applications, to hinder analysis (some blacklist hundreds of security products for that). However, it appears that not all cybercriminals are avoiding virtual environments and that some have found a way to leverage them for their own benefit.
According to the SecureWorks researchers, after creating a new VM under the generic name of “New Virtual Machine,” the adversary used vmconnect.exe in an attempt to connect to it. An analysis of the system’s Windows Event Log files from July 28, 2016, clearly revealed that the threat actor was abusing the legitimate tools to create and access a VM on the compromised machine.
“The events show the adversary using the MMC to create and attempt to launch a new VM. When the new VM did not start, the threat actor deleted it. The system that the adversary had compromised was itself a VM and therefore could not launch a new one,” the researchers explains.
What this incident reveals, SecureWorks notes, is the lengths a threat actor is willing to go to hide their nefarious activities on a compromised system and to avoid detection. In the event that the attacker was successful in creating and accessing the virtual machine, they could have used it to conduct malicious activity and then remove all traces of it by simply deleting the VM when done.