Cyberattack Uncovered: Network Tunneling with QEMU

In a sophisticated cyberattack targeting a major corporation, malefactors employed the open-source QEMU hypervisor platform as a tool for creating a network tunnel. QEMU, a free emulator and hypervisor, facilitates the operation of various operating systems as guest systems on a computer.

Kaspersky Lab analysts discovered that hackers utilized QEMU to forge virtual network interfaces and a socket-type network device to establish a connection to a remote server. Such maneuvers enabled the attackers to create a network tunnel with minimal impact on system performance, showcasing an unusual diversity in the methods cybercriminals employ to maintain stealth.

Network tunnels are designed to establish a covert and secure communication channel between hackers and the compromised system, typically encrypting traffic to circumvent firewalls and Intrusion Detection Systems (IDS).

Experts note that in 10% of cases investigated over the last three years, hackers have used tools like FRP and ngrok to create tunnels, among others. Due to frequent misuse, defenders and monitoring tools view such instruments with suspicion.

However, in this instance, the attackers chose a less conventional tool, requiring no traffic encryption, and launched with non-standard parameters, which did not arouse suspicion among monitoring tools. It is crucial to note that the absence of encryption allows for the analysis of transmitted data when traffic is intercepted. Despite using legitimate tools, such activity can be detected with specialized solutions for identifying and protecting against complex and targeted attacks.

QEMU offers unique capabilities, such as the emulation of a wide range of hardware and virtual networks, enabling hackers to disguise their activity as legitimate virtualization traffic and connect segmented parts of the network through strategically configured virtual machine footholds.

During the attack, hackers utilized the Angry IP Scanner for network scanning, mimikatz for credential theft, and QEMU for creating a complex network tunneling scheme, ensuring a hidden communication channel. Aiming to minimize their footprint, the attackers allocated only 1 MB of RAM for the created virtual machine, significantly reducing the chances of detection by resource consumption.

Leveraging QEMU, the malefactors established a network tunnel from a target internal host, which had no internet access, to a pivot host with internet access. This pivot host, in turn, connects to a C2 server in the cloud running a Kali Linux virtual machine.

Experiments with QEMU confirmed its efficacy as a tool for tunnel creation, allowing malefactors access to isolated systems within the corporate network. For instance, a successful connection to a system isolated from the internet via RDP demonstrates the practical applicability of this approach.

Kaspersky Lab recommends that companies adopt a multilayered protection strategy to detect the use of legitimate tools, including round-the-clock network monitoring, which may be cost-prohibitive for many small enterprises. Only comprehensive security, including network (NDR, NGFW) and endpoint monitoring (EDR, EPP) with SOC experts’ involvement, can timely detect anomalies and block an attack at its inception.