In their report, the researchers highlight the existence of numerous tools that facilitate the creation of a network tunnel between two systems. While some operate directly, others employ an intermediary server, enabling attackers to conceal their server’s IP address. Tools like ngrok and FRP were frequently used by attackers, collectively appearing in 10% of attacks.
Because these tools are so frequently misused, security monitoring products and cybersecurity specialists have long treated them as suspicious. Consequently, attackers are looking for alternative methods that avoid this scrutiny.
During the investigation of an incident at a large, unnamed company, researchers discovered atypical activities by the attackers. Analysis of artifacts revealed that the attackers deployed and used the following tools in the system:
Mimikatz, a program designed to extract passwords, password hashes, and Kerberos tickets from the operating system's memory, as well as to conduct various attacks on Active Directory;
QEMU, a program for emulating the hardware of various platforms.
The purpose of the other programs in this list was obvious, but the use of QEMU raised questions among the researchers, since it was unclear why the attackers suddenly needed a virtualization environment.
It turned out that in this case, QEMU was used as a tool for creating network tunnels, which was unlikely to raise suspicions (even if it meant foregoing traffic encryption). Moreover, QEMU provides hackers with unique capabilities, including the emulation of a wide range of hardware and virtual networks, allowing malicious activity to blend in with regular virtualization traffic and connect segmented parts of the network.
In the studied attack, the hackers tried to leave as few traces as possible, allocating only 1 MB of RAM to the virtual machine, which significantly reduced the likelihood of its detection due to resource consumption.
The configuration of the virtual machine, launched without using a LiveCD or disk image, included the following parameters:
-netdev user,id=lan,restrict=off: creates a virtual network interface named lan with the type user, allowing the virtual machine to communicate with the outside world through the host's network stack. The option restrict=off means there are no restrictions on incoming and outgoing connections;
-netdev socket,id=sock,connect=:443: creates a network interface of type socket named sock, allowing connection to a remote server at the specified IP address and port 443;
-netdev hubport,id=port-lan,hubid=0,netdev=lan: adds a port to the virtual hub (with hubid=0) associated with the virtual network interface lan;
-netdev hubport,id=port-sock,hubid=0,netdev=sock: similarly, adds another port to the same virtual hub associated with the virtual network interface sock;
-nographic: launches QEMU without a graphical interface, using the console for output.
It was found that QEMU allows creating a network connection between virtual machines: the -netdev option creates network backends that can then be attached to virtual machines. Each backend is defined by its type (of which there are many) and may take additional parameters.
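The parameter list above is also a detection opportunity: a QEMU process that combines an outbound socket backend, a hub port bridging it to a user-mode backend, no disk image or kernel, and a tiny memory budget looks nothing like a legitimate virtual machine. The following Python is an added example written for this page, not code from the report or from the QEMU project. It parses QEMU command lines as an EDR or Sysmon process-creation event would record them, extracts the -netdev, -m and boot-media options, and flags the tunnelling pattern. The two sample events are constructed; the remote address 203.0.113.10 is a documentation-range placeholder standing in for the address the report elides.

```python
import re
import shlex

# Constructed sample process-creation records (not from the report): the image
# path and the command line as a process-creation event would record them.
SAMPLE_EVENTS = [
    {"image": "C:/Users/Public/qemu/qemu-system-i386.exe",
     "cmdline": "qemu-system-i386.exe -m 1M -netdev user,id=lan,restrict=off "
                "-netdev socket,id=sock,connect=203.0.113.10:443 "
                "-netdev hubport,id=port-lan,hubid=0,netdev=lan "
                "-netdev hubport,id=port-sock,hubid=0,netdev=sock -nographic"},
    # Benign developer VM: disk image, normal memory size, no socket backend.
    {"image": "/usr/bin/qemu-system-x86_64",
     "cmdline": "qemu-system-x86_64 -m 2048 -hda /var/lib/vms/dev.qcow2 "
                "-netdev user,id=n0,hostfwd=tcp::2222-:22 -device e1000,netdev=n0"},
]

# Options that give the guest something to boot from; a tunnel VM has none.
BOOT_MEDIA_FLAGS = {"-hda", "-hdb", "-hdc", "-hdd", "-cdrom", "-drive",
                    "-kernel", "-bios", "-pflash"}


def parse_mem_mb(value):
    """Convert a -m argument to MiB. A bare number means MiB in QEMU; the M and G
    suffixes and the 'size=' prefix are accepted. Returns None if unparsable."""
    m = re.match(r"^(?:size=)?(\d+)([MmGg]?)(?:i?[Bb])?$", value)
    if not m:
        return None
    n, unit = int(m.group(1)), m.group(2).upper()
    return n * 1024 if unit == "G" else n


def parse_netdev(spec):
    """Parse one -netdev value such as 'hubport,id=port-lan,hubid=0,netdev=lan'
    into a dict; the first comma-separated element is the backend type."""
    parts = spec.split(",")
    dev = {"type": parts[0]}
    for kv in parts[1:]:
        key, _, val = kv.partition("=")
        dev[key] = val if val else "on"
    return dev


def parse_qemu_cmdline(cmdline):
    """Extract the fields the tunnel heuristic needs from a QEMU command line."""
    tokens = shlex.split(cmdline)
    info = {"netdevs": [], "mem_mb": None, "boot_media": False, "nographic": False}
    i = 1  # skip the executable name
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if tok == "-netdev" and nxt is not None:
            info["netdevs"].append(parse_netdev(nxt))
            i += 2
        elif tok == "-m" and nxt is not None:
            info["mem_mb"] = parse_mem_mb(nxt)
            i += 2
        elif tok in BOOT_MEDIA_FLAGS:
            info["boot_media"] = True
            i += 2  # these options take a value
        else:
            if tok == "-nographic":
                info["nographic"] = True
            i += 1
    return info


def tunnel_indicators(info):
    """List the indicators of the QEMU tunnelling pattern present in a parsed
    command line: outbound socket backend, hub bridging user and socket backends,
    no boot media, tiny memory, headless operation."""
    ind = []
    by_id = {d.get("id"): d for d in info["netdevs"]}
    if any(d["type"] == "socket" and "connect" in d for d in info["netdevs"]):
        ind.append("socket_backend_connects_out")
    # Collect the backend types attached to each virtual hub through hubport.
    hubs = {}
    for d in info["netdevs"]:
        if d["type"] == "hubport" and "netdev" in d:
            member_type = by_id.get(d["netdev"], {}).get("type")
            hubs.setdefault(d.get("hubid", "0"), set()).add(member_type)
    if any({"user", "socket"} <= members for members in hubs.values()):
        ind.append("hub_bridges_user_and_socket")
    if not info["boot_media"]:
        ind.append("no_disk_or_kernel")
    if info["mem_mb"] is not None and info["mem_mb"] <= 16:
        ind.append("tiny_memory")
    if info["nographic"]:
        ind.append("headless")
    return ind


def is_probable_tunnel(info):
    """An outbound socket backend plus either a user/socket hub bridge or a VM
    with nothing to boot is the combination worth an alert."""
    ind = set(tunnel_indicators(info))
    return "socket_backend_connects_out" in ind and (
        "hub_bridges_user_and_socket" in ind or "no_disk_or_kernel" in ind)


def scan_events(events):
    """Return (image, flagged, indicators) for every event."""
    out = []
    for ev in events:
        info = parse_qemu_cmdline(ev["cmdline"])
        out.append((ev["image"], is_probable_tunnel(info), tunnel_indicators(info)))
    return out


if __name__ == "__main__":
    for image, flagged, ind in scan_events(SAMPLE_EVENTS):
        print(("ALERT " if flagged else "ok    ") + image + "  " + ", ".join(ind))
```

The heuristic deliberately requires the outbound socket backend: the user backend alone, or a small headless VM alone, is common in CI and developer tooling and would generate noise. In a real deployment the same parser would run over the command-line field of process-creation telemetry, filtered to images whose name starts with qemu-system.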
Ultimately, using QEMU, the attackers created a network tunnel from the target internal host, which had no internet access, to a host with internet access, which, in turn, connected to the attackers’ cloud server, where a virtual machine with Kali Linux was installed.
“The use of legitimate programs by attackers to perform various tasks during an attack is not news to those involved in incident response. However, it must be acknowledged that attackers sometimes find very original ways to use not-so-obvious programs, as was the case with QEMU. This is another argument in favor of the concept of multi-layered (tiered) defense, which includes, in addition to a reliable solution for endpoint protection, also specialized solutions for detecting and protecting against complex and targeted attacks, including those operated by humans. Only comprehensive protection, including round-the-clock monitoring of activity in the network (NDR, NGFW) and on endpoints (EDR, EPP), for example, by SOC experts, will allow anomalies to be detected in time and the attack to be blocked at an early stage,” conclude the experts.