Threat actors were seen using the QEMU open-source hardware emulator as tunneling software to connect to the infrastructure of an undisclosed “large company” during a cyber assault.

While attackers have used a variety of genuine tunneling programs such as Chisel, FRP, ligolo, ngrok, and Plink, this is the first time a QEMU has been utilized in this manner.

“We discovered that QEMU supported connections between virtual machines: the -netdev option creates network devices (backend) that can then connect to the virtual machines,” Kaspersky researchers Grigory Sablin, Alexander Rodchenko, and Kirill Magaskin said.

“Each of the numerous network devices is defined by its type and supports extra options.”

In other words, the goal is to provide both a virtual network interface and a socket-type network interface, enabling the virtual machine to connect with any remote server.

The Russian cybersecurity firm said that it was able to utilize QEMU to create a network tunnel from an internal system inside the business network that did not have internet access to a pivot host with internet access, which links to the attacker’s server in the cloud that runs the emulator.

The data reveal that threat actors are constantly evolving their attack techniques in order to mix harmful traffic with legitimate activity and achieve their operational objectives.

“Malicious actors using legitimate tools to perform various attack steps is nothing new to incident response professionals,” claimed the authors of the study.

“This further supports the concept of multi-level protection, which covers both reliable endpoint protection, and specialized solutions for detecting and protecting against complex and targeted attacks including human-operated ones.”

source