Threat actors have been observed using QEMU, the open-source hardware emulator, as tunneling software in a recent cyber attack against a large company, in order to reach the company's internal infrastructure.
Various legitimate tunneling tools such as Chisel, FRP, ligolo, ngrok, and Plink have been used by attackers in the past, but this is the first known instance of QEMU being used for this purpose.
“We discovered that QEMU allowed for connections between virtual machines, creating network devices (backend) that can connect to the virtual machines,” Kaspersky researchers Grigory Sablin, Alexander Rodchenko, and Kirill Magaskin explained.
“Each network device is defined by its type and supports additional options.”
In essence, the attacker pairs a virtual network interface that reaches the compromised host's network with a socket-type network backend that talks to a remote QEMU instance, so that a virtual machine at the far end can communicate with the compromised network. The socket backend exists so that two QEMU processes can exchange a guest's Ethernet frames over TCP or UDP; pointing it at an attacker-controlled host is what turns the emulator into a tunnel.
The researchers at the Russian cybersecurity firm successfully set up such a tunnel with QEMU from an internal host on the enterprise network that had no internet access, through a pivot host that did, and on to the attacker's cloud server, which was itself running the emulator.
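As an added example (this is not Kaspersky's or the QEMU project's code), the following Python inspects QEMU command lines as they would appear in process-creation telemetry and flags the relay pattern described above: a `socket` network backend joined, directly or through a hub, to a backend that reaches the host's network, on a process that has nothing to boot. The three sample command lines, the hub layout and the address 203.0.113.10 are constructed for this example.

```python
"""Flag QEMU invocations whose networking turns the process into a traffic relay.

Added example, not code from Kaspersky or the QEMU project. It parses QEMU
command lines as they appear in process-creation telemetry and looks for a
socket-type network backend joined to a backend that reaches the host's
network, on a process with no guest to boot. The sample command lines below
are constructed for this example; 203.0.113.10 is a documentation address.
"""
from __future__ import annotations

import shlex
from dataclasses import dataclass, field

# Options that attach bootable media; a pure relay needs none of them.
DISK_FLAGS = {"-drive", "-hda", "-hdb", "-hdc", "-hdd", "-cdrom", "-kernel", "-blockdev", "-pflash"}
IMAGE_SUFFIXES = (".qcow2", ".img", ".iso", ".raw", ".vmdk", ".vdi")
NET_FLAGS = {"-netdev", "-nic", "-net"}
# Backends that hand guest frames to the host's own network stack or interfaces.
HOST_FACING = {"user", "tap", "bridge", "vde", "l2tpv3"}

SAMPLE_CMDLINES = [  # constructed, not taken from a real incident
    # 1. Developer VM: disk image, user-mode networking with a port forward.
    "qemu-system-x86_64 -m 4096 -drive file=dev.qcow2,format=qcow2 "
    "-netdev user,id=n0,hostfwd=tcp::2222-:22 -device virtio-net-pci,netdev=n0",
    # 2. Relay on a pivot host: 1 MB of RAM, no disk, a user (SLIRP) backend and a
    #    socket backend to an outside address joined on one hub. Nothing boots;
    #    frames arriving over the socket are NATed onto the host's network.
    '"C:\\Program Files\\qemu\\qemu-system-x86_64.exe" -m 1M -netdev user,id=lan,restrict=off '
    "-netdev socket,id=sock,connect=203.0.113.10:443 "
    "-netdev hubport,id=p1,hubid=0,netdev=lan -netdev hubport,id=p2,hubid=0,netdev=sock -nographic",
    # 3. Far end: a real VM whose NIC listens for the socket backend. Alone this
    #    is ordinary VM-to-VM networking, so it only earns a review.
    "qemu-system-x86_64 -m 2048 -drive file=vm.qcow2 "
    "-netdev socket,id=s0,listen=:443 -device virtio-net-pci,netdev=s0",
]


def parse_mem_mb(value: str) -> float:
    """Convert a -m argument ('1M', '2G', '4096', 'size=512M,...') to megabytes."""
    size = value.split(",")[0]
    if size.startswith("size="):
        size = size[len("size="):]
    units = {"K": 1 / 1024, "M": 1, "G": 1024, "T": 1024 * 1024}
    suffix = size[-1].upper()
    if suffix in units:
        return float(size[:-1]) * units[suffix]
    return float(size)  # a bare number means megabytes


def parse_backend(spec: str) -> tuple[str, dict[str, str]]:
    """Split 'socket,id=sock,connect=HOST:PORT' into ('socket', {...}).

    -nic and legacy -net also accept the backend as 'type=socket,...'.
    """
    kind = None
    opts: dict[str, str] = {}
    for part in spec.split(","):
        if "=" in part:
            key, val = part.split("=", 1)
            if key == "type" and kind is None:
                kind = val
            else:
                opts[key] = val
        elif kind is None and part:
            kind = part
    return kind or "unknown", opts


@dataclass
class QemuInvocation:
    binary: str
    memory_mb: float | None = None
    has_disk: bool = False
    backends: dict[str, list[dict[str, str]]] = field(default_factory=dict)


def parse_qemu_cmdline(cmdline: str) -> QemuInvocation:
    """Pull the memory, disk and network facts out of one QEMU command line."""
    # posix=False keeps Windows backslashes intact; quotes are stripped by hand.
    argv = [tok.strip('"') for tok in shlex.split(cmdline, posix=False)]
    inv = QemuInvocation(binary=argv[0])
    i = 1
    while i < len(argv):
        tok = argv[i]
        arg = argv[i + 1] if i + 1 < len(argv) else ""
        if tok in NET_FLAGS:
            kind, opts = parse_backend(arg)
            inv.backends.setdefault(kind, []).append(opts)
            i += 2
        elif tok == "-m":
            inv.memory_mb = parse_mem_mb(arg)
            i += 2
        elif tok in DISK_FLAGS:
            inv.has_disk = True
            i += 2
        else:
            if not tok.startswith("-") and tok.lower().endswith(IMAGE_SUFFIXES):
                inv.has_disk = True  # bare positional disk image
            i += 1
    return inv


def assess(inv: QemuInvocation) -> tuple[str, list[str]]:
    """Classify one invocation as 'benign', 'review' or 'relay_suspect'."""
    reasons: list[str] = []
    kinds = set(inv.backends)
    sockets = inv.backends.get("socket", [])
    for opts in sockets:
        for key in ("connect", "listen", "mcast", "udp"):
            if key in opts:
                reasons.append(f"socket backend {key}={opts[key]}")
    # The tunnel needs the socket backend wired to something that reaches the
    # host's network: a host-facing backend directly, or both hung off a hub.
    bridged = bool(kinds & HOST_FACING) or "hubport" in kinds
    if sockets and bridged:
        reasons.append("socket backend joined to a host-facing backend or hub")
    if sockets and not inv.has_disk:
        reasons.append("no disk image or kernel: there is no guest to boot")
    if sockets and inv.memory_mb is not None and inv.memory_mb < 64:
        reasons.append(f"only {inv.memory_mb:g} MB of guest memory")
    if sockets and bridged:
        return "relay_suspect", reasons
    if sockets:
        return "review", reasons
    return "benign", reasons


def scan(cmdlines: list[str]) -> list[tuple[str, list[str]]]:
    """Assess every command line; returns (verdict, reasons) per line."""
    return [assess(parse_qemu_cmdline(c)) for c in cmdlines]


if __name__ == "__main__":
    for cmdline, (verdict, reasons) in zip(SAMPLE_CMDLINES, scan(SAMPLE_CMDLINES)):
        print(f"{verdict:14} {cmdline[:64]}...")
        for reason in reasons:
            print(f"    - {reason}")
```

The verdict rests on the networking options alone; the missing disk and the tiny memory allocation are corroborating signals rather than requirements, since the same relay could be started from an ordinary VM image. A lone `-netdev socket` is common in lab setups, which is why the listening far end only earns a review and should be judged together with the peer address and whatever process started it.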
The finding shows threat actors continuing to adapt their tradecraft, here by dressing up command-and-control and pivoting traffic as the legitimate activity of a widely used virtualization tool.
“Using legitimate tools for malicious purposes is not new to cybersecurity professionals,” noted the researchers.
“This emphasizes the need for multi-layered protection involving both robust endpoint security and specialized solutions to detect and defend against complex and targeted attacks, including those carried out by human operators.”