{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/qemu/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud","QEMU"],"_cs_severities":["high"],"_cs_tags":["qemu","virtualization","persistence","linux","windows"],"_cs_type":"advisory","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eThis threat brief focuses on the suspicious execution of QEMU (Quick Emulator) on Windows systems. Attackers are leveraging QEMU, a legitimate open-source machine emulator and virtualizer, to establish persistence and potentially gain initial access. By executing QEMU with the \u003ccode\u003e-nographic\u003c/code\u003e flag along with an image file, the virtual machine operates in the background without a graphical display, making it less conspicuous to the user. This technique has been observed as a method to deploy rogue Linux virtual machines, which can then be used for various malicious activities. The securonix.com blog and bleepingcomputer.com news have reported on this technique being used in the wild.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e An attacker gains initial access to a Windows system, potentially through social engineering or exploiting existing vulnerabilities.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eQEMU Installation (or Existing):\u003c/strong\u003e The attacker either installs QEMU (if not already present) or leverages an existing installation.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImage File Placement:\u003c/strong\u003e A malicious Linux image file (\u003ccode\u003e.img\u003c/code\u003e) is placed on the compromised system.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence via Scheduled Task/Service:\u003c/strong\u003e The attacker creates a scheduled task or Windows service to execute QEMU automatically upon system startup or at specific intervals.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eQEMU Execution:\u003c/strong\u003e The scheduled task or service executes QEMU with the \u003ccode\u003e-nographic\u003c/code\u003e flag and points to the malicious Linux image file. Example command: \u003ccode\u003eqemu-system-x86_64.exe -nographic -hda malicious.img\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRogue VM Initialization:\u003c/strong\u003e The Linux virtual machine boots in the background without any user interaction.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalicious Activity within VM:\u003c/strong\u003e The rogue VM executes malicious scripts, downloads additional payloads, or establishes communication with a command-and-control (C2) server.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement/Data Exfiltration:\u003c/strong\u003e The attacker leverages the compromised VM as a staging point for lateral movement within the network or for exfiltrating sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to establish persistent access to a compromised Windows system, potentially bypassing traditional security measures. The rogue Linux virtual machine provides a hidden environment for executing malicious activities, such as installing backdoors, conducting reconnaissance, or launching further attacks against the internal network. This can lead to data theft, system compromise, and significant disruption of business operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Suspicious QEMU Execution\u0026rdquo; to detect QEMU processes running with the \u003ccode\u003e-nographic\u003c/code\u003e flag and an image file (see \u003ccode\u003erules\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eMonitor process execution logs for command lines containing \u0026ldquo;qemu\u0026rdquo; and \u0026ldquo;-nographic\u0026rdquo; to identify potential rogue VM deployments.\u003c/li\u003e\n\u003cli\u003eInvestigate any scheduled tasks or services that launch QEMU with the \u003ccode\u003e-nographic\u003c/code\u003e flag to determine their legitimacy.\u003c/li\u003e\n\u003cli\u003eReview and whitelist approved systems that legitimately run QEMU with the \u003ccode\u003e-nographic\u003c/code\u003e flag to reduce false positives as noted in the \u003ccode\u003eknown_false_positives\u003c/code\u003e section.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 1 logging to capture process creation events, providing the data needed for the Sigma rules (see \u003ccode\u003edata_source\u003c/code\u003e).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-suspicious-qemu-execution/","summary":"Detects the execution of QEMU with the -nographic flag and an image file on Windows systems, a technique used for persistence and initial access by installing a rogue Linux virtual machine.","title":"Suspicious QEMU Execution on Windows","url":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-qemu-execution/"}],"language":"en","title":"CraftedSignal Threat Feed — QEMU","version":"https://jsonfeed.org/version/1.1"}