Threat Actors With a New Tactic: Virtual Machines Used to Hide Malicious Actions

Cyber crooks have come up with yet another tactic to try hide their malicious activities, alarms SecureWorks.

Cybercriminals are now trying to install and launch a Virtual Machine (VM) so their threating actions could go undetected. Virtual Machines are emulated file systems mostly used for testing software products. They are usually embedded in other apps like a security software.

Most of the times, the VM complete with a fully-working Operating System running inside an already existing Operating System. In other words, they are an OS inside another OS, which allows Windows 98 or Linux to be launched just by clicking on their desktop icon.

Recently, a malware author attempted to install, what is called, a “New Virtual Machine” on a user`s PC. On 28th July this year, a SecureWorks` client noticed that their security platform detected some unusual threats.

When researchers requested more logs to analyze from the affected user`s sysadmin, they found out the log lines making their product trigger a warning.

“The adversary had achieved a level of access that allowed them to interact with the Windows Explorer shell via the Terminal Services Client.” – SecureWorks Counter Threat Unit (CTU) researchers stated – “Figure 1 shows the threat actor using the Microsoft Management Console (MMC) to launch the Hyper-V Manager, which is used to manage Microsoft’s virtual machine (VM) infrastructure.”

The threat actor tried to install a virtual machine on the victim`s PS, but, luckily for them, the machine the crook managed to gain access to was already a VM itself, and VMs can`t be installed in each other.

In spite of failing in their attempt, the crook once again proved how innovative cybercriminals can get. As it seems, a new tactic has appeared which can be leveraged in favor of malicious actors.

Even though they didn’t succeed this first time, the VM plan is actually quite clever. If they have succeeded in installing and launching the VM, they would have been able to establish a connection with it and perform their dangerous actions without being disturbed by security products.

Leave a Comment

Your email address will not be published.

Time limit is exhausted. Please reload CAPTCHA.