QEMU abused to evade detection and enable ransomware delivery
Summary
Attackers are leveraging QEMU to create hidden virtual machines, facilitating persistent access for credential harvesting, data exfiltration, and ransomware deployment. This technique has been observed in conjunction with the PayoutsKing ransomware and is linked to the GOLD ENCOUNTER threat group.
IFF Assessment
The use of QEMU for hidden VMs is a novel evasion technique: host-based security tooling sees only the QEMU process, not the activity running inside the guest, so malicious behaviour is harder for defenders to detect.
Defender Context
Defenders should be aware that attackers use QEMU to establish hidden VMs and maintain persistent access. Monitoring for unusual VM activity, unusual network traffic patterns, and anomalous process execution on endpoints and servers is crucial. This highlights the need for advanced threat hunting capabilities that can detect sophisticated evasion tactics.
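One way to turn that monitoring guidance into a concrete hunt, as an added example that is not from the original brief: it scores constructed process-creation events for QEMU binaries launched without a display, with user-mode port forwarding, or from a user-writable path. The event fields, indicator names and the hit threshold are assumptions.

```python
import re
import shlex

# Constructed sample process-creation events (not from the brief): a headless
# QEMU launched from a user temp directory, a normal developer VM, and noise.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "jdoe", "cmdline":
     r"C:\Users\jdoe\AppData\Local\Temp\q\qemu-system-x86_64.exe -m 1024 "
     r"-display none -drive file=disk.qcow2 "
     r"-netdev user,id=n0,hostfwd=tcp::2222-:22 -device e1000,netdev=n0"},
    {"host": "dev07", "user": "build", "cmdline":
     "/usr/bin/qemu-system-x86_64 -m 2048 -display gtk -cdrom ubuntu.iso"},
    {"host": "ws01", "user": "jdoe", "cmdline":
     r"C:\Windows\System32\notepad.exe notes.txt"},
]

QEMU_IMAGE = re.compile(r"^qemu-system-[a-z0-9_]+(\.exe)?$", re.I)
# A hypervisor binary in a user-writable directory is unexpected on a managed host.
USER_WRITABLE = re.compile(r"[\\/](temp|tmp|downloads|appdata|public)[\\/]", re.I)

def assess(event):
    """Return the hidden-VM indicators present in one process event."""
    # posix=False keeps Windows backslashes intact while honouring quotes.
    tokens = shlex.split(event["cmdline"], posix=False)
    image = re.split(r"[\\/]", tokens[0])[-1] if tokens else ""
    if not QEMU_IMAGE.match(image):
        return []
    indicators = ["qemu_process"]
    args = [t.lower() for t in tokens[1:]]
    # No console or window: the guest is invisible to the logged-in user.
    if "-nographic" in args or any(args[i] == "-display" and args[i + 1] == "none"
                                   for i in range(len(args) - 1)):
        indicators.append("headless")
    # User-mode networking with hostfwd exposes guest services on the host.
    if any(a.startswith("user,") and "hostfwd=" in a for a in args):
        indicators.append("hostfwd")
    if USER_WRITABLE.search(tokens[0]):
        indicators.append("user_writable_path")
    return indicators

def hunt(events, min_indicators=3):
    """Return (host, user, indicators) for events that look like a hidden VM."""
    hits = []
    for ev in events:
        ind = assess(ev)
        if len(ind) >= min_indicators:
            hits.append((ev["host"], ev["user"], ind))
    return hits
```

Feed it real process-creation telemetry (Sysmon Event ID 1, auditd execve, or an EDR export) mapped to the same three fields; lower `min_indicators` on hosts that have no legitimate virtualization use.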