Hackers continue to have success at hiding malicious processes inside virtual machines that launch at startup and stay out of sight of EDR agents on the host. The behaviour is not new, but it deserves renewed attention. Fresh examples of its use as an attacker technique come from Microsoft, which has seen this behaviour during attacks on exposed SolarWinds Web Help Desk (WHD) instances in recent months.
Redmond, posting in February, was unable to identify which of a long string of recent WHD vulnerabilities was exploited to gain the initial beachhead. But it then saw hackers “creating a scheduled task to launch a QEMU virtual machine under the SYSTEM account at startup…hiding malicious activity within a virtualized environment while exposing SSH access via port forwarding.”
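As an added example, not code from The Stack or from Microsoft's write-up, the check below flags a scheduled-task definition that matches the pattern just described: QEMU launched as SYSTEM from a boot trigger with a host port forwarded onto the guest's SSH port. The task XML samples, task names and file paths are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Task Scheduler XML namespace (the TaskContent body of Security Event ID 4698 uses it)
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
QEMU_RE = re.compile(r"(^|[\\/])qemu(-system-[a-z0-9_]+)?(\.exe)?$", re.I)
# QEMU user-mode forward such as hostfwd=tcp::2222-:22 ; group 2 is the guest-side port
HOSTFWD_RE = re.compile(r"hostfwd=(tcp|udp):[^,\s]*-:(\d+)", re.I)
SYSTEM_IDS = {"S-1-5-18", "SYSTEM", "NT AUTHORITY\\SYSTEM"}


def inspect_task(task_name, task_xml):
    """Return a finding if the task launches QEMU, else None; "high" = SYSTEM + boot + guest:22 forward."""
    root = ET.fromstring(task_xml)
    user = root.findtext(".//t:Principals/t:Principal/t:UserId", default="", namespaces=NS)
    as_system = user.upper() in SYSTEM_IDS
    at_boot = root.find(".//t:Triggers/t:BootTrigger", NS) is not None
    for action in root.findall(".//t:Actions/t:Exec", NS):
        cmd = action.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        args = action.findtext("t:Arguments", default="", namespaces=NS)
        if not QEMU_RE.search(cmd):
            continue
        reasons = [f"exec {cmd}"]
        if as_system:
            reasons.append("runs as SYSTEM")
        if at_boot:
            reasons.append("boot trigger")
        ssh_forward = False
        for proto, guest_port in HOSTFWD_RE.findall(args):
            reasons.append(f"hostfwd {proto} -> guest:{guest_port}")
            ssh_forward |= guest_port == "22"
        severity = "high" if as_system and at_boot and ssh_forward else "medium"
        return {"task": task_name, "severity": severity, "reasons": reasons}
    return None


# Constructed sample task definitions modelled on the behaviour described above (not real captures).
SUSPECT_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><BootTrigger><Enabled>true</Enabled></BootTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId></Principal></Principals>
  <Actions Context="Author"><Exec>
    <Command>C:\\ProgramData\\qemu\\qemu-system-x86_64.exe</Command>
    <Arguments>-m 512 -hda disk.qcow2 -netdev user,id=n0,hostfwd=tcp::2222-:22 -device e1000,netdev=n0 -nographic</Arguments>
  </Exec></Actions></Task>"""
DEV_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><UserId>LAB\\dev</UserId></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>LAB\\dev</UserId></Principal></Principals>
  <Actions Context="Author"><Exec><Command>"C:\\Program Files\\qemu\\qemu-system-x86_64.exe"</Command>
    <Arguments>-m 2048 -hda dev.qcow2 -netdev user,id=n0,hostfwd=tcp::8080-:80 -device e1000,netdev=n0</Arguments>
  </Exec></Actions></Task>"""
```

Feeding the TaskContent field of each 4698 event through `inspect_task` turns the quoted description into a triage rule; a developer's QEMU task run on logon is still reported, but only at medium severity.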