Hackers abuse QEMU to covertly tunnel network traffic in cyberattacks
Malicious actors were detected abusing the open-source hypervisor platform QEMU as a tunneling tool in a cyberattack against a large company. QEMU is a free emulator and hypervisor that allows you to run other operating systems as guests on a computer.
As part of the attack, threat actors used QEMU to create virtual network interfaces and a socket-type network device to connect to a remote server. This allowed the threat actors to create a network tunnel from the victim's system to the attacker's server with negligible impact on system performance.
This unusual case, which highlights the diverse methods attackers use to remain stealthy, was discovered by Kaspersky analysts who were called to investigate suspicious activity in the breached company's systems.