Cyberattackers utilize legitimate tools to carry out attacks, allowing them to evade detection systems while keeping costs low. They use network tunnels and port forwarding to bypass security measures. In a recent incident, attackers deployed Angry IP Scanner, mimikatz, and QEMU, a virtualizer normally used for testing. By running QEMU with specific arguments, the attackers created a network tunnel into internal systems. A successful RDP connection through that tunnel demonstrated that the technique works. QEMU does not encrypt the tunneled traffic, so it can be intercepted. Comprehensive security measures are necessary to detect and prevent such attacks.
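As an added example (written for this summary, not code from the Securelist article or from the QEMU project), the following Python scores process-creation command lines for the pattern described above: a QEMU binary started headless, with a guest memory far too small to boot an OS, no disk image, and a socket network backend connecting out to a remote peer. The event records are constructed, and the weights and threshold are assumptions a SOC would tune to its own environment.

```python
import re

# Constructed process-creation records (not from the article).
SAMPLE_EVENTS = [
    {"host": "ws-01", "user": "admin",
     "cmdline": "qemu-system-i386.exe -m 1M -netdev user,id=lan,restrict=off "
                "-netdev socket,id=s0,connect=203.0.113.10:443 -nographic"},
    {"host": "dev-07", "user": "builder",
     "cmdline": "qemu-system-x86_64 -m 4G -hda disk.qcow2 "
                "-netdev user,id=n0,hostfwd=tcp::2222-:22 -device virtio-net,netdev=n0"},
    {"host": "ws-02", "user": "bob", "cmdline": "notepad.exe notes.txt"},
]

QEMU_BIN = re.compile(r"qemu-system-\w+(\.exe)?$", re.IGNORECASE)
MEM_RE = re.compile(r"^(\d+)([MmGg]?)$")
DISK_ARGS = {"-hda", "-hdb", "-drive", "-cdrom", "-kernel", "-bios"}

def parse_mem_mb(value):
    """Guest RAM in MiB for a '-m' value such as '1M', '512' or '4G'; None if unparsable."""
    m = MEM_RE.match(value)
    if not m:
        return None
    n, unit = int(m.group(1)), m.group(2).upper()
    return n * 1024 if unit == "G" else n

def inspect_qemu_cmdline(cmdline):
    """Score one command line; higher means more tunnel-like than VM-like.
    Assumes arguments contain no quoted spaces (whitespace split suffices)."""
    argv = cmdline.split()
    if not argv or not QEMU_BIN.search(argv[0]):
        return 0, []
    score, reasons, has_disk = 0, [], False
    for i, arg in enumerate(argv[1:], start=1):
        nxt = argv[i + 1] if i + 1 < len(argv) else ""
        if arg == "-netdev" and nxt.startswith("socket,") and "connect=" in nxt:
            score += 3                       # guest NIC wired to a remote TCP peer
            reasons.append("socket backend to remote peer: " + nxt)
        elif arg == "-netdev" and "hostfwd=" in nxt:
            score += 1                       # host port forwarded into the guest
            reasons.append("host port forward: " + nxt)
        elif arg == "-m":
            mem = parse_mem_mb(nxt)
            if mem is not None and mem <= 16:
                score += 2                   # no real OS boots in <=16 MiB
                reasons.append("guest RAM too small for an OS: " + nxt)
        elif arg == "-nographic":
            score += 1
            reasons.append("headless guest")
        elif arg in DISK_ARGS:
            has_disk = True
    if not has_disk:
        score += 1                           # nothing to boot, so not a real VM
        reasons.append("no disk, kernel or BIOS image")
    return score, reasons

def scan_events(events, threshold=4):
    """Return the events whose QEMU command line scores at or above threshold."""
    hits = []
    for ev in events:
        score, reasons = inspect_qemu_cmdline(ev["cmdline"])
        if score >= threshold:
            hits.append({**ev, "score": score, "reasons": reasons})
    return hits

if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(hit["host"], hit["score"], "; ".join(hit["reasons"]))
```

Only the first record is flagged; the developer VM on dev-07 uses a port forward but also has a disk image and normal memory, which keeps it below the threshold.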
https://securelist.com/network-tunneling-with-qemu/111803/