Silent Intruder: The Undetected Krasue RAT Malware Targeting Linux Systems Since 2021

Dec 7, 2023 | News


A recently discovered remote access trojan (RAT) named Krasue has set its sights on Linux systems within the telecommunications sector, eluding detection since 2021.

Researchers from cybersecurity company Group-IB analyzed Krasue and found that its binary embeds seven rootkit variants compatible with multiple Linux kernel versions. The trojan, built from code taken from three open-source projects, primarily serves to maintain access to the host, suggesting that it may be deployed through a botnet or sold by initial access brokers to threat actors seeking specific targets.

While the distribution method remains unclear, possibilities include exploitation of vulnerabilities, credential brute force attacks, or even downloads from untrusted sources disguised as legitimate products.

[Figure: Threat actor’s profile (Group-IB)]


The targeted scope of Krasue appears confined to telecommunications companies in Thailand.

Analysis by Group-IB disclosed that the rootkit embedded in Krasue RAT’s binary operates as a Linux Kernel Module (LKM), masquerading as an unsigned VMware driver upon execution. Operating at the kernel level, rootkits of this nature pose challenges in detection and removal, as they function at the same security level as the operating system.

The rootkit accommodates Linux Kernel versions 2.6x/3.10.x, exploiting the limited Endpoint Detection and Response coverage of older Linux servers. All seven rootkit versions share system call and function call hooking capabilities, adopting the common guise of “VMware User Mode Helper.”

[Figure: Rootkit’s metadata (Group-IB)]

Upon scrutiny of the code, researchers identified the rootkit’s foundation in three open-source LKM rootkits: Diamorphine, Suterusu, and Rooty, all in circulation since at least 2017.

The Krasue rootkit is equipped to hide or reveal ports, render processes invisible, grant root privileges, execute the kill command for any process ID, and conceal its traces by obscuring malware-related files and directories.

During communication with the command and control (C2) server, Krasue responds to various commands, including ping, master setup, info retrieval, restarts, and self-destruction.

Group-IB unearthed nine distinct C2 IP addresses hardcoded into the malware, with one utilizing port 554, unusual for C2 malware communication. Krasue employs the Real Time Streaming Protocol (RTSP) for C2 communication, an uncommon choice in this context.
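The two details above that a defender can hunt on without Group-IB's IoCs are the rootkit's "VMware User Mode Helper" guise as an unsigned, out-of-tree module and the use of RTSP on TCP/554 for C2. The following is an added example, not code from the article or from Group-IB's research; it assumes modinfo/sysfs-style module records (name, description, signer, taint flags) and `ss`-style socket lines as input, and the sample records are constructed for illustration.

```python
"""Hunting heuristics for Krasue-style LKM rootkits (added example):
1) kernel modules describing themselves as VMware components but unsigned or
   carrying out-of-tree ("O") / unsigned ("E") taint flags;
2) outbound TCP/554 (RTSP) sessions owned by processes that are not known RTSP clients."""
import re
from typing import Dict, List

# Constructed module records; fields mirror modinfo output and /sys/module/<name>/taint.
SAMPLE_MODULES = [
    {"name": "vmw_vmci", "description": "VMware Virtual Machine Communication Interface",
     "signer": "Build time autogenerated kernel key", "taint": ""},
    {"name": "vmw_helper", "description": "VMware User Mode Helper",
     "signer": "", "taint": "OE"},
]

# Constructed ss-style lines: "tcp ESTAB local:port remote:port users:(("proc",pid=N,fd=M))"
SAMPLE_SOCKETS = """\
tcp ESTAB 10.0.0.5:48812 203.0.113.10:554 users:(("kthreadd-worker",pid=913,fd=4))
tcp ESTAB 10.0.0.5:44102 198.51.100.20:443 users:(("curl",pid=2201,fd=3))
tcp ESTAB 10.0.0.5:51000 192.0.2.9:554 users:(("vlc",pid=3300,fd=12))
"""

RTSP_CLIENTS = {"vlc", "ffmpeg", "ffplay", "gst-launch-1.0"}  # assumed benign RTSP users
SOCKET_RE = re.compile(r'^tcp\s+ESTAB\s+\S+\s+(\S+):(\d+)\s+users:\(\("([^"]+)",pid=(\d+)')


def suspicious_modules(mods: List[Dict[str, str]]) -> List[str]:
    """Return names of modules posing as VMware components without a trusted signer
    or with out-of-tree / unsigned taint flags set."""
    hits = []
    for m in mods:
        looks_vmware = "vmware" in m["description"].lower()
        untrusted = not m["signer"] or "O" in m["taint"] or "E" in m["taint"]
        if looks_vmware and untrusted:
            hits.append(m["name"])
    return hits


def suspicious_rtsp(ss_output: str) -> List[dict]:
    """Return TCP/554 sessions whose owning process is not an allow-listed RTSP client."""
    hits = []
    for line in ss_output.splitlines():
        m = SOCKET_RE.match(line)
        if not m:
            continue  # skip headers and non-matching lines
        dst, dport, proc, pid = m.groups()
        if dport == "554" and proc not in RTSP_CLIENTS:
            hits.append({"pid": int(pid), "proc": proc, "dst": dst})
    return hits
```

On a live host, feed `suspicious_rtsp` the output of `ss -tnp` and build the module records from `modinfo` and `/sys/module/*/taint`; a hit from either check warrants offline verification, since the rootkit can hide processes and files from tools running on the compromised kernel.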

While the malware’s origin remains elusive, researchers observed overlaps in the rootkit portion with another Linux malware called XorDdos, suggesting a potential common author/operator or shared code.

At present, the identity of the threat actor behind Krasue remains unknown. Group-IB has shared indicators of compromise and YARA rules to aid defenders in detecting this threat, with the hope that further research contributions will shed light on this mysterious malware.


Source: bleepingcomputer.com
