Security researchers have identified a new threat to Linux systems, the Krasue remote access trojan (RAT), which has targeted telecommunications companies since 2021 while evading detection. The trojan’s binary incorporates seven variants of a rootkit based on code from open-source projects, making it difficult to identify and remove. Group-IB researchers, who discovered Krasue, suggest that its purpose is to maintain access to the host, possibly indicating involvement in a botnet or sale by initial access brokers. The rootkit operates at the kernel level, which makes detection significantly harder because it runs with the same privileges as the operating system’s own security mechanisms. While the distribution method remains unclear, it may involve exploiting vulnerabilities, credential brute-force attacks, or disguising the malware as a legitimate product.
In-depth analysis by Group-IB revealed that Krasue’s rootkit is a Linux Kernel Module (LKM) masquerading as an unsigned VMware driver, which helps it remain undetected. The rootkit supports older Linux kernel versions (2.6.x/3.10.x), taking advantage of weak Endpoint Detection and Response (EDR) coverage on older servers. It conceals its presence by hiding ports, processes, and malware-related files, showing a high level of sophistication. The trojan communicates with a command and control (C2) server, receiving commands such as ping, master, info, restart, respawn, and god die. Notably, Krasue stands out by using the Real Time Streaming Protocol (RTSP) for C2 communication, an unusual choice in malware. Group-IB suggests that Krasue shares similarities with another Linux malware family, XorDdos, indicating a potential common author or access to shared code.
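One defensive cross-check for the process-hiding behaviour described above, written here as an added example rather than Group-IB's tooling or anything from their report: an LKM rootkit that filters directory listings of /proc hides entries from ps and top, but a PID that still answers `os.kill(pid, 0)` exists. This assumes a Linux host with /proc mounted; the function names are the example's own.

```python
import os
from typing import Iterable, Set


def visible_pids() -> Set[int]:
    """PIDs exposed by enumerating /proc, i.e. what ps and top see."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def max_pid() -> int:
    """Upper bound of the PID space on this host."""
    with open("/proc/sys/kernel/pid_max") as fh:
        return int(fh.read())


def alive_pids(upper: int) -> Set[int]:
    """PIDs that answer to signal 0, probed without reading any directory.

    A rootkit that only hooks directory enumeration cannot hide from this,
    but one that also hooks the kill() path can, so treat the result as one
    signal among several, not as proof of a clean host.
    """
    alive: Set[int] = set()
    for pid in range(1, upper + 1):
        try:
            os.kill(pid, 0)
            alive.add(pid)
        except ProcessLookupError:
            continue  # no such process
        except PermissionError:
            alive.add(pid)  # exists, but belongs to another user
    return alive


def hidden_pids(visible: Iterable[int], alive: Iterable[int]) -> Set[int]:
    """Processes that exist but are absent from the /proc listing."""
    return set(alive) - set(visible)


def scan(passes: int = 2) -> Set[int]:
    """Flag a PID only if it is hidden in every pass, which filters out
    processes that merely started or exited while the scan was running."""
    upper = max_pid()
    suspects: Set[int] = set()
    for i in range(passes):
        found = hidden_pids(visible_pids(), alive_pids(upper))
        suspects = found if i == 0 else suspects & found
    return suspects


if __name__ == "__main__":
    print("hidden PIDs:", sorted(scan()) or "none")
```

Run it as root so that probing every PID is not limited to the caller's own processes, and follow up any hit by inspecting the PID directly (for example `ls /proc/<pid>/exe`), since a hidden-but-alive process is exactly what the rootkit described above is designed to produce.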
To date, the threat actor behind Krasue remains unidentified. Group-IB has shared indicators of compromise and YARA rules to aid in detection. The trojan’s ability to operate stealthily, employing advanced rootkit techniques, highlights the evolving sophistication of Linux-targeting malware. The research underscores the need for enhanced security measures, especially for organizations in the telecommunications sector, to protect against these advanced and persistent threats.