‘Krasue’ Linux RAT Targets Organizations in Thailand


Next-Generation Technologies & Secure Development
Threat Intelligence

RAT Is Tailored to Exploit Vulnerabilities in Linux Kernel Versions

'Krasue' Linux RAT Targets Organizations in Thailand
A remote access Trojan dubbed “Krasue” is targeting Thai organizations. (Image of Bangkok metro train in 2018: Shutterstock)

Hackers targeted telecommunications companies in Thailand with a Linux remote access Trojan designed to attack different versions of the open-source kernel, researchers say.

See Also: Fog of War | How the Ukraine Conflict Transformed the Cyber Threat Landscape

Cybersecurity researchers at Group-IB dubbed the Trojan “Krasue,” after a nocturnal spirit in Southeast Asian folklore.

Krasue poses a “severe risk to critical systems and sensitive data,” Group-IB researchers wrote, dating the malware to 2021 based on an upload to VirusTotal. Group-IB researchers don’t know the RAT’s initial access vector or the scale of its deployment by hackers.

The attackers deploy Krasue in the later stages of an attack chain, once they have secured access to victim hosts. Its core functionality is its persistence, suggesting that hackers sell access to infected machines as part of a botnet or as the wares of an initial access broker.

The RAT exploits the vulnerabilities of older Linux servers and networks that lack robust endpoint detection and response coverage. Its rootkit – the malware embeds seven compiled versions – exhibits traits of three open-source loadable kernel module rootkits: Diamorphine, Suterusu and Rooty. This amalgamation allows Krasue to support various Linux kernel versions. The rootkit masquerades as a VMware driver but doesn’t have a valid digital signature.

The RAT employs embedded rootkits tailored to exploit different versions of the Linux kernel. Drawing from three open-source Linux Kernel Module rootkits, Krasue hide its activities and evades detection. It hooks into critical system functions, including the kill() command used to terminate processes, network-related functions and file listing operations.

It also uses real-time streaming protocol messages, disguised as “alive pings,” a tactic that Group-IB says is “rarely seen in the wild.”

The malware uses an open-source packing tool to wrap itself in a bid for concealment, and it also enhances its evasion capabilities by daemonizing itself – i.e., running as a background process. It ignores process interruption signals known as SIGINT that users can send by pressing ctrl + c.

Researchers also observed a connection to the XorDdos Linux Trojan documented by Microsoft in 2022.

Researchers said that the authors of XorDdos – or someone with the access to same source code used by the authors of XorDdos – likely created Krasue.


Source link

One reply on “‘Krasue’ Linux RAT Targets Organizations in Thailand”

Even though I am a regular blogger, I have to tell that I absolutely appreciate reading your blogs. The article has aroused my interest in reading more about it. Your blog is going to be added to my bookmarks, and I will return to it in the future to look for new stuff.

Leave a Reply

Your email address will not be published. Required fields are marked *