Next-Generation Technologies & Secure Development
,
Threat Intelligence
RAT Is Tailored to Exploit Vulnerabilities in Linux Kernel Versions
Hackers targeted telecommunications companies in Thailand with a Linux remote access Trojan designed to attack different versions of the open-source kernel, researchers say.
See Also: Fog of War | How the Ukraine Conflict Transformed the Cyber Threat Landscape
Cybersecurity researchers at Group-IB dubbed the Trojan “Krasue,” after a nocturnal spirit in Southeast Asian folklore.
Krasue poses a “severe risk to critical systems and sensitive data,” Group-IB researchers wrote, dating the malware to 2021 based on an upload to VirusTotal. Group-IB researchers don’t know the RAT’s initial access vector or the scale of its deployment by hackers.
The attackers deploy Krasue in the later stages of an attack chain, once they have secured access to victim hosts. Its core functionality is its persistence, suggesting that hackers sell access to infected machines as part of a botnet or as the wares of an initial access broker.
The RAT exploits the vulnerabilities of older Linux servers and networks that lack robust endpoint detection and response coverage. Its rootkit – the malware embeds seven compiled versions – exhibits traits of three open-source loadable kernel module rootkits: Diamorphine, Suterusu and Rooty. This amalgamation allows Krasue to support various Linux kernel versions. The rootkit masquerades as a VMware driver but doesn’t have a valid digital signature.
The RAT employs embedded rootkits tailored to exploit different versions of the Linux kernel. Drawing from three open-source Linux Kernel Module rootkits, Krasue hide its activities and evades detection. It hooks into critical system functions, including the kill()
command used to terminate processes, network-related functions and file listing operations.
It also uses real-time streaming protocol messages, disguised as “alive pings,” a tactic that Group-IB says is “rarely seen in the wild.”
The malware uses an open-source packing tool to wrap itself in a bid for concealment, and it also enhances its evasion capabilities by daemonizing itself – i.e., running as a background process. It ignores process interruption signals known as SIGINT that users can send by pressing ctrl + c.
Researchers also observed a connection to the XorDdos Linux Trojan documented by Microsoft in 2022.
Researchers said that the authors of XorDdos – or someone with the access to same source code used by the authors of XorDdos – likely created Krasue.