Security researchers have identified Krasue, a remote access trojan (RAT) that has been quietly infecting Linux systems at telecommunications companies since at least 2021. What sets Krasue apart is that its binary embeds seven variants of a rootkit, each built to run on a different Linux kernel version. That rootkit, assembled from code borrowed from three open-source projects, is the core of the malware's stealth.
The analysts at the cybersecurity firm that examined the sample determined that Krasue's primary function is to maintain persistent access to an infected host. They suggest it may be deployed by a botnet or sold by initial access brokers to threat actors seeking specific targets. Its role appears to be keeping a foothold on a victim's system during a later stage of an attack, where staying hidden matters more than the initial break-in.
Krasue's distribution method is still unknown. It may be dropped after exploitation of a vulnerability, after a credential brute-force attack, or through a trojanized download posing as legitimate software. The known victims are all telecommunications companies in Thailand, which points to a targeted campaign against that sector.
Once executed, the embedded rootkit masquerades as an unsigned VMware driver and runs at kernel level, which puts it beyond the reach of user-space detection and removal tools. The rootkit supports older Linux kernels (2.6.x and 3.10.x), and the servers still running those kernels rarely carry Endpoint Detection and Response agents, so its activity is much less likely to be noticed.
Under the hood, the researchers traced the rootkit's lineage to three open-source loadable kernel module (LKM) rootkits, Diamorphine, Suterusu and Rooty, which have been publicly available since at least 2017. Functionally, the Krasue rootkit can hide network ports, hide processes, grant root privileges, send kill signals to any process ID, and cover its tracks by hiding its own files and directories.
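The two hiding tricks these LKM rootkits are built on each leave a seam that a host check can pull at. An example added for this article (not Group-IB tooling and not code from the Krasue sample): a module unlinked from the kernel's module list drops out of /proc/modules, so lsmod misses it, but its kobject directory under /sys/module usually remains; and a process hidden by filtering directory listings of /proc disappears from ps and ls but can still be reached by opening /proc/<pid>/status directly. The script assumes a Linux host and a Diamorphine-style rootkit that hooks exactly those two views and nothing more.

```python
"""Host checks for the two hiding tricks Diamorphine-style LKM rootkits rely on.

Added example for this article; not Group-IB tooling and not code from the
Krasue sample. Assumptions: a Linux host and a rootkit that (a) unlinks
itself from the kernel module list, which removes its line from
/proc/modules but leaves its kobject directory under /sys/module, and
(b) filters directory listings of /proc, which hides PIDs from ps and ls
but not from a direct open of /proc/<pid>/status.
"""
import os
import re

_MODULE_NAME_RE = re.compile(r"^(\S+)\s")


def parse_proc_modules(text: str) -> set:
    """Module names from /proc/modules-format text (first column of each line)."""
    names = set()
    for line in text.splitlines():
        m = _MODULE_NAME_RE.match(line)
        if m:
            names.add(m.group(1))
    return names


def hidden_modules(proc_modules_text: str, loadable_sys_modules) -> set:
    """Loadable modules visible in /sys/module but missing from /proc/modules."""
    return set(loadable_sys_modules) - parse_proc_modules(proc_modules_text)


def hidden_pids(listed_before, reachable, listed_after) -> set:
    """PIDs reachable directly but absent from both readdir() views of /proc.

    Two listings bracket the probe so that processes that started or exited
    while probing are not reported as hidden.
    """
    return set(reachable) - set(listed_before) - set(listed_after)


def _list_proc_pids() -> set:
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}


def live_check(pid_max=None) -> dict:
    """Run both checks on the running system.

    Probing every PID up to pid_max (4194304 on recent kernels) costs one
    stat() per PID, so expect tens of seconds on a large pid_max.
    """
    with open("/proc/modules") as f:
        proc_modules_text = f.read()
    # Built-in kernel code with parameters also gets a /sys/module entry;
    # only genuinely loadable modules have an 'initstate' file there.
    loadable = [n for n in os.listdir("/sys/module")
                if os.path.exists(f"/sys/module/{n}/initstate")]
    if pid_max is None:
        with open("/proc/sys/kernel/pid_max") as f:
            pid_max = int(f.read())
    before = _list_proc_pids()
    reachable = {pid for pid in range(1, pid_max + 1)
                 if os.path.exists(f"/proc/{pid}/status")}
    after = _list_proc_pids()
    return {
        "hidden_modules": hidden_modules(proc_modules_text, loadable),
        "hidden_pids": hidden_pids(before, reachable, after),
    }


if __name__ == "__main__":
    for kind, items in live_check().items():
        print(f"{kind}: {sorted(items) if items else 'none found'}")
```

A clean result is not proof of absence: a rootkit that also hooks path lookup defeats the PID probe, and one that deletes its kobject defeats the module check. Treat a hit as a reason to pull the box from the network and image its memory, not as a verdict either way.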
The malware also hardcodes nine distinct command-and-control (C2) IP addresses, one of which is contacted over port 554, the port normally used by the Real Time Streaming Protocol (RTSP). Using RTSP as a C2 channel is an unconventional choice, since the application-layer protocol was designed for controlling streaming media servers rather than for command traffic, and it is one of the traits that makes Krasue stand out.
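A telecom server that is not a media host has no business holding an outbound connection to a remote port 554, which makes that C2 address a cheap thing to hunt for. As an added example (not code from the Krasue report), the script below parses the kernel's /proc/net/tcp format, in which IPv4 addresses and ports are printed as hex in host byte order (so the bytes appear reversed on little-endian machines, which the code assumes), and returns the connections an analyst would want explained. The sample listing is constructed, with addresses from private and RFC 5737 documentation ranges. One caveat follows from the previous section: the rootkit can hide ports, so on an infected host /proc/net/tcp itself may be filtered; run the same check against flow logs from a network sensor, where the rootkit has no hook.

```python
"""Flag TCP connections to port 554 (RTSP) in a /proc/net/tcp listing.

Added example for this article, not code from the Krasue report. Assumes a
little-endian host for the address decoding; the sample listing below is
constructed, with addresses from private and RFC 5737 documentation ranges.
"""
from typing import Dict, List

TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}

RTSP_PORT = 554

# Constructed sample: an sshd listener, one connection to a remote RTSP port
# owned by root, and one ordinary HTTPS connection owned by uid 1000.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18231 1 0000000000000000 100 0 0 10 0
   1: 0500000A:A112 0A7100CB:022A 01 00000000:00000000 00:00000000 00000000     0        0 25610 1 0000000000000000 20 4 30 10 -1
   2: 0500000A:C3E4 076433C6:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 26117 1 0000000000000000 20 4 30 10 -1
"""


def _decode_endpoint(field: str):
    """'0A7100CB:022A' -> ('203.0.113.10', 554) on a little-endian host."""
    ip_hex, port_hex = field.split(":")
    octets = reversed(bytes.fromhex(ip_hex))  # host order -> dotted quad
    return ".".join(str(o) for o in octets), int(port_hex, 16)


def parse_proc_net_tcp(text: str) -> List[Dict]:
    """Parse /proc/net/tcp (IPv4) text into a list of connection records."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 10 or fields[0] == "sl":
            continue  # header or malformed line
        local_ip, local_port = _decode_endpoint(fields[1])
        remote_ip, remote_port = _decode_endpoint(fields[2])
        records.append({
            "local_ip": local_ip, "local_port": local_port,
            "remote_ip": remote_ip, "remote_port": remote_port,
            "state": TCP_STATES.get(fields[3], fields[3]),
            "uid": int(fields[7]), "inode": int(fields[9]),
        })
    return records


def rtsp_c2_candidates(records: List[Dict], port: int = RTSP_PORT) -> List[Dict]:
    """Outbound connections (established or still connecting) to `port`.

    The socket inode can be tied to a process by scanning /proc/<pid>/fd for
    a 'socket:[inode]' link, unless the rootkit is hiding that process too.
    """
    return [r for r in records
            if r["remote_port"] == port
            and r["state"] in ("ESTABLISHED", "SYN_SENT")]


if __name__ == "__main__":
    for r in rtsp_c2_candidates(parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)):
        print(f"{r['local_ip']}:{r['local_port']} -> "
              f"{r['remote_ip']}:{r['remote_port']} "
              f"uid={r['uid']} inode={r['inode']}")
```

Replace SAMPLE_PROC_NET_TCP with the contents of a live /proc/net/tcp, or feed the same parser a listing captured from a known-clean vantage point, and match the remote addresses against the published indicators of compromise rather than the port alone.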
Overlaps between Krasue's rootkit and the one bundled with XorDdos, another Linux malware family, suggest the two may share an author or draw on the same code base.
Although the identity of the threat actor behind Krasue remains unknown, the researchers have published indicators of compromise and YARA rules to aid detection and have asked the security community to share any further knowledge about the malware.
Defending against Krasue requires a layered approach. Organizations should keep systems patched to close the vulnerabilities it may arrive through, enforce strict access controls and multi-factor authentication to blunt credential brute-force attacks, and segment networks to limit lateral movement once a host is compromised. Because the rootkit targets kernels too old for most EDR agents, the legacy Linux servers still running them deserve particular attention: isolate or retire them where possible, and monitor the rest from the network side, where a kernel-level rootkit cannot hide its traffic.