Krasue RAT Malware: A New Threat to Linux Systems
In the field of cybersecurity, a potent and covert threat called Krasue has surfaced. This remote access trojan has been silently infiltrating Linux systems, primarily targeting telecommunications companies since 2021. This blog post will explore Krasue RAT, its origins, functionalities, and the ongoing efforts to combat its elusive nature.
Krasue RAT Attack Details
It operates through a sophisticated rootkit comprising seven variants, each drawing its foundation from three different open-source projects. This allows the malware to adapt to different Linux kernel versions, making identification and removal challenging.
Security researchers at Group-IB said that the primary objective of Krasue RAT is to maintain access to the host system. It might be distributed via a botnet or sold by initial access brokers to threat actors who want to target specific systems.
Krasue’s deployment strategy is yet unknown; possible approaches include credential brute force assaults, exploiting vulnerabilities, or disguising distribution through unreliable sources that pretend to be trustworthy packages or binaries.
Linux System Telecommunication Targeted
Krasue’s target is primarily focused on telecom firms, especially those in Thailand. It’s unknown why this particular target was chosen, raising concerns about possible consequences for critical infrastructure.
Group-IB discovered that Krasue’s rootkit is a Linux Kernel Module (LKM) posing as an unsigned VMware driver once executed. That means it is a kernel-level rootkit, which makes detection and removal challenging as it operates within the same security level as the operating system. This sneaky malware mostly affects older Linux servers with poor Endpoint Detection and Response coverage.
Among the many features that Krasue RAT offers include the ability to hide ports and processes, grant root privileges, and carry out the kill command for any process ID. Its use of the Real Time Streaming Protocol (RTSP) for communication with command and control servers is noteworthy; this is not a choice that is often associated with malware of this kind.
Due to Group-IB’s analysis, the details of this remote access trojan have been clarified, providing critical signs of compromise and YARA rules. Scientists have discovered nine different C2 IP addresses hardcoded into Krasue, one of which uses port 554, which is frequently connected to RTSP connections. This odd choice in communication technique highlights the special qualities of Krasue RAT. Moreover, similarities to XorDdos, another Linux malware, point to a possible shared author/operator or piece of code.
The sources for this article include a story from BleepingComputer.