A previously unknown Linux remote access trojan called Krasue has been observed targeting telecom companies in Thailand by threat actors who would first surreptitiously access the victim’s networks. -lease since 2021.
The exact initial access vector used to deploy Krasue is currently unknown, although it is suspected that it could be through vulnerability exploitation, credential brute-force attacks, or downloaded as part of a bogus software package or binary. The scale of the campaign is
Cracking the Code: Learn How Cyber Attackers Exploit Human Psychology
Ever wondered why social engineering is so effective? Dive deep into the psychology of cyber attackers in our upcoming webinar.
The core functions of the malware are accomplished through a rootkit that allows it to continue to operate on the host without attracting any attention. The rootkit is derived from open-source projects such as Diamorphine, Suterusu, and Rooty.
This raises the possibility that Krasue could be deployed as part of a botnet or sold by initial access brokers to other cybercriminals, such as ransomware partners, seeking to gain access to a specific target.
“The rootkit can hook into the `kill()` syscall, network-related functions, and file listing operations to hide its activities and evade detection,” Group-IB malware analyst Sharmine Low said.
“Especially, used by Krasue RTSP (Real Time Streaming Protocol) messages to serve as a disguised ‘live ping,’ a tactic rarely seen in the wild.
The trojan’s command-and-control (C2) communications further allow it to designate a communications IP as its master upstream C2 server, obtain information about the malware, and even terminate itself.
Krasue also shares many similarities in the source code of another Linux malware named XorDdos, indicating that it was created by the same author as the latter, or by actors with access to its source code.
“The information available is not enough to put forward a conclusive identification about the creator of Krasue, or the groups that exploit it in the wild, but the fact that these malicious programs can remain under the radar for long periods of time does this. It is clear that continued vigilance and better security measures are necessary,” said Low.