Krasue RAT Malware: A New Threat to Linux Systems

In the field of cybersecurity, a potent and covert threat called Krasue has surfaced.
This remote access trojan has been silently infiltrating Linux systems, primarily targeting telecommunications companies since 2021.
This blog post will explore Krasue RAT, its origins, functionalities, and the ongoing efforts to combat its elusive nature.
It operates through a sophisticated rootkit comprising seven variants, each drawing its foundation from three different open-source projects.
This allows the malware to adapt to different Linux kernel versions, making identification and removal challenging.
Security researchers at Group-IB said that the primary objective of Krasue RAT is to maintain access to the host system.
It might be distributed via a botnet or sold by initial access brokers to threat actors who want to target specific systems.
Krasue's deployment strategy is yet unknown; possible approaches include credential brute force assaults, exploiting vulnerabilities, or disguising distribution through unreliable sources that pretend to be trustworthy packages or binaries.
Krasue's target is primarily focused on telecom firms, especially those in Thailand.
It's unknown why this particular target was chosen, raising concerns about possible consequences for critical infrastructure.
Group-IB discovered that Krasue's rootkit is a Linux Kernel Module posing as an unsigned VMware driver once executed.
That means it is a kernel-level rootkit, which makes detection and removal challenging as it operates within the same security level as the operating system.
This sneaky malware mostly affects older Linux servers with poor Endpoint Detection and Response coverage.
Among the many features that Krasue RAT offers include the ability to hide ports and processes, grant root privileges, and carry out the kill command for any process ID. Its use of the Real Time Streaming Protocol for communication with command and control servers is noteworthy; this is not a choice that is often associated with malware of this kind.
Due to Group-IB's analysis, the details of this remote access trojan have been clarified, providing critical signs of compromise and YARA rules.
Scientists have discovered nine different C2 IP addresses hardcoded into Krasue, one of which uses port 554, which is frequently connected to RTSP connections.
This odd choice in communication technique highlights the special qualities of Krasue RAT. Moreover, similarities to XorDdos, another Linux malware, point to a possible shared author/operator or piece of code.
The sources for this article include a story from BleepingComputer.
This is a Security Bloggers Network syndicated blog from TuxCare authored by Rohan Timalsina.


This Cyber News was published on securityboulevard.com. Publication date: Wed, 20 Dec 2023 13:43:49 +0000


Cyber News related to Krasue RAT Malware: A New Threat to Linux Systems

Krasue RAT Uses Cross-Kernel Linux Rootkit to Attack Telecoms - Attackers likely tied the creators of the XorDdos Linux remote access Trojan have been wielding a separate Linux RAT for nearly two years without detection, using it to target organizations in Thailand and maintain malicious access to infected ...
1 year ago Darkreading.com
Krasue RAT Malware: A New Threat to Linux Systems - In the field of cybersecurity, a potent and covert threat called Krasue has surfaced. This remote access trojan has been silently infiltrating Linux systems, primarily targeting telecommunications companies since 2021. This blog post will explore ...
1 year ago Securityboulevard.com
The Persistent Danger of Remcos RAT - From initial infection to persistent control, the Remcos RAT campaign exemplifies the evolving nature of cyber threats and the need for proactive defense measures. This ecosystem is supported by a diverse array of servers that function as command and ...
1 year ago Cyberdefensemagazine.com
Digital Battlefield: Syrian Threat Group's Sinister SilverRAT Emerges - Cyfirma claims that the developers maintain a sophisticated and active presence on multiple hacker forums and social media platforms, as outlined by the cybersecurity company. Besides operating a Telegram channel offering leaked databases, carding ...
11 months ago Cysecurity.news
CVE-2024-36886 - In the Linux kernel, the following vulnerability has been resolved: ...
5 months ago
Any.RUN Sandbox Now Expanded to Analyze Linux Malware - The ANY.RUN sandbox has now been updated with support for Linux, further enhancing its ability to provide an isolated and secure environment for malware analysis and threat hunting. ANY.RUN allows malware analysts, SOC members, and DFIR team members ...
10 months ago Gbhackers.com
A New, Spookier Gh0st RAT Malware Haunts Global Cyber Targets - A new variant of the infamous "Gh0st RAT" malware has been identified in recent attacks targeting South Koreans and the Ministry of Foreign Affairs in Uzbekistan. The Chinese group "C.Rufus Security Team" first released Gh0st RAT on the open Web in ...
1 year ago Darkreading.com
SideCopy Exploiting WinRAR Flaw in Attacks Targeting Indian Government Entities - The Pakistan-linked threat actor known as SideCopy has been observed leveraging the recent WinRAR security vulnerability in its attacks targeting Indian government entities to deliver various remote access trojans such as AllaKore RAT, Ares RAT, and ...
1 year ago Thehackernews.com
PixPirate: The Brazilian financial malware you can't see, part one - The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan malware that heavily utilizes anti-research techniques. Within IBM Trusteer, we saw several different ...
10 months ago Securityintelligence.com
Vulnerability Summary for the Week of March 11, 2024 - Published 2024-03-15 CVSS Score not yet calculated Source & Patch Info CVE-2021-47111416baaa9-dc9f-4396-8d5f-8c081fb06d67416baaa9-dc9f-4396-8d5f-8c081fb06d67416baaa9-dc9f-4396-8d5f-8c081fb06d67 PrimaryVendor - Product linux - linux Description In the ...
9 months ago Cisa.gov
Vulnerability Summary for the Week of March 4, 2024 - Published 2024-03-06 CVSS Score not yet calculated Source & Patch Info CVE-2023-52584416baaa9-dc9f-4396-8d5f-8c081fb06d67416baaa9-dc9f-4396-8d5f-8c081fb06d67416baaa9-dc9f-4396-8d5f-8c081fb06d67416baaa9-dc9f-4396-8d5f-8c081fb06d67 PrimaryVendor - ...
9 months ago Cisa.gov
How Stealthy Python Rat Malware is Targeting Windows Systems - Cybersecurity experts have recently alerted Windows users to a new malware threat: a stealthy python-based RAT malware that is specifically targeting Windows systems. The malware, which has been dubbed “Python Rat” by security researchers, has ...
1 year ago Bleepingcomputer.com
Types of Malware and How To Prevent Them - Malware is one of the biggest security threats to any type of technological device, and each type of malware uses unique tactics for successful invasions. Even if you've downloaded a VPN for internet browsing, our in-depth guide discusses the 14 ...
5 months ago Pandasecurity.com
FBI seizes Warzone RAT infrastructure, arrests malware vendor - The FBI dismantled the Warzone RAT malware operation, seizing infrastructure and arresting two individuals associated with the cybercrime operation. Daniel Meli, 27, a resident of Malta, was arrested last week for his role in the proliferation of ...
10 months ago Bleepingcomputer.com
How to Remove Malware + Viruses - Malware removal can seem daunting after your device is infected with a virus, but with a careful and rapid response, removing a virus or malware program can be easier than you think. We created a guide that explains exactly how to rid your Mac or PC ...
8 months ago Pandasecurity.com
February 2024's Most Wanted Malware: WordPress Websites Targeted by Fresh FakeUpdates Campaign - Our latest Global Threat Index for February 2024 saw researchers uncover a fresh FakeUpdates campaign compromising WordPress websites. These sites were infected using hacked wp-admin administrator accounts, with the malware adapting its tactics to ...
9 months ago Blog.checkpoint.com
Windows Incident Response: Human Behavior In Digital Forensics, pt II - Targeted Threat ActorI was working a targeted threat actor response, and while we were continuing to collect information for scoping, so we could move to containment, we found that on one day, from one endpoint, the threat actor pushed their RAT ...
11 months ago Windowsir.blogspot.com
FBI Shuts Down Warzone RAT; Cybercriminals Arrested - In a major victory against cybercrime, the FBI has successfully taken down the Warzone RAT malware operation. This operation led to the arrest of two individuals involved in the illicit activities. One of the suspects, 27-year-old Daniel Meli from ...
10 months ago Cysecurity.news
New NKAbuse malware abuses NKN blockchain for stealthy comms - A new Go-based multi-platform malware identified as 'NKAbuse' is the first malware abusing NKN technology for data exchange, making it a stealthy threat. NKN is a relatively new decentralized peer-to-peer network protocol leveraging blockchain ...
1 year ago Bleepingcomputer.com
Stemming the Tide: Solving the Challenge of Password Reuse and Password-Stealing Malware - Password stealing malware is again rising with several attacks making the news cycle in recent months. A new password-stealing malware named Ov3r Stealer was discovered on Facebook Ads, spreading by way of fake job opportunities. Further analysis ...
7 months ago Cybersecurity-insiders.com
How to Extract Malware Configurations in a Sandbox - The most sought-after source of these indicators is malware configurations. Malware Sandboxing Leader ANY.RUN handles the heavy lifting of phishing and malware analysis for SOC and DFIR teams and also helps 300,000 professionals use the platform to ...
10 months ago Gbhackers.com
Stemming the Tide: Solving the Challenge of Password Reuse and Password-Stealing Malware - Password stealing malware is again rising with several attacks making the news cycle in recent months. A new password-stealing malware named Ov3r Stealer was discovered on Facebook Ads, spreading by way of fake job opportunities. Further analysis ...
7 months ago Cybersecurity-insiders.com
Stemming the Tide: Solving the Challenge of Password Reuse and Password-Stealing Malware - Password stealing malware is again rising with several attacks making the news cycle in recent months. A new password-stealing malware named Ov3r Stealer was discovered on Facebook Ads, spreading by way of fake job opportunities. Further analysis ...
7 months ago Cybersecurity-insiders.com
Stemming the Tide: Solving the Challenge of Password Reuse and Password-Stealing Malware - Password stealing malware is again rising with several attacks making the news cycle in recent months. A new password-stealing malware named Ov3r Stealer was discovered on Facebook Ads, spreading by way of fake job opportunities. Further analysis ...
7 months ago Cybersecurity-insiders.com
Stemming the Tide: Solving the Challenge of Password Reuse and Password-Stealing Malware - Password stealing malware is again rising with several attacks making the news cycle in recent months. A new password-stealing malware named Ov3r Stealer was discovered on Facebook Ads, spreading by way of fake job opportunities. Further analysis ...
7 months ago Cybersecurity-insiders.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)