Krasue RAT Uses Cross-Kernel Linux Rootkit to Attack Telecoms

Attackers likely tied the creators of the XorDdos Linux remote access Trojan have been wielding a separate Linux RAT for nearly two years without detection, using it to target organizations in Thailand and maintain malicious access to infected systems.
The RAT, dubbed Krasue - named for a nocturnal native spirit in Southeast Asian folklore - uses a combination of stealthy techniques to fly under the radar, including the use of a rootkit that embeds seven compiled versions within it to support various versions of the Linux kernel, researchers from Group-IB reported in a blog post published Dec. 7.
The primary functionality of the RAT - which appeared on VirusTotal in 2021 but has never been publicly reported - is to maintain access to the host.
Krasue was likely created by the same author as the XorDdos Linux Trojan, or at least had access to the same source code, the researchers said.
RTSP is typically used to control the delivery of real-time media streams over IP networks, such as in video streaming and video-surveillance systems.
The method of gaining initial access to systems infected by Krasue is unclear, though likely pathways include vulnerability exploitation or credential brute-force attacks.
Another, albeit less likely, option for initial access could be that the RAT is downloaded as part of a deceptive package or binary - such as a fake product update - from a malicious third-party source, the researchers added.
While Group-IB observed the RAT being used mainly to target the telecom sector, the researchers believe that organizations in other verticals also were likely targets.
It's also likely that Krasue was deployed later in the attack chain once a cybercriminal already has intruded on a targeted network.
Keeping a Low Profile via Linux Rootkit Given its combination of stealthy characteristics, it's no surprise that Krasue RAT has lurked undetected for two years, the researchers said.
Some of these techniques lie in the use and functionality of the Krasue rootkit, which is a Linux Kernel Module, or an object file that can be dynamically loaded into the kernel at runtime.
On an infected system, the rootkit masquerades as a VMware driver without a valid digital signature.
Because of its nature as an LKM, the rootkit, which targets Linux kernel versions 2.6x/3.10.x, extends the functionality of the kernel without having to recompile or modify the entire kernel source code.
Another reason Krasue has managed to evade detection is that it uses UPX packing.
Packed malware samples typically are more difficult to detect by security solutions, and older Linux servers often have poor endpoint detection and response coverage anyway, the researchers said.
The RAT also enhances its evasion capabilities by daemonizing itself, running as a background process, and disregarding SIGINT signals, the last of which means that the malware remains unaffected by interruption signals sent when the user terminates the process by pressing Ctrl-C. Krasue also has features to obscure its communications with the command-and-control network, including using nine hardcoded IP addresses for its master C2 and its aforementioned use of RTSP for communication - which is rare for cybercriminals - among them, Low said.
Security Recommendations for Linux RATs Group-IB made a number of recommendations for security professionals to alert them of potential infection by Krasue RAT. One is to be on the lookout for anomalous RTSP traffic, which could alert to the existence of the malware on a system.
The researchers also recommended that organizations download software and packages only from trusted and official sources, using reputable repositories provided by their Linux distribution or verified third-party sources with a strong reputation for security.
Administrators also should enable kernel module signature verification by configuring the Linux kernel to only load signed modules.
Other security steps administrators can take to avoid compromise is to monitor system and network logs - regularly reviewing them for any suspicious activities - as well as to conduct periodic security audits.


This Cyber News was published on www.darkreading.com. Publication date: Thu, 07 Dec 2023 17:50:17 +0000


Cyber News related to Krasue RAT Uses Cross-Kernel Linux Rootkit to Attack Telecoms

Krasue RAT Uses Cross-Kernel Linux Rootkit to Attack Telecoms - Attackers likely tied the creators of the XorDdos Linux remote access Trojan have been wielding a separate Linux RAT for nearly two years without detection, using it to target organizations in Thailand and maintain malicious access to infected ...
11 months ago Darkreading.com
Krasue RAT Malware: A New Threat to Linux Systems - In the field of cybersecurity, a potent and covert threat called Krasue has surfaced. This remote access trojan has been silently infiltrating Linux systems, primarily targeting telecommunications companies since 2021. This blog post will explore ...
10 months ago Securityboulevard.com
The Persistent Danger of Remcos RAT - From initial infection to persistent control, the Remcos RAT campaign exemplifies the evolving nature of cyber threats and the need for proactive defense measures. This ecosystem is supported by a diverse array of servers that function as command and ...
10 months ago Cyberdefensemagazine.com
Rootkit Turns Kubernetes from Orchestration to Subversion - As software development focuses on continuous integration and deployment, orchestration platforms like Kubernetes have taken off, but that popularity has put them in attackers' crosshairs. Most successful attacks - at least those publicly reported - ...
11 months ago Darkreading.com
Digital Battlefield: Syrian Threat Group's Sinister SilverRAT Emerges - Cyfirma claims that the developers maintain a sophisticated and active presence on multiple hacker forums and social media platforms, as outlined by the cybersecurity company. Besides operating a Telegram channel offering leaked databases, carding ...
9 months ago Cysecurity.news
Vulnerability Summary for the Week of March 11, 2024 - Published 2024-03-15 CVSS Score not yet calculated Source & Patch Info CVE-2021-47111416baaa9-dc9f-4396-8d5f-8c081fb06d67416baaa9-dc9f-4396-8d5f-8c081fb06d67416baaa9-dc9f-4396-8d5f-8c081fb06d67 PrimaryVendor - Product linux - linux Description In the ...
7 months ago Cisa.gov
CVE-2024-36886 - In the Linux kernel, the following vulnerability has been resolved: ...
4 months ago
Vulnerability Summary for the Week of March 4, 2024 - Published 2024-03-06 CVSS Score not yet calculated Source & Patch Info CVE-2023-52584416baaa9-dc9f-4396-8d5f-8c081fb06d67416baaa9-dc9f-4396-8d5f-8c081fb06d67416baaa9-dc9f-4396-8d5f-8c081fb06d67416baaa9-dc9f-4396-8d5f-8c081fb06d67 PrimaryVendor - ...
7 months ago Cisa.gov
CVE-2024-26957 - In the Linux kernel, the following vulnerability has been resolved: ...
6 months ago
SideCopy Exploiting WinRAR Flaw in Attacks Targeting Indian Government Entities - The Pakistan-linked threat actor known as SideCopy has been observed leveraging the recent WinRAR security vulnerability in its attacks targeting Indian government entities to deliver various remote access trojans such as AllaKore RAT, Ares RAT, and ...
11 months ago Thehackernews.com
A New, Spookier Gh0st RAT Malware Haunts Global Cyber Targets - A new variant of the infamous "Gh0st RAT" malware has been identified in recent attacks targeting South Koreans and the Ministry of Foreign Affairs in Uzbekistan. The Chinese group "C.Rufus Security Team" first released Gh0st RAT on the open Web in ...
11 months ago Darkreading.com
CVE-2024-26688 - In the Linux kernel, the following vulnerability has been resolved: fs,hugetlb: fix NULL pointer dereference in hugetlbs_fill_super When configuring a hugetlb filesystem via the fsconfig() syscall, there is a possible NULL dereference in ...
7 months ago Tenable.com
FBI Shuts Down Warzone RAT; Cybercriminals Arrested - In a major victory against cybercrime, the FBI has successfully taken down the Warzone RAT malware operation. This operation led to the arrest of two individuals involved in the illicit activities. One of the suspects, 27-year-old Daniel Meli from ...
8 months ago Cysecurity.news
CVE-2022-48664 - In the Linux kernel, the following vulnerability has been resolved: ...
6 months ago
Gh0st rat - Gh0st RAT is a Trojan horse for the Windows platform. The “RAT” part of the name refers to the software’s ability to operate as a "Remote Administration Tool". It is a cyber spying computer program used to control infected Windows computers ...
11 months ago
'PhantomBlu' Cyberattackers Backdoor Microsoft Office Users via OLE - A malicious email campaign is targeting hundreds of Microsoft Office users in US-based organizations to deliver a remote access trojan that evades detection, partially by showing up as legitimate software. Threat actors previously have used the RAT ...
7 months ago Darkreading.com
Windows Incident Response: Human Behavior In Digital Forensics, pt II - Targeted Threat ActorI was working a targeted threat actor response, and while we were continuing to collect information for scoping, so we could move to containment, we found that on one day, from one endpoint, the threat actor pushed their RAT ...
10 months ago Windowsir.blogspot.com
Lifehacks for Analyzing Orcus Rat Data in 2023 - As the world of data becomes an increasingly integral part of our lives, it is important to understand how to analyze data from the Orcus Rat. This is because it can provide an even greater understanding of the trends in the market and how companies ...
1 year ago Thehackernews.com
SugarGh0st RAT Delivered via Malicious Windows & JavaScript - RATs allow threat actors to execute the following malicious actions while remaining hidden from the victim:-. Recently, cybersecurity researchers at Cisco Talos discovered a malicious campaign that was found to be delivering a new RAT that's been ...
11 months ago Cybersecuritynews.com
Silver RAT Evades Anti-viruses to Hack Windows Machines - Hackers use Remote Access Trojans to gain unauthorized access and control over a victim's computer remotely. These malicious tools allow hackers to perform various malicious activities like the following without the user's knowledge:-. Recently, ...
9 months ago Cybersecuritynews.com
FBI seizes Warzone RAT infrastructure, arrests malware vendor - The FBI dismantled the Warzone RAT malware operation, seizing infrastructure and arresting two individuals associated with the cybercrime operation. Daniel Meli, 27, a resident of Malta, was arrested last week for his role in the proliferation of ...
8 months ago Bleepingcomputer.com
BT's Successor Allison Kirkby CEO On 1 February - With current chief executive Philip Jansen stepping down at the end of the month, BT confirms February start for new boss. BT Group has confirmed the start date of its first female chief executive, who will lead the former UK telecoms incumbent from ...
9 months ago Silicon.co.uk
How Stealthy Python Rat Malware is Targeting Windows Systems - Cybersecurity experts have recently alerted Windows users to a new malware threat: a stealthy python-based RAT malware that is specifically targeting Windows systems. The malware, which has been dubbed “Python Rat” by security researchers, has ...
1 year ago Bleepingcomputer.com
Attack Vector vs Attack Surface: The Subtle Difference - Cybersecurity discussions about "Attack vectors" and "Attack surfaces" sometimes use these two terms interchangeably. This article guides you through the distinctions between attack vectors and attack surfaces to help you better understand the two ...
1 year ago Trendmicro.com
CVE-2024-50106 - In the Linux kernel, the following vulnerability has been resolved: nfsd: fix race between laundromat and free_stateid There is a race between laundromat handling of revoked delegations and a client sending free_stateid operation. Laundromat thread ...
2 days ago Tenable.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)