Attackers likely tied to the creators of the XorDdos Linux remote access Trojan have been wielding a separate Linux RAT for nearly two years without detection, using it to target organizations in Thailand and maintain malicious access to infected systems.
The RAT, dubbed Krasue - named for a nocturnal native spirit in Southeast Asian folklore - uses a combination of stealthy techniques to fly under the radar, including the use of a rootkit that embeds seven compiled versions within it to support various versions of the Linux kernel, researchers from Group-IB reported in a blog post published Dec. 7.
The primary functionality of the RAT - which appeared on VirusTotal in 2021 but has never been publicly reported - is to maintain access to the host.
Krasue was likely created by the same author as the XorDdos Linux Trojan, or at least had access to the same source code, the researchers said.
RTSP (Real Time Streaming Protocol) is typically used to control the delivery of real-time media streams over IP networks, such as in video streaming and video-surveillance systems.
The method of gaining initial access to systems infected by Krasue is unclear, though likely pathways include vulnerability exploitation or credential brute-force attacks.
Another, albeit less likely, option for initial access could be that the RAT is downloaded as part of a deceptive package or binary - such as a fake product update - from a malicious third-party source, the researchers added.
While Group-IB observed the RAT being used mainly to target the telecom sector, the researchers believe that organizations in other verticals also were likely targets.
It's also likely that Krasue was deployed later in the attack chain once a cybercriminal already has intruded on a targeted network.
Keeping a Low Profile via Linux Rootkit

Given its combination of stealthy characteristics, it's no surprise that Krasue RAT has lurked undetected for two years, the researchers said.
Some of these techniques lie in the use and functionality of the Krasue rootkit, which is a Linux Kernel Module, or an object file that can be dynamically loaded into the kernel at runtime.
On an infected system, the rootkit masquerades as a VMware driver without a valid digital signature.
Because of its nature as an LKM, the rootkit, which targets Linux kernel versions 2.6.x/3.10.x, extends the functionality of the kernel without having to recompile or modify the entire kernel source code.
Another reason Krasue has managed to evade detection is that it uses UPX packing.
Packed malware samples typically are more difficult to detect by security solutions, and older Linux servers often have poor endpoint detection and response coverage anyway, the researchers said.
The RAT also enhances its evasion capabilities by daemonizing itself, running as a background process, and disregarding SIGINT signals, the last of which means that the malware remains unaffected by interruption signals sent when the user terminates the process by pressing Ctrl-C.

Krasue also has features to obscure its communications with the command-and-control network, including using nine hardcoded IP addresses for its master C2 and its aforementioned use of RTSP for communication - which is rare for cybercriminals - among them, Low said.
Security Recommendations for Linux RATs

Group-IB made a number of recommendations for security professionals to alert them of potential infection by Krasue RAT. One is to be on the lookout for anomalous RTSP traffic, which could alert to the existence of the malware on a system.
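As an added illustration of that first recommendation (this is example code, not from Group-IB or the article), the following Python sketch flags RTSP protocol framing seen from hosts that have no business speaking RTSP, or on ports other than the standard 554. The hosts, flows and allowlist are constructed for the example; nothing in it models Krasue's own message format, which the article does not describe, so it only recognizes ordinary RTSP request and status lines.

```python
import re
from dataclasses import dataclass

# RTSP/1.0 request line (RFC 2326 methods) and status line, matched at the
# start of any line in the payload. Only the protocol framing is matched.
RTSP_METHODS = (b"OPTIONS|DESCRIBE|ANNOUNCE|SETUP|PLAY|PAUSE|TEARDOWN|"
                b"GET_PARAMETER|SET_PARAMETER|REDIRECT|RECORD")
RTSP_REQUEST = re.compile(
    rb"^(?:" + RTSP_METHODS + rb") (?:rtsp://\S+|\*) RTSP/1\.0\r?$", re.M)
RTSP_RESPONSE = re.compile(rb"^RTSP/1\.0 \d{3} ", re.M)
RTSP_PORT = 554


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes  # first bytes of the TCP stream, as a sensor would capture them


def is_rtsp(payload: bytes) -> bool:
    """True if the payload carries an RTSP request line or status line."""
    return bool(RTSP_REQUEST.search(payload) or RTSP_RESPONSE.search(payload))


def classify(flow: Flow, rtsp_allowed_sources: set) -> list:
    """Alert reasons for one flow; an empty list means nothing suspicious."""
    reasons = []
    if not is_rtsp(flow.payload):
        return reasons
    # A server that is not a known media/surveillance endpoint should never
    # originate RTSP at all.
    if flow.src not in rtsp_allowed_sources:
        reasons.append("rtsp-from-unexpected-host")
    # Legitimate RTSP has 554 on the server side; RTSP framing on e.g. 443
    # is a protocol/port mismatch worth a look.
    if RTSP_PORT not in (flow.sport, flow.dport):
        reasons.append("rtsp-on-nonstandard-port")
    return reasons


def scan_flows(flows, rtsp_allowed_sources) -> list:
    """(src, dst, reasons) for every flow that raised at least one reason."""
    alerts = []
    for f in flows:
        reasons = classify(f, rtsp_allowed_sources)
        if reasons:
            alerts.append((f.src, f.dst, reasons))
    return alerts


# Constructed sample data (not captured traffic). 10.0.5.20 is the one host on
# this hypothetical network expected to speak RTSP (a surveillance recorder);
# 10.0.9.31 is an application server that never should.
ALLOWED_RTSP_SOURCES = {"10.0.5.20"}
SAMPLE_FLOWS = [
    Flow("10.0.5.20", 49152, "10.0.5.200", 554,
         b"OPTIONS rtsp://10.0.5.200/cam1 RTSP/1.0\r\nCSeq: 1\r\n\r\n"),
    Flow("10.0.9.31", 50321, "203.0.113.7", 443,
         b"OPTIONS rtsp://203.0.113.7/ RTSP/1.0\r\nCSeq: 2\r\n\r\n"),
    Flow("203.0.113.7", 443, "10.0.9.31", 50321,
         b"RTSP/1.0 200 OK\r\nCSeq: 2\r\n\r\n"),
    Flow("10.0.9.31", 50322, "198.51.100.4", 443,
         b"GET /health HTTP/1.1\r\nHost: api.example\r\n\r\n"),
]

if __name__ == "__main__":
    for src, dst, reasons in scan_flows(SAMPLE_FLOWS, ALLOWED_RTSP_SOURCES):
        print(f"{src} -> {dst}: {', '.join(reasons)}")
```

The allowlist is the part that makes this usable: on a telecom application server the expected set of RTSP speakers is usually empty, so any match is an alert, while on a network with real surveillance gear the recorder and cameras go in the set and only the port mismatch remains as a signal.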
The researchers also recommended that organizations download software and packages only from trusted and official sources, using reputable repositories provided by their Linux distribution or verified third-party sources with a strong reputation for security.
Administrators also should enable kernel module signature verification by configuring the Linux kernel to only load signed modules.
Other security steps administrators can take to avoid compromise are to monitor system and network logs - regularly reviewing them for any suspicious activity - and to conduct periodic security audits.
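Added example, not code from the article or from Group-IB: a Python check covering the last two recommendations. It reads whether the running kernel enforces module signatures (`/sys/module/module/parameters/sig_enforce`), decodes the module-related bits of `/proc/sys/kernel/tainted`, lists loaded modules carrying the unsigned (`E`) taint flag in `/proc/modules`, and pulls module names out of the kernel's "module verification failed" log line. The module name `vmw_example`, the sample `/proc/modules` contents and the dmesg lines are constructed for the example and are not Krasue indicators.

```python
import re
import subprocess

# Kernel taint bits relevant to module loading
# (Documentation/admin-guide/tainted-kernels.rst).
TAINT_BITS = {
    1 << 1:  "forced-module-load",  # 'F'
    1 << 12: "out-of-tree-module",  # 'O'
    1 << 13: "unsigned-module",     # 'E'
}

# Logged when a module fails signature verification while enforcement is off:
# the kernel loads it anyway and sets the 'E' taint.
VERIFY_FAILED = re.compile(r"^(?:\[[^\]]*\]\s*)?(\S+): module verification failed")

SIG_ENFORCE_PATH = "/sys/module/module/parameters/sig_enforce"
TAINTED_PATH = "/proc/sys/kernel/tainted"
PROC_MODULES_PATH = "/proc/modules"


def decode_taint(value: int) -> list:
    """Names of the module-related taint bits set in the tainted bitmask."""
    return [name for bit, name in sorted(TAINT_BITS.items()) if value & bit]


def parse_proc_modules(text: str) -> list:
    """(name, taint_flags) per /proc/modules line; flags are the trailing '(...)' field."""
    out = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        flags = fields[-1].strip("()") if fields[-1].startswith("(") else ""
        out.append((fields[0], flags))
    return out


def unsigned_modules(text: str) -> list:
    """Loaded modules the kernel marked as unsigned."""
    return [name for name, flags in parse_proc_modules(text) if "E" in flags]


def verification_failures(dmesg_lines) -> list:
    """Module names from 'module verification failed' kernel log entries."""
    names = []
    for line in dmesg_lines:
        m = VERIFY_FAILED.match(line)
        if m:
            names.append(m.group(1))
    return names


def assess(sig_enforce: str, taint: int, proc_modules: str, dmesg_lines) -> dict:
    """Combine the four inputs into one report dict."""
    return {
        "sig_enforce": sig_enforce.strip() == "Y",
        "taint": decode_taint(taint),
        "unsigned_modules": unsigned_modules(proc_modules),
        "verification_failures": verification_failures(dmesg_lines),
    }


def read_live() -> dict:
    """Assess the running system (Linux only; dmesg may require root)."""
    def slurp(path, default):
        try:
            with open(path) as fh:
                return fh.read()
        except OSError:   # file absent: kernel built without module signing
            return default
    try:
        dmesg = subprocess.run(["dmesg"], capture_output=True,
                               text=True).stdout.splitlines()
    except OSError:
        dmesg = []
    return assess(slurp(SIG_ENFORCE_PATH, "N"), int(slurp(TAINTED_PATH, "0")),
                  slurp(PROC_MODULES_PATH, ""), dmesg)


# Constructed sample inputs: one unsigned out-of-tree module loaded on a
# non-enforcing kernel, alongside two in-tree modules.
SAMPLE_PROC_MODULES = """\
vmw_example 16384 0 - Live 0xffffffffc0a00000 (OE)
ext4 802816 1 - Live 0xffffffffc0500000
xfs 1634304 0 - Live 0xffffffffc0300000
"""
SAMPLE_DMESG = [
    "[   12.345678] vmw_example: loading out-of-tree module taints kernel.",
    "[   12.345701] vmw_example: module verification failed: signature "
    "and/or required key missing - tainting kernel",
    "[   12.400000] EXT4-fs (sda1): mounted filesystem",
]
SAMPLE_TAINT = (1 << 12) | (1 << 13)

if __name__ == "__main__":
    print(assess("N", SAMPLE_TAINT, SAMPLE_PROC_MODULES, SAMPLE_DMESG))
```

Enforcement itself is a build or boot setting (CONFIG_MODULE_SIG_FORCE=y, or module.sig_enforce=1 on the kernel command line); this script only reports the state. Note that the `E` taint can only appear on a non-enforcing kernel, since an enforcing one refuses the module outright, and that the 2.6.x kernels the rootkit also targets predate module signing (added in 3.7), so on those the sig_enforce file does not exist at all and the check falls back to reporting enforcement as off.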
This Cyber News was published on www.darkreading.com. Publication date: Thu, 07 Dec 2023 17:50:17 +0000