Krasue RAT malware hides on Linux servers using embedded rootkits


Krasue Linux malware hides seven-version rootkit in its binary

Security researchers discovered a remote access trojan they named Krasue that is targeting the Linux systems of telecommunications companies and has managed to remain undetected since 2021.

They found that Krasue's binary includes seven variants of a rootkit that support multiple Linux kernel versions and are based on code from three open-source projects.

According to researchers at cybersecurity company Group-IB, the main function of the malware is to maintain access to the host, which may indicate that it is deployed through a botnet or sold by initial access brokers to threat actors seeking access to a specific target.

The researchers believe that the Krasue remote access trojan (RAT) may be deployed during a later stage of the attack, specifically to maintain access to the victim host.

It is unclear how the malware is being distributed, but it could be delivered after exploitation of a vulnerability, following a credential brute-force attack, or even downloaded from an untrusted source as a package or binary impersonating a legitimate product.

Krasue's targeting appears to be limited to telecommunications companies in Thailand.

Threat actor's profile (Group-IB)

Rootkits inside

Analysis from Group-IB revealed that the rootkit inside Krasue RAT's binary is a Linux Kernel Module (LKM) that masquerades as an unsigned VMware driver after being executed.

Kernel-level rootkits are difficult to detect and remove because they operate at the same privilege level as the operating system.

The rootkit supports Linux kernel versions 2.6.x/3.10.x, which allows it to stay under the radar because older Linux servers typically have poor Endpoint Detection and Response coverage, the researchers say.

Group-IB found that all seven embedded rootkit versions feature the same system call and function call hooking capabilities and use the same fake “VMware User Mode Helper” name.

Rootkit's metadata (Group-IB)

Looking at the code, the researchers determined that the rootkit is based on three open-source LKM rootkits, specifically Diamorphine, Suterusu, and Rooty, all of them publicly available since at least 2017.

The Krasue rootkit can hide or unhide ports, make processes invisible, grant root privileges, and run the kill command on any process ID. It can also cover its traces by hiding malware-related files and directories.

When communicating with the command and control (C2) server, Krasue can receive the following commands:

  • ping – Reply with `pong`
  • master – Set the master upstream C2
  • info – Get information about the malware: main pid, child pid, and its status, such as “root: obtained root permissions,” “god: process is unable to be killed,” “hidden: process is hidden,” “module: rootkit is loaded”
  • restart – Restart the child process
  • respawn – Restart the main process
  • god die – Kill itself
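Rootkits derived from Diamorphine hide a process by filtering its entry out of directory listings of /proc, so `ps` and `ls /proc` omit it while `/proc/<pid>` can still be opened by name. The following added example (defender tooling written for this article, not Group-IB's code) compares the two views to surface such hidden PIDs; it assumes a Linux host with a normal /proc mount.

```python
"""Spot processes hidden from /proc directory listings (added example)."""
import os

PROC = "/proc"


def listed_pids(proc=PROC):
    """PIDs visible through a directory listing (the view ps/ls get)."""
    try:
        return {int(name) for name in os.listdir(proc) if name.isdigit()}
    except OSError:  # no procfs (non-Linux): nothing to compare
        return set()


def reachable_pids(pid_max, proc=PROC):
    """PIDs whose /proc/<pid> opens by direct path, bypassing readdir."""
    found = set()
    for pid in range(1, pid_max + 1):
        try:
            os.stat(f"{proc}/{pid}")  # path lookup is not filtered by getdents hooks
            found.add(pid)
        except OSError:
            pass
    return found


def hidden_pids(listed, reachable):
    """PIDs reachable by name but absent from the listing."""
    return sorted(reachable - listed)


def read_pid_max(default=32768):
    try:
        with open(f"{PROC}/sys/kernel/pid_max") as f:
            return int(f.read())
    except (OSError, ValueError):
        return default


def find_hidden(pid_max=None, proc=PROC):
    """Two-pass check: report a PID only if it is missing from the listing
    both before and after the direct-path scan and still exists afterwards,
    which filters out processes that merely started or exited mid-scan."""
    pid_max = pid_max or read_pid_max()
    before = listed_pids(proc)
    candidates = hidden_pids(before, reachable_pids(pid_max, proc))
    after = listed_pids(proc)
    return [p for p in candidates
            if p not in after and os.path.exists(f"{proc}/{p}")]


if __name__ == "__main__":
    print("hidden pids:", find_hidden() or "none")
```

Scanning the full pid_max range (4194304 on recent kernels) takes several seconds; a clean host returns an empty list.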

Group-IB discovered nine distinct C2 IP addresses hardcoded into the malware, with one using port 554, which is common in RTSP (Real Time Streaming Protocol) connections.

Using the RTSP application-level network protocol for malware C2 communication is not very common and could be seen as a signature in the case of Krasue.

RTSP is a network control protocol designed for streaming media servers, helping establish and control media playback sessions for video and audio streams, media navigation, managing conferencing streams, and more.

Although the origin of the Krasue malware is unknown, the researchers found some overlaps between its rootkit component and the rootkit of another Linux malware called XorDdos.

Group-IB believes this is an indication that the two malware families have a common author/operator. It is also possible that the developer of Krasue simply had access to the XorDdos code.

At this time, the type of threat actor behind Krasue is still a mystery, but the cybersecurity company has shared indicators of compromise and YARA rules to help defenders detect this threat and perhaps encourage other researchers to publish what they know about the malware.