The cybersecurity landscape has been shaken by the emergence of a new Linux remote access trojan (RAT) named Krasue. This malware has been identified as targeting telecommunications companies in Thailand since at least 2021, providing threat actors with covert access to victim networks. Group-IB, a cybersecurity firm, has released findings indicating the sophistication of this malware.

Named after a spirit from Southeast Asian folklore, Krasue is designed to obscure its presence during initial deployment, according to Group-IB’s analysis shared with The Hacker News. The means of initial access that threat actors use to deploy Krasue remain unclear, though potential methods include vulnerability exploitation, brute-force credential attacks, or inclusion in fraudulent software packages.

Krasue’s functionality largely stems from a rootkit that pretends to be an unsigned VMware driver, enabling it to maintain persistence without detection. This rootkit incorporates elements from open-source projects such as Diamorphine, Suterusu, and Rooty. The malware could either serve as part of a botnet or be sold by initial access brokers to other cybercriminals, such as ransomware operators looking for entry points into the networks of specific organizations.

According to Sharmine Low, a malware analyst at Group-IB, the rootkit can manipulate the `kill()` syscall, along with network and file-related functions, to effectively conceal its operations. Such techniques correspond to tactics catalogued in the MITRE ATT&CK framework, notably under initial access and persistence.
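A rootkit built on Diamorphine-style code typically hides itself by unlinking its entry from the kernel's module list, so it disappears from `/proc/modules` (and `lsmod`) while its sysfs directory under `/sys/module` remains. The following added example (written for this page, not Group-IB's tooling or anything from the Krasue samples) cross-checks the two views and also flags loaded modules whose per-module taint flags mark them as unsigned, which fits the "unsigned VMware driver" disguise described above. The sample `/proc/modules` text and sysfs dictionary are constructed, and the module name `vmware_driver` is a placeholder, since the page does not give the real one.

```python
from pathlib import Path

# Constructed sample of /proc/modules content (not captured from a real host).
SAMPLE_PROC_MODULES = """\
vmw_vmci 90112 1 vmw_vsock_vmci_transport, Live 0x0000000000000000
ext4 839680 2 - Live 0x0000000000000000
"""

# Constructed sysfs view: module name -> contents of /sys/module/<name>/taint.
# 'vmware_driver' is a placeholder for a module that has unlinked itself from
# the module list but still has a sysfs directory; "OE" = out-of-tree, unsigned.
SAMPLE_SYSFS = {
    "vmw_vmci": "",
    "ext4": "",
    "vmware_driver": "OE",
}


def parse_proc_modules(text):
    """Return the set of module names (first column) from /proc/modules text."""
    return {line.split()[0] for line in text.splitlines() if line.strip()}


def read_sysfs_modules(sys_module=Path("/sys/module")):
    """Map each loadable module seen in sysfs (it has an 'initstate' file) to its taint flags."""
    modules = {}
    for entry in sys_module.iterdir():
        if (entry / "initstate").is_file():
            taint = entry / "taint"
            modules[entry.name] = taint.read_text().strip() if taint.is_file() else ""
    return modules


def find_hidden_modules(proc_names, sysfs_modules):
    """Modules present in sysfs as loaded but missing from /proc/modules."""
    return sorted(set(sysfs_modules) - set(proc_names))


def find_unsigned_modules(sysfs_modules):
    """Modules whose taint flags contain 'E' (module signature missing or invalid)."""
    return sorted(name for name, flags in sysfs_modules.items() if "E" in flags)


def scan(proc_text, sysfs_modules):
    """Combine both heuristics into one report for the given snapshots."""
    proc_names = parse_proc_modules(proc_text)
    return {
        "hidden": find_hidden_modules(proc_names, sysfs_modules),
        "unsigned": find_unsigned_modules(sysfs_modules),
    }


if __name__ == "__main__":
    print("constructed sample:", scan(SAMPLE_PROC_MODULES, SAMPLE_SYSFS))
    if Path("/proc/modules").is_file():  # live check on a Linux host
        print("this host:", scan(Path("/proc/modules").read_text(), read_sysfs_modules()))
```

A rootkit that also deletes its sysfs kobject evades the first heuristic, so treat an empty result as absence of this particular hiding technique, not as a clean host.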

In a notable twist, Krasue utilizes Real-Time Streaming Protocol (RTSP) messages as a disguised “alive ping,” a tactic not commonly observed in cyberattacks. The malware’s command-and-control capabilities enable it to designate a communicating IP as its master server and further facilitate the gathering of information about the malware or even its own termination.

Interestingly, there appears to be a code resemblance between Krasue and another Linux malware known as XorDdos. This similarity indicates either that the same developers are behind both malware families or that cybercriminals had access to XorDdos’s source code. Group-IB has reported at least one confirmed case involving Krasue and is currently investigating three additional potential incidents. However, it is suspected that the actual number of affected organizations may be higher.

Group-IB’s analysts emphasize that there is insufficient information to definitively attribute Krasue to a specific creator or group. Nonetheless, the malware’s capacity to remain undetected for prolonged periods reinforces the critical need for businesses to maintain vigilance and strengthen their cybersecurity protocols.
