Next-Generation Technologies & Secure Development , Threat Intelligence

'Krasue' Linux RAT Targets Organizations in Thailand

RAT Is Tailored to Exploit Vulnerabilities in Linux Kernel Versions
'Krasue' Linux RAT Targets Organizations in Thailand
A remote access Trojan dubbed "Krasue" is targeting Thai organizations. (Image of Bangkok metro train in 2018: Shutterstock)

Hackers targeted telecommunications companies in Thailand with a Linux remote access Trojan designed to attack different versions of the open-source kernel, researchers say.

See Also: Malware Analysis Spotlight: Why Your EDR Let Pikabot Jump Through

Cybersecurity researchers at Group-IB dubbed the Trojan "Krasue," after a nocturnal spirit in Southeast Asian folklore.

Krasue poses a "severe risk to critical systems and sensitive data," Group-IB researchers wrote, dating the malware to 2021 based on an upload to VirusTotal. Group-IB researchers don't know the RAT's initial access vector or the scale of its deployment by hackers.

The attackers deploy Krasue in the later stages of an attack chain, once they have secured access to victim hosts. Its core functionality is its persistence, suggesting that hackers sell access to infected machines as part of a botnet or as the wares of an initial access broker.

The RAT exploits the vulnerabilities of older Linux servers and networks that lack robust endpoint detection and response coverage. Its rootkit - the malware embeds seven compiled versions - exhibits traits of three open-source loadable kernel module rootkits: Diamorphine, Suterusu and Rooty. This amalgamation allows Krasue to support various Linux kernel versions. The rootkit masquerades as a VMware driver but doesn't have a valid digital signature.

The RAT employs embedded rootkits tailored to exploit different versions of the Linux kernel. Drawing from three open-source Linux Kernel Module rootkits, Krasue hide its activities and evades detection. It hooks into critical system functions, including the kill() command used to terminate processes, network-related functions and file listing operations.

It also uses real-time streaming protocol messages, disguised as "alive pings," a tactic that Group-IB says is "rarely seen in the wild."

The malware uses an open-source packing tool to wrap itself in a bid for concealment, and it also enhances its evasion capabilities by daemonizing itself - i.e., running as a background process. It ignores process interruption signals known as SIGINT that users can send by pressing ctrl + c.

Researchers also observed a connection to the XorDdos Linux Trojan documented by Microsoft in 2022.

Researchers said that the authors of XorDdos - or someone with the access to same source code used by the authors of XorDdos - likely created Krasue.

About the Author

Prajeet Nair

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.