Krasue RAT Trojan hides on Linux servers using a kernel rootkit

Brother

The main task of the Linux Trojan, dubbed Krasue by Group-IB, is to maintain remote access to the infected host. Persistence and stealth are provided by rootkits tailored to different versions of the OS kernel.

How the malware gets into the system is not known for certain; it may be an exploit, a brute-force attack, or a download disguised as legitimate software. The researchers do not rule out that the RAT is deployed as part of a botnet or sold as an initial-access service to other operators.

The analysis showed that the Krasue binary contains seven variants of the kernel-mode rootkit, compatible with Linux kernel branches 2.6.x and 3.10.x. This choice is probably explained by the fact that modern EDR coverage rarely extends to such aging Linux servers.

The rootkit itself turned out to be a derivative of three open-source projects: Diamorphine, Suterusu, and Rooty. Its source code is also similar to that of the rootkit used by another Linux malware family, XorDdos.

As a disguise, the malicious Linux kernel module masquerades as an unsigned VMware driver (its module description reads "VMware User Mode Helper"). The module can hook the kill() system call, place hooks on network-related functions, and hide its files and directories, processes, and ports.
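Hiding processes and ports by filtering what the kernel returns leaves a gap that a host-side check can exploit: a getdents()-filtering rootkit removes entries from a directory listing of /proc, but /proc/<pid> still opens when addressed directly, and a port hidden from /proc/net/tcp is still refused by bind() with EADDRINUSE. The script below is an added example (not Group-IB's tooling or anything from the Krasue analysis) that applies both checks; the /proc/net/tcp text and the simulated PID and port sets are constructed for an offline dry run, while the live_* functions probe the host the script runs on.

```python
import errno
import os
import socket


def parse_proc_net_tcp(text):
    """Local ports in LISTEN state (st == 0A) from the text of /proc/net/tcp.
    Column 2 is hex ip:port, column 4 is the socket state."""
    ports = set()
    for line in text.splitlines()[1:]:            # skip the header row
        fields = line.split()
        if len(fields) >= 4 and fields[3] == "0A":
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports


def hidden_pids(listed_pids, pid_exists, pid_max):
    """PIDs reachable directly under /proc but absent from its directory listing.
    A rootkit that filters getdents() hides the entry, yet /proc/<pid> still opens."""
    return sorted(p for p in range(1, pid_max + 1)
                  if p not in listed_pids and pid_exists(p))


def hidden_listening_ports(listed_ports, port_in_use, ports):
    """Ports the kernel reports as already in use that /proc/net/tcp does not list."""
    return sorted(p for p in ports if p not in listed_ports and port_in_use(p))


# --- live probes (run on the host being checked) ---------------------------
def live_listed_pids():
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}


def live_pid_exists(pid):
    return os.path.exists(f"/proc/{pid}/status")


def live_port_in_use(port):
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind(("0.0.0.0", port))
        except OSError as e:                      # EACCES on <1024 as non-root is not "in use"
            return e.errno == errno.EADDRINUSE
    return False


def run_live(port_range=range(1024, 65536)):
    with open("/proc/net/tcp") as f:
        listed_ports = parse_proc_net_tcp(f.read())
    with open("/proc/sys/kernel/pid_max") as f:
        pid_max = int(f.read())
    return (hidden_pids(live_listed_pids(), live_pid_exists, pid_max),
            hidden_listening_ports(listed_ports, live_port_in_use, port_range))


# --- constructed sample (not a real capture) for an offline dry run ---------
SAMPLE_PROC_NET_TCP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0 100 0 0 10 0\n"
    "   1: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 1002 1 0 100 0 0 10 0\n"
    "   2: 0A00000A:C350 0B00000A:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 1003 1 0 100 0 0 10 0\n"
)
SIMULATED_LISTING = {1, 2, 100}            # what readdir(/proc) showed
SIMULATED_EXISTING = {1, 2, 100, 1337}     # what direct /proc/<pid> access answers
SIMULATED_BOUND = {22, 8080, 4444}         # what bind() reports as already in use


def run_simulated():
    listed_ports = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)
    return (hidden_pids(SIMULATED_LISTING, lambda p: p in SIMULATED_EXISTING, 2000),
            hidden_listening_ports(listed_ports, lambda p: p in SIMULATED_BOUND, range(1, 65536)))


if __name__ == "__main__":
    print("dry run:", run_simulated())      # ([1337], [4444])
    print("live:", run_live())
```

Short-lived processes can appear between the listing and the probe, so run the PID check twice and keep only PIDs reported both times; the port check covers IPv4 only (add /proc/net/tcp6 and an AF_INET6 bind for a full picture) and needs root to test ports below 1024. A rootkit that also hooks the open()/stat() path for /proc will defeat the PID check, at which point memory forensics from outside the running kernel is the remaining option.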

Nine C2 IP addresses are embedded in the Krasue code; one of them uses port 554, where the RTSP service normally listens. As it turned out, the malware uses RTSP messages to disguise its keep-alive (ping) packets, and this has become its calling card.
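A server that talks RTSP on a fixed schedule without ever asking for media is worth a look, because a real RTSP client sends OPTIONS once and then moves on to DESCRIBE/SETUP/PLAY. The heuristic below is an added example, not a published Krasue signature: it parses the RTSP request line (RFC 2326) out of captured payloads, groups requests per (source, destination, port), and flags peers that only ever send non-session methods at near-constant intervals. The exact content of Krasue's fake RTSP messages is not given on this page, so the sample flows are constructed; the jitter threshold and the minimum request count are tuning assumptions.

```python
import re
from collections import defaultdict

# Request line of an RTSP request: METHOD SP Request-URI SP RTSP/1.x CRLF
RTSP_REQUEST_LINE = re.compile(rb"^([A-Z_]+) (\S+) RTSP/1\.\d\r\n")
# A client that actually wants media progresses to at least one of these.
SESSION_METHODS = {b"DESCRIBE", b"SETUP", b"PLAY"}


def rtsp_method(payload):
    """Return the RTSP method of a request payload, or None if it is not RTSP."""
    m = RTSP_REQUEST_LINE.match(payload)
    return m.group(1) if m else None


def rtsp_beacon_candidates(flows, min_requests=3, max_jitter=0.25):
    """flows: iterable of (timestamp_seconds, src_ip, dst_ip, dst_port, payload).
    Returns [((src, dst, port), request_count, mean_interval), ...] for peers that
    send only non-session RTSP requests at regular intervals (beacon-like)."""
    by_peer = defaultdict(list)
    for ts, src, dst, dport, payload in flows:
        method = rtsp_method(payload)
        if method is not None:
            by_peer[(src, dst, dport)].append((ts, method))
    hits = []
    for peer, events in sorted(by_peer.items()):
        methods = {m for _, m in events}
        if methods & SESSION_METHODS or len(events) < min_requests:
            continue
        stamps = sorted(t for t, _ in events)
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and max(abs(g - mean) for g in gaps) <= max_jitter * mean:
            hits.append((peer, len(events), round(mean, 1)))
    return hits


# Constructed sample traffic (not a real capture). 203.0.113.7 is a documentation
# address standing in for a C2; 10.0.0.20 plays a legitimate camera/NVR.
def _options(host):
    return b"OPTIONS rtsp://" + host + b":554/ RTSP/1.0\r\nCSeq: 1\r\n\r\n"


SAMPLE_FLOWS = [
    (0,   "10.0.0.5", "203.0.113.7", 554, _options(b"203.0.113.7")),
    (60,  "10.0.0.5", "203.0.113.7", 554, _options(b"203.0.113.7")),
    (121, "10.0.0.5", "203.0.113.7", 554, _options(b"203.0.113.7")),
    (180, "10.0.0.5", "203.0.113.7", 554, _options(b"203.0.113.7")),
    (5,   "10.0.0.9", "10.0.0.20", 554, _options(b"10.0.0.20")),
    (6,   "10.0.0.9", "10.0.0.20", 554, b"DESCRIBE rtsp://10.0.0.20:554/cam1 RTSP/1.0\r\nCSeq: 2\r\n\r\n"),
    (7,   "10.0.0.9", "10.0.0.20", 554, b"SETUP rtsp://10.0.0.20:554/cam1/track1 RTSP/1.0\r\nCSeq: 3\r\n\r\n"),
    (8,   "10.0.0.9", "10.0.0.20", 554, b"PLAY rtsp://10.0.0.20:554/cam1 RTSP/1.0\r\nCSeq: 4\r\n\r\n"),
    (30,  "10.0.0.11", "10.0.0.20", 554, b"GET / HTTP/1.1\r\nHost: 10.0.0.20\r\n\r\n"),  # not RTSP
]


if __name__ == "__main__":
    for peer, n, interval in rtsp_beacon_candidates(SAMPLE_FLOWS):
        print(f"{peer[0]} -> {peer[1]}:{peer[2]}: {n} RTSP requests every ~{interval}s, no media session")
```

Feed it reassembled TCP payloads from a capture (one tuple per request), and keep the allow-list of hosts that legitimately speak RTSP separate from the heuristic: on a telecom or web server, any outbound RTSP at all is already the finding, and the port being 554 matters less than the behaviour, since the remaining C2 addresses on the page use other ports.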

C2 communications are encrypted with AES-CBC using a static key (22 32 A4 98 A1 4F 2E 44 CF 55 93 B7 91 59 BE A6). On command, the malware can set the current C2 address as the primary one, report its status, completed actions and errors, and terminate its own process (the "god die" command).
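A hard-coded key is also a 16-byte indicator that survives in the binary and in the memory of a running sample, so it can be hunted for directly. The scanner below is an added example (not Group-IB's tooling) that searches a file or memory image for the key and for the module description string in chunks, carrying an overlap across chunk boundaries so a match straddling two reads is not missed. It assumes the key is stored as raw bytes and the description as plain ASCII; both are assumptions about the sample's layout, not facts from the page, and the test data is constructed.

```python
import io

KRASUE_AES_KEY = bytes.fromhex("2232A498A14F2E44CF5593B79159BEA6")

IOCS = {
    "krasue_aes_cbc_key": KRASUE_AES_KEY,
    # assumed stored as plain ASCII in the module's .modinfo description
    "vmware_user_mode_helper_desc": b"VMware User Mode Helper",
}


def scan_bytes(data, patterns):
    """All (name, offset) matches of each pattern inside an in-memory buffer."""
    hits = []
    for name, pat in patterns.items():
        start = 0
        while True:
            i = data.find(pat, start)
            if i < 0:
                break
            hits.append((name, i))
            start = i + 1                      # allow overlapping matches
    return sorted(hits, key=lambda h: (h[1], h[0]))


def scan_stream(fileobj, patterns, chunk_size=1 << 20):
    """Scan a file-like object chunk by chunk, keeping the last len(longest)-1
    bytes of the previous chunk so matches across a boundary are still found.
    Returns (name, absolute_offset) pairs sorted by offset."""
    overlap = max(len(p) for p in patterns.values()) - 1
    carry = b""
    pos = 0                                    # file offset of the next chunk
    hits = []
    while True:
        chunk = fileobj.read(chunk_size)
        if not chunk:
            break
        buf = carry + chunk
        base = pos - len(carry)                # file offset of buf[0]
        for name, i in scan_bytes(buf, patterns):
            # matches that end inside the carry were reported last round
            if i + len(patterns[name]) > len(carry):
                hits.append((name, base + i))
        carry = buf[-overlap:] if overlap > 0 else b""
        pos += len(chunk)
    return sorted(hits, key=lambda h: (h[1], h[0]))


def scan_file(path, patterns=IOCS):
    with open(path, "rb") as f:
        return scan_stream(f, patterns)


# Constructed test image: 2048 bytes of a counting pattern with the key placed
# across the 1024-byte chunk boundary and the description string at offset 300.
def build_sample_image():
    data = bytearray(bytes(range(256)) * 8)
    data[300:300 + len(IOCS["vmware_user_mode_helper_desc"])] = IOCS["vmware_user_mode_helper_desc"]
    data[1020:1020 + len(KRASUE_AES_KEY)] = KRASUE_AES_KEY
    return bytes(data)


def scan_sample_image():
    return scan_stream(io.BytesIO(build_sample_image()), IOCS, chunk_size=1024)


if __name__ == "__main__":
    import sys
    hits = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan_sample_image()
    for name, off in hits:
        print(f"{name} at offset {off:#x}")
```

Because the rootkit hides its own files from a running system, run the scanner against disk images taken from a clean boot, against a memory dump, or against /proc/kcore from a trusted kernel rather than against the live filesystem of a suspect host. Finding the key in a capture-side tool also means recorded C2 traffic can be decrypted offline, but the framing and IV handling of the protocol are not described here, so that step is not implemented.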

The first Krasue samples were uploaded to VirusTotal in 2021. Attacks using it mainly target Thailand's telecom sector.
 