Why does the unknown Trojan remain invisible and how is it related to the ancient XORDDoS malware?
The Group-IB discovered a new, previously unknown Remote Access Trojan (RAT) codenamed Krasue, which has been attacking telecommunications companies in Thailand since 2021. The malware is named after the nocturnal female spirit from Southeast Asian folklore and is able to hide its presence in the early stages of infection.
The exact method of initial penetration of Krasue has not yet been established, but experts suggest that attackers can exploit system vulnerabilities, brute-force attacks, or infection using fake software packages.
Krasue disguises itself as an unsigned VMware driver and uses a rootkit based on the open source projects Diamorphine, Suterusu, and Rooty. This allows the Trojan to remain undetected and maintain persistence on infected systems.
There is a possibility that Krasue is used as part of a botnet or sold by Initial Access Brokers (IAB) to other cybercriminals, such as groups engaged in ransomware attacks.
The rootkit can intercept system calls associated with the termination of processes (for example, ' kill ()’ ), network functions, and file enumeration operations to hide your activities and avoid detection. It is noteworthy that Krasue uses masked RTSP (Real Time Streaming Protocol) messages to confirm its activity, which is quite a rare tactic.
The malware can also establish a hierarchy of command and control servers (C2), get information about the infected system, and even self-destruct.
In addition, Krasue has similarities in the source code with another Linux malware called XORDDoS, which suggests that they were developed by a single author or group with access to the XORDDoS source codes.
At the moment, Group-IB has confirmed 1 case of Krasue infection and is investigating 3 more potential incidents. However, according to experts, the actual number of affected companies may be much higher. Group-IB noted that the available information is not enough to identify the creators of Krasue or identify groups that use the Trojan in attacks. However, the ability of malware to remain undetected for a long time underscores the need for constant vigilance and implementation of more robust security measures.
The Group-IB discovered a new, previously unknown Remote Access Trojan (RAT) codenamed Krasue, which has been attacking telecommunications companies in Thailand since 2021. The malware is named after the nocturnal female spirit from Southeast Asian folklore and is able to hide its presence in the early stages of infection.
The exact method of initial penetration of Krasue has not yet been established, but experts suggest that attackers can exploit system vulnerabilities, brute-force attacks, or infection using fake software packages.
Krasue disguises itself as an unsigned VMware driver and uses a rootkit based on the open source projects Diamorphine, Suterusu, and Rooty. This allows the Trojan to remain undetected and maintain persistence on infected systems.
There is a possibility that Krasue is used as part of a botnet or sold by Initial Access Brokers (IAB) to other cybercriminals, such as groups engaged in ransomware attacks.
The rootkit can intercept system calls associated with the termination of processes (for example, ' kill ()’ ), network functions, and file enumeration operations to hide your activities and avoid detection. It is noteworthy that Krasue uses masked RTSP (Real Time Streaming Protocol) messages to confirm its activity, which is quite a rare tactic.
The malware can also establish a hierarchy of command and control servers (C2), get information about the infected system, and even self-destruct.
In addition, Krasue has similarities in the source code with another Linux malware called XORDDoS, which suggests that they were developed by a single author or group with access to the XORDDoS source codes.
At the moment, Group-IB has confirmed 1 case of Krasue infection and is investigating 3 more potential incidents. However, according to experts, the actual number of affected companies may be much higher. Group-IB noted that the available information is not enough to identify the creators of Krasue or identify groups that use the Trojan in attacks. However, the ability of malware to remain undetected for a long time underscores the need for constant vigilance and implementation of more robust security measures.
