Researchers from the cybersecurity company Group-IB have discovered a remote access trojan named Krasue RAT. This malware targets Linux systems belonging to telecommunications companies. The malware has been present since 2021 but has always managed to go unnoticed. The researchers found that Krasue's binary includes seven variants of a rootkit, which together support multiple versions of the Linux kernel and are based on the code of three open source projects. According to Group-IB, the main function of the malware is to maintain access to the host, which could suggest that it is distributed via a botnet or sold by initial access brokers to threat actors seeking access to a particular target. Researchers believe that the Krasue RAT can be used in a later phase of an attack precisely to maintain access to the victim's host.
Krasue RAT: a rootkit that is difficult to detect, especially on older versions of Linux
Group-IB's analysis revealed that the rootkit within the Krasue RAT binary is a Linux Kernel Module (LKM) which, once loaded, masquerades as an unsigned VMware driver. Kernel-level rootkits are difficult to detect and remove, as they operate at the same privilege level as the operating system itself. The rootkit supports Linux kernel versions 2.6.x/3.10.x, which, according to the researchers, helps it go unnoticed: older Linux servers typically have poor endpoint detection and response coverage. Group-IB found that all seven versions of the embedded rootkit have the same system call and function call hooking functionality and use the same fake name, "VMware User Mode Helper".
Researchers have noted that the rootkit is based on three open source LKM rootkits, namely Diamorphine, Suterusu and Rooty, all available since 2017. The Krasue RAT rootkit can hide or reveal ports, make processes invisible, grant root privileges and run the kill command against any process ID. It can also cover its tracks by hiding files and directories related to the malware. Researchers have not yet discovered how the malware is distributed; however, attackers could exploit a vulnerability, perform a brute-force attack on user credentials, or the malware could be downloaded from an untrusted source, such as a package or binary that pretends to be a legitimate product. To date, Krasue's focus appears to be limited to telecommunications companies in Thailand, but it is still wise to stay alert in case of future attacks in other countries.
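The two paragraphs above give a defender three concrete things to look for on a Linux host: a loaded module that is unsigned or out-of-tree yet presents itself as a VMware driver, a module labelled "VMware User Mode Helper", and a module that has been unlinked from the kernel's module list so that it no longer appears in lsmod. The following triage script is an added example written for this article; it is not Group-IB's tooling and not code from the Krasue binary or from Diamorphine, Suterusu or Rooty. It assumes two widely used facts about sysfs: only loadable modules have a /sys/module/<name>/initstate file (built-in kernel components do not), and the /sys/module/<name>/taint file, where the kernel provides it, contains "O" for out-of-tree and "E" for unsigned modules. The set of legitimate in-tree VMware guest drivers is an assumption drawn from common distribution kernels, and the sample host data is constructed for the demonstration. Older 2.6.x kernels may lack the taint file, in which case that check simply yields nothing.

```python
"""Triage helper for LKM-rootkit indicators (added example, not the article's
or the malware's code). Run on a Linux host as root, or import the functions
and feed them /proc/modules text and /sys/module listings collected elsewhere."""
import os
import re
from dataclasses import dataclass, field

FAKE_NAME = "VMware User Mode Helper"  # fake name reported in the article

# Assumption: in-tree VMware guest drivers on common distro kernels. Anything
# else with a vmw/vmx/vmware-style name deserves a second look.
KNOWN_VMWARE_MODULES = {"vmw_vmci", "vmw_balloon", "vmw_pvscsi", "vmwgfx",
                        "vmw_vsock_vmci_transport", "vmxnet3", "vsock"}


@dataclass
class SysModule:
    name: str
    loadable: bool                 # /sys/module/<name>/initstate exists
    taint: str = ""                # content of /sys/module/<name>/taint, if any
    labels: list = field(default_factory=list)  # extra name strings, e.g. modinfo description


def parse_proc_modules(text):
    """Parse /proc/modules ('name size refcount deps state offset') into
    {name: (size, refcount, state)}."""
    mods = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        mods[parts[0]] = (int(parts[1]), int(parts[2]), parts[4])
    return mods


def find_hidden_modules(proc_modules, sys_modules):
    """Loadable modules known to sysfs but missing from /proc/modules.
    Unlinking a module from the kernel's module list (the hiding technique
    Diamorphine uses) removes it from /proc/modules and lsmod, but its
    /sys/module directory normally remains behind."""
    return sorted(m.name for m in sys_modules
                  if m.loadable and m.name not in proc_modules)


def flag_suspicious(sys_modules):
    """Return [(name, [reasons])] for modules matching the article's indicators."""
    findings = []
    for m in sys_modules:
        reasons = []
        names = [m.name] + list(m.labels)
        if any(FAKE_NAME.lower() in s.lower() for s in names):
            reasons.append("label matches reported fake name %r" % FAKE_NAME)
        if re.match(r"vm(w|x|ware)", m.name) and m.name not in KNOWN_VMWARE_MODULES:
            reasons.append("VMware-looking name not in known in-tree driver set")
        if "E" in m.taint:
            reasons.append("unsigned module (taint flag E)")
        if "O" in m.taint:
            reasons.append("out-of-tree module (taint flag O)")
        if reasons:
            findings.append((m.name, reasons))
    return findings


def read_live_host():
    """Collect /proc/modules and /sys/module state from the running kernel."""
    with open("/proc/modules") as fh:
        proc = parse_proc_modules(fh.read())
    sysmods = []
    for name in sorted(os.listdir("/sys/module")):
        base = os.path.join("/sys/module", name)
        taint_path = os.path.join(base, "taint")
        taint = open(taint_path).read().strip() if os.path.exists(taint_path) else ""
        sysmods.append(SysModule(name, os.path.exists(os.path.join(base, "initstate")), taint))
    return proc, sysmods


# Constructed sample host data: one clean VMware driver, one filesystem
# module, one built-in component, and one stand-in hidden module carrying
# the reported fake name (the name 'sample_hidden_mod' is made up).
SAMPLE_PROC_MODULES = """\
vmw_vmci 90112 1 vmw_vsock_vmci_transport, Live 0x0000000000000000
ext4 806912 1 - Live 0x0000000000000000
"""
SAMPLE_SYS_MODULES = [
    SysModule("vmw_vmci", loadable=True),
    SysModule("ext4", loadable=True),
    SysModule("printk", loadable=False),
    SysModule("sample_hidden_mod", loadable=True, taint="OE", labels=[FAKE_NAME]),
]


def triage(proc_text, sys_modules):
    proc = parse_proc_modules(proc_text)
    return {"hidden": find_hidden_modules(proc, sys_modules),
            "suspicious": flag_suspicious(sys_modules)}


if __name__ == "__main__":
    if os.path.isdir("/sys/module") and os.path.exists("/proc/modules"):
        proc, sysmods = read_live_host()
        result = {"hidden": find_hidden_modules(proc, sysmods),
                  "suspicious": flag_suspicious(sysmods)}
    else:
        result = triage(SAMPLE_PROC_MODULES, SAMPLE_SYS_MODULES)
    for name in result["hidden"]:
        print("HIDDEN: %s is in /sys/module but not /proc/modules" % name)
    for name, reasons in result["suspicious"]:
        print("SUSPICIOUS: %s: %s" % (name, "; ".join(reasons)))
```

A hit from this script is a lead, not a verdict: unsigned out-of-tree modules are common on hosts with third-party drivers, so confirm by checking the module's file on disk, its load time in the kernel log and whether the process, port and file hiding described above is observable (for example, a listening socket visible from a neighbouring host but absent locally). On the sample data the constructed module is reported both as hidden and as suspicious, while the genuine vmw_vmci driver is not flagged.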