Security News > 2023 > December > Krasue RAT malware hides on Linux servers using embedded rootkits

Security researchers discovered a remote access trojan they named Krasue that is targeting Linux systems of telecommunications companies and managed to remain undetected since 2021.

According to researchers at cybersecurity company Group-IB, the main function of the malware is to maintain access to the host, which may suggest that it is deployed through a botnet or sold by initial access brokers to threat actors seeking access to a particular target.

Analysis from Group-IB revealed that the rootkit inside Krasue RAT's binary is a Linux Kernel Module that masquerades as an unsigned VMware driver after being executed.

The rootkit supports Linux Kernel versions are 2.6x/3.10.x, which allows it to stay under the radar because older Linux servers typically have poor Endpoint Detection and Response coverage, the researchers say.

Using the RTPS application-level network protocol for C2 malware communication is not too common and could be seen as a particularity in the case of Krasue.

Although the origin of Krasue malware is unknown, the researchers found in the rootkit portion some overlaps with the rootkit of another Linux malware called XorDdos.

News URL

https://www.bleepingcomputer.com/news/security/krasue-rat-malware-hides-on-linux-servers-using-embedded-rootkits/