Security News > 2023 > December > Krasue RAT malware hides on Linux servers using embedded rootkits
Security researchers discovered a remote access trojan they named Krasue that is targeting Linux systems of telecommunications companies and managed to remain undetected since 2021.
According to researchers at cybersecurity company Group-IB, the main function of the malware is to maintain access to the host, which may suggest that it is deployed through a botnet or sold by initial access brokers to threat actors seeking access to a particular target.
Analysis from Group-IB revealed that the rootkit inside Krasue RAT's binary is a Linux Kernel Module that masquerades as an unsigned VMware driver after being executed.
The rootkit supports Linux Kernel versions are 2.6x/3.10.x, which allows it to stay under the radar because older Linux servers typically have poor Endpoint Detection and Response coverage, the researchers say.
Using the RTPS application-level network protocol for C2 malware communication is not too common and could be seen as a particularity in the case of Krasue.
Although the origin of Krasue malware is unknown, the researchers found in the rootkit portion some overlaps with the rootkit of another Linux malware called XorDdos.
News URL
Related news
- New Perfctl Malware Targets Linux Servers for Cryptocurrency Mining and Proxyjacking (source)
- Linux malware “perfctl” behind years-long cryptomining campaign (source)
- Linux systems targeted with stealthy “Perfctl” cryptomining malware (source)
- New scanner finds Linux, UNIX servers exposed to CUPS RCE attacks (source)
- New FASTCash malware Linux variant helps steal money from ATMs (source)
- New Linux Variant of FASTCash Malware Targets Payment Switches in ATM Heists (source)
- New Malware Campaign Uses PureCrypter Loader to Deliver DarkVision RAT (source)
- Perfctl malware strikes again as crypto-crooks target Docker Remote API servers (source)
- New CRON#TRAP Malware Infects Windows by Hiding in Linux VM to Evade Antivirus (source)
- Cybercriminals Use Excel Exploit to Spread Fileless Remcos RAT Malware (source)