Security News > 2023 > December > Krasue RAT malware hides on Linux servers using embedded rootkits
Security researchers discovered a remote access trojan they named Krasue that is targeting Linux systems of telecommunications companies and managed to remain undetected since 2021.
According to researchers at cybersecurity company Group-IB, the main function of the malware is to maintain access to the host, which may suggest that it is deployed through a botnet or sold by initial access brokers to threat actors seeking access to a particular target.
Analysis from Group-IB revealed that the rootkit inside Krasue RAT's binary is a Linux Kernel Module that masquerades as an unsigned VMware driver after being executed.
The rootkit supports Linux Kernel versions are 2.6x/3.10.x, which allows it to stay under the radar because older Linux servers typically have poor Endpoint Detection and Response coverage, the researchers say.
Using the RTPS application-level network protocol for C2 malware communication is not too common and could be seen as a particularity in the case of Krasue.
Although the origin of Krasue malware is unknown, the researchers found in the rootkit portion some overlaps with the rootkit of another Linux malware called XorDdos.
News URL
Related news
- DinodasRAT malware targets Linux servers in espionage campaign (source)
- Stealthy GTPDOOR Linux malware targets mobile operator networks (source)
- Magnet Goblin hackers use 1-day flaws to drop custom Linux malware (source)
- Hackers leverage 1-day vulnerabilities to deliver custom Linux malware (source)
- Week in review: Cybersecurity job openings, hackers use 1-day flaws to drop custom Linux malware (source)
- Suspected Russian Data-Wiping 'AcidPour' Malware Targeting Linux x86 Devices (source)
- Akira Ransomware Gang Extorts $42 Million; Now Targets Linux Servers (source)
- Researchers sinkhole PlugX malware server with 2.5 million unique IPs (source)