December 7, 2023 at 09:31AM
Security experts found a previously undetected malware named Krasue, targeting Linux systems in Thai telecoms since 2021. Krasue includes seven rootkit variants, based on open-source code, to remain undetected and ensure persistent access, possibly through botnets. Its origin is unknown, but it shares similarities with XorDdos malware. Group-IB provided detection tools.
Meeting Takeaways:
1. **Discovery of Krasue Malware:**
– A new remote access trojan named Krasue has been identified, specifically targeting Linux systems within telecommunications companies. It has been active and undetected since 2021.
2. **Malware Characteristics:**
– Krasue contains seven different rootkit variants, compatible with multiple Linux kernel versions (2.6x/3.10.x).
– It is derived from code of three open-source projects: Diamorphine, Suterusu, and Rooty.
– Its primary goal is to maintain access to infected hosts, possibly indicating deployment via a botnet or sale by initial access brokers.
3. **Functionality:**
– The malware maintains persistence on a host to ensure consistent access.
– Krasue can hide/unhide ports, make processes invisible, grant root privilege, and execute kill commands. It also hides its own files and directories.
4. **Command and Control (C2) Communication:**
– Communication with C2 servers includes commands like ping (for status), master (setting C2), info (gathering malware status), restart/respawn (process management), and god die (self-termination).
– Nine C2 IP addresses are hardcoded, with one using an RTSP connection port (554).
5. **Unique Aspects:**
– The use of RTSP, typically for streaming media servers, is unusual for C2 malware communication.
– Rootkit disguises itself as an unsigned VMware driver, allowing it to operate on the kernel level and evade detection.
6. **Geographical Focus:**
– So far, Krasue targets telecommunications companies in Thailand specifically.
7. **Threat Actor Profile:**
– The identity of the threat actor(s) behind Krasue remains unknown.
– Overlaps with the rootkit of another malware, XorDdos, may suggest common authorship or access to shared code.
8. **Countermeasures:**
– Group-IB has released indicators of compromise and YARA rules to detect Krasue.
– The cybersecurity community is encouraged to share further information to enhance understanding and defense against this threat.
Overall, defenses should be updated with the provided indicators of compromise to detect and mitigate the Krasue threat, and further research into its origin, distribution methods, and potential relations to other malware is needed.