Krasue RAT Uses Cross-Kernel Linux Rootkit to Attack Telecoms

Krasue RAT Uses Cross-Kernel Linux Rootkit to Attack Telecoms

December 7, 2023 at 12:52PM

Krasue, an undetected Linux RAT used for nearly two years to infiltrate Thai organizations, employs stealth through a rootkit supporting various Linux kernels, obscuring its presence and communications. Created by the XorDdos authors, it aims to maintain system access and likely spreads through vulnerability exploitation or credential brute-forcing. Group-IB suggests security measures including monitoring RTSP traffic, using trusted software sources, and enabling kernel module signature verification.

Key Takeaways from Group-IB’s Report on Krasue RAT:

1. **RAT Identification and Duration**:
– A Linux RAT called Krasue has been in use for nearly two years, undetected.
– It’s likely associated with the creators of the XorDdos Linux RAT.

2. **Function and Stealth**:
– Krasue’s primary role is to maintain access to compromised systems.
– It uses a rootkit with seven versions to support various Linux kernels.
– The infection methods remain unclear but could involve exploitation of vulnerabilities or credential brute-forcing.
– Krasue incorporates stealth features to avoid detection.

3. **Technical Mechanisms**:
– Disguises itself as a VMware driver, lacking a valid digital signature.
– Obscures its presence and operations in the infected systems.
– Employs live streaming protocol messages as a covert signal.
– Enhances evasion by daemonizing and ignoring interruption signals.

4. **Target and Distribution**:
– Primarily targeted the telecom sector in Thailand but other sectors could be affected.
– Distribution avenues may include third-party downloads like fake product updates.

5. **Evasion Techniques**:
– Uses UPX packing to avoid detection.
– Poor EDR coverage on older Linux servers aids in its evasion.
– Utilizes uncommon communication methods, including RTSP, with hardcoded IP addresses.

6. **Security Recommendations**:
– Alert for anomalous RTSP network traffic indicative of Krasue.
– Only download software from trusted, official sources.
– Enable kernel module signature verification to load only signed modules.
– Regularly monitor system and network logs.
– Conduct periodic security audits to detect potential threats.

In summary, Krasue is a sophisticated Linux RAT associated with XorDdos, capable of maintaining persistent access while remaining undetected for an extended period. It leverages various technical and stealth tactics to elude security measures and primarily targets the telecom sector. Group-IB suggests vigilant security hygiene with specific attention to RTSP traffic, software sources, system logs, and regular security check-ups to mitigate the threat.

Full Article