New Stealthy ‘Krasue’ Linux Trojan Targeting Telecom Firms in Thailand

December 7, 2023 at 01:54AM

A new Linux trojan named Krasue, discovered targeting Thai telecoms since 2021, offers attackers persistent network access. Utilizing rootkits and evading detection with innovative tactics, its origins and deployment methods remain unclear. Similarities with XorDdos malware suggest a possible common creator. Security analysts stress the need for ongoing vigilance.

Key Takeaways from Meeting:

1. **Malware Discovery**: A new Linux remote access trojan (RAT) named Krasue has been detected, targeting telecommunications companies in Thailand since at least 2021.

2. **Malware Name Origin**: Krasue is named after a nocturnal female spirit from Southeast Asian folklore, reflecting its capability to remain hidden.

3. **Concealment Tactics**: The malware can conceal its presence during the initialization phase and includes a rootkit derived from open-source projects such as Diamorphine, Suterusu, and Rooty to maintain persistence and evade detection.

4. **Unknown Infection Methods**: The initial access vector used to deploy Krasue is not yet known but may include vulnerability exploitation, credential brute-force attacks, or downloading malicious software packages or binaries. The scale of the campaign is not specified in the notes provided.

5. **Rootkit Functionality**: Krasue’s rootkit can hook the `kill()` system call, network-related functions, and file listing operations to hide its activities.

6. **Unique Communication Tactics**: The malware uses RTSP messages as an 'alive ping' to avoid detection, a method rarely observed.

7. **Command-and-Control Server**: Krasue’s C2 communications can designate a communicating IP as the master upstream C2 server, extract malware information, and allow self-termination of the malware.

8. **Relation to XorDdos**: There are several source code similarities between Krasue and another Linux malware called XorDdos, suggesting a possible common authorship or access to XorDdos’s source code.

9. **Attribution and Impact**: While conclusive attribution for Krasue’s creation or its specific users is not available, its undetected presence indicates the need for continuous vigilance and improved security measures in cyberspace.

Please note that the action items or specific directives to address the situation were not specified in the meeting notes provided.
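Item 5 describes a rootkit that hooks file listing operations to hide its presence. A standard defender's check against that class of hiding is a cross-view comparison: enumerate processes through the hookable `/proc` directory listing, enumerate them again by probing every PID with `kill(pid, 0)`, and flag PIDs that answer the probe but are missing from the listing. The script below is an added example written for this summary; it is not code from the article, from the malware, or from any named rootkit project, and it assumes standard Linux `/proc` semantics (a thread ID also answers `kill(tid, 0)`, so `/proc/<id>/status` is read by direct path and its `Tgid` line is used to exclude threads, which would otherwise be false positives). The sample PID sets at the top are constructed.

```python
import os

# Constructed sample data (not from the article): PIDs seen in a /proc listing,
# PIDs that answered a signal-0 probe, and the Tgid each probed ID reports.
# 4001 is a thread of 4000 (not hidden); 4242 is a hidden thread-group leader;
# 4300 answers the probe but its status file is unreadable (still suspicious).
LISTED_SAMPLE = {1, 2, 100, 512, 4000}
PROBED_SAMPLE = {1, 2, 100, 512, 4000, 4001, 4242, 4300}
SAMPLE_TGID = {1: 1, 2: 2, 100: 100, 512: 512, 4000: 4000, 4001: 4000, 4242: 4242}


def hidden_pids(listed, probed, tgid_of):
    """Return PIDs present in the probe view but absent from the listing view.

    tgid_of(pid) returns the thread-group ID for pid, or None if unknown.
    IDs whose Tgid differs from the ID itself are threads, not hidden
    processes, and are dropped; unknown IDs are kept as suspicious.
    """
    suspects = []
    for pid in sorted(set(probed) - set(listed)):
        tgid = tgid_of(pid)
        if tgid is None or tgid == pid:
            suspects.append(pid)
    return suspects


def proc_tgid(pid, proc="/proc"):
    """Read Tgid from /proc/<pid>/status by direct path.

    A listing hook can drop the entry from readdir() results while the path
    itself still opens; None means the file could not be read at all.
    """
    try:
        with open(f"{proc}/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        return None
    return None


def pids_from_listing(proc="/proc"):
    """View 1: numeric entries returned by the (hookable) directory listing."""
    return {int(e) for e in os.listdir(proc) if e.isdigit()}


def pids_from_probe(pid_max):
    """View 2: probe every PID with signal 0, which delivers nothing.

    ProcessLookupError (ESRCH) means no such ID; PermissionError (EPERM)
    means the ID exists but belongs to another user, so it counts as alive.
    """
    alive = set()
    for pid in range(1, pid_max + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive


def scan_live(proc="/proc"):
    """Run the cross-view check against the running system (Linux only)."""
    with open(f"{proc}/sys/kernel/pid_max") as fh:
        pid_max = int(fh.read())
    return hidden_pids(pids_from_listing(proc), pids_from_probe(pid_max),
                       lambda pid: proc_tgid(pid, proc))


if __name__ == "__main__":
    print("sample suspects:", hidden_pids(LISTED_SAMPLE, PROBED_SAMPLE, SAMPLE_TGID.get))
    if os.path.isdir("/proc"):
        print("live suspects:", scan_live())
```

On a clean host `scan_live()` returns an empty list; any PID it reports should be examined directly via `/proc/<pid>/exe`, `/proc/<pid>/maps` and the kernel module list, since a positive result from one cross-view is a lead, not a verdict. The check detects listing-level hiding only; a rootkit that also intercepts the probe path would need a different view (for example, comparison against kernel task structures from a trusted image).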
