Attackers likely tied to the creators of the XorDdos Linux remote access Trojan (RAT) have been wielding a separate Linux RAT for nearly two years without detection, using it to target organizations in Thailand and maintain malicious access to infected systems.
The RAT, dubbed Krasue — named for a nocturnal native spirit in Southeast Asian folklore — uses a combination of stealthy techniques to fly under the radar, including the use of a rootkit that embeds seven compiled versions within it to support various versions of the Linux kernel, researchers from Group-IB reported in a blog post published Dec. 7.
The primary functionality of the RAT — which appeared on VirusTotal in 2021 but has never been publicly reported — is to maintain access to the host. This means it's likely that the RAT is "either deployed as part of a botnet or sold by initial access brokers to other cybercriminals who are looking to acquire access to a particular target," Sharmine Low, malware analyst, threat intelligence team for Group-IB, wrote in the post.
Krasue was likely created by the same author as the XorDdos Linux Trojan, or at least had access to the same source code, the researchers said. Microsoft discovered XorDdos, which has been used widely in attacks against cloud and IoT deployments, in 2014.
One aspect of the RAT that the researchers said is unique is the use of real-time streaming protocol (RTSP) messages to serve as a disguised "alive ping," a tactic that is rarely seen in the wild. RTSP is typically used to control the delivery of real-time media streams over IP networks, such as in video streaming and video-surveillance systems.
The method of gaining initial access to systems infected by Krasue is unclear, though likely pathways include vulnerability exploitation or credential brute-force attacks. Another, albeit less likely, option for initial access could be that the RAT is downloaded as part of a deceptive package or binary — such as a fake product update — from a malicious third-party source, the researchers added.
While Group-IB observed the RAT being used mainly to target the telecom sector, the researchers believe that organizations in other verticals also were likely targets. It's also likely that Krasue was deployed later in the attack chain once a cybercriminal already has intruded on a targeted network.
Keeping a Low Profile via Linux Rootkit
Given its combination of stealthy characteristics, it's no surprise that Krasue RAT has lurked undetected for two years, the researchers said. Some of these techniques lie in the use and functionality of the Krasue rootkit, which is a Linux Kernel Module (LKM), or an object file that can be dynamically loaded into the kernel at runtime.
On an infected system, the rootkit masquerades as a VMware driver without a valid digital signature. Because of its nature as an LKM, the rootkit, which targets Linux kernel versions 2.6x/3.10.x, extends the functionality of the kernel without having to recompile or modify the entire kernel source code. Moreover, during the initialization phase, the rootkit conceals its own presence, then proceeds to hook the "kill()" syscall, network-related functions, and file-listing operations, thereby obscuring its activities.
Another reason Krasue has managed to evade detection is that it uses UPX packing. Packed malware samples typically are more difficult to detect by security solutions, and older Linux servers often have poor endpoint detection and response (EDR) coverage anyway, the researchers said.
The RAT also enhances its evasion capabilities by daemonizing itself, running as a background process, and disregarding SIGINT signals, the last of which means that the malware remains unaffected by interruption signals sent when the user terminates the process by pressing Ctrl-C.
Krasue also has features to obscure its communications with the command-and-control (C2) network, among them the use of nine hardcoded IP addresses for its master C2 and its aforementioned use of RTSP for communication, which is rare among cybercriminals, Low said.
"Krasue will always attempt to connect to the internal addresses initially," she explained in the post. "Only after multiple non-replies and trying to connect to server after server, it will attempt to connect 128[.]199[.]226[.]11 at port 554, which is a port commonly used for RTSP. This is notable because while malware developers typically make a concerted effort to disguise network traffic, using RTSP for this purpose is highly uncommon."
Security Recommendations for Linux RATs
Group-IB made a number of recommendations to help security professionals detect a potential Krasue RAT infection. One is to be on the lookout for anomalous RTSP traffic, which could indicate the presence of the malware on a system.
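The C2 behaviour Low describes (unanswered attempts to internal addresses on port 554, then a session to an external address) and the recommendation to watch for anomalous RTSP traffic can be turned into a simple detection rule. The following is an added example, not Group-IB's code or anything from the Krasue sample: it scans connection records in an assumed, simplified flow-log shape (timestamp, source host, destination IP, destination port, outcome), treats RFC 1918 ranges as "internal", and flags any host outside an allow-list of known RTSP users (cameras, NVRs, media servers) that reaches TCP/554. A host whose external RTSP connection follows several unanswered internal attempts is rated higher. The hostnames, the allow-list and all flows except the C2 address named in the article are constructed.

```python
"""Detection logic for the RTSP 'alive ping' pattern described in the article.

Added example, not Group-IB's code. Flow records are an assumed simplified
format: (epoch_seconds, src_host, dst_ip, dst_port, outcome).
"""
import ipaddress
from collections import defaultdict

RTSP_PORT = 554

# "Internal" here means RFC 1918 space; adjust to the network being monitored.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed allow-list: hosts expected to speak RTSP in this fictional network.
ALLOWED_RTSP_HOSTS = {"cctv-nvr-02"}

# Constructed sample flows. 128.199.226.11 is the C2 address quoted in the
# article; every other value is made up for the example.
SAMPLE_FLOWS = [
    (1000, "telecom-srv-01", "10.0.0.5", 554, "no_reply"),
    (1005, "telecom-srv-01", "10.0.0.6", 554, "no_reply"),
    (1010, "telecom-srv-01", "10.0.0.7", 554, "no_reply"),
    (1015, "telecom-srv-01", "128.199.226.11", 554, "established"),
    (1020, "cctv-nvr-02", "10.0.8.9", 554, "established"),      # legitimate camera traffic
    (1030, "telecom-srv-01", "10.0.0.8", 443, "established"),   # unrelated HTTPS
    (1040, "web-01", "203.0.113.7", 554, "established"),        # RTSP from an unexpected host
]


def is_internal(ip):
    """True if the address falls inside one of INTERNAL_NETS."""
    return any(ip in net for net in INTERNAL_NETS)


def analyse_rtsp(flows, allowed=ALLOWED_RTSP_HOSTS, min_failed_internal=2):
    """Return one finding per non-allow-listed host that touched port 554."""
    per_host = defaultdict(lambda: {"failed_internal": 0, "external": []})
    for ts, src, dst, port, outcome in flows:
        if port != RTSP_PORT or src in allowed:
            continue
        ip = ipaddress.ip_address(dst)
        if is_internal(ip):
            if outcome == "no_reply":
                per_host[src]["failed_internal"] += 1
        else:
            per_host[src]["external"].append((ts, dst, outcome))

    findings = []
    for host, stats in sorted(per_host.items()):
        probing = stats["failed_internal"] >= min_failed_internal
        if not stats["external"] and not probing:
            continue
        # Internal probing followed by an external RTSP session is the exact
        # sequence the article quotes; either half alone still merits a look.
        severity = "high" if (stats["external"] and probing) else "medium"
        findings.append({
            "host": host,
            "severity": severity,
            "failed_internal_rtsp": stats["failed_internal"],
            "external_rtsp": [dst for _, dst, _ in stats["external"]],
        })
    return findings


if __name__ == "__main__":
    for finding in analyse_rtsp(SAMPLE_FLOWS):
        print(finding)
```

Tune the allow-list and `min_failed_internal` to the environment: a telecom or server segment with no video equipment should see essentially no port-554 traffic at all, so even the "medium" findings are worth a ticket there.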
The researchers also recommended that organizations download software and packages only from trusted and official sources, using reputable repositories provided by their Linux distribution or verified third-party sources with a strong reputation for security.
Administrators also should enable kernel module signature verification by configuring the Linux kernel to only load signed modules. "This ensures that only modules with a valid digital signature from a trusted source can be loaded," Low wrote.
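Because the Krasue rootkit is an unsigned LKM posing as a VMware driver, and because it hides itself from listings once loaded, the most durable evidence on a host is what the kernel recorded at load time rather than what `lsmod` shows afterwards. The following added example (not Group-IB's code) checks three things a Linux host exposes: the `/proc/sys/kernel/tainted` bitmask, the `/sys/module/module/parameters/sig_enforce` switch, and `modinfo` output for loaded modules, which carries `signer:` and `sig_key:` lines only for signed modules. It reads constructed sample text so it runs offline; the module names, paths and key fingerprint in the samples are made up and are not indicators from the article.

```python
"""Kernel-module signing posture checks.

Added example, not Group-IB's code. Sample inputs are constructed stand-ins
for /proc/sys/kernel/tainted, /sys/module/module/parameters/sig_enforce and
`modinfo <name>` output.
"""
import re

# Module-related kernel taint flags: letter -> (bit, meaning).
# See Documentation/admin-guide/tainted-kernels.rst in the kernel tree.
TAINT_FLAGS = {
    "P": (0, "proprietary module loaded"),
    "F": (1, "module was force-loaded"),
    "R": (3, "module was force-unloaded"),
    "O": (12, "out-of-tree module loaded"),
    "E": (13, "unsigned module loaded into a signature-capable kernel"),
}

SAMPLE_TAINTED = "12288\n"    # constructed: 8192 (E) + 4096 (O)
SAMPLE_SIG_ENFORCE = "N\n"    # constructed: enforcement disabled

# Constructed modinfo output for two modules. Only the first is signed.
SAMPLE_MODINFO = {
    "vmw_balloon": (
        "filename:       /lib/modules/EXAMPLE/kernel/drivers/misc/vmw_balloon.ko\n"
        "description:    VMware Balloon driver\n"
        "license:        GPL\n"
        "signer:         EXAMPLE distribution module signing key\n"
        "sig_key:        00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF\n"
        "sig_hashalgo:   sha256\n"
    ),
    # Made-up name standing in for a module that claims to be a VMware driver.
    "vmw_helper_x": (
        "filename:       /lib/modules/EXAMPLE/extra/vmw_helper_x.ko\n"
        "description:    VMware helper\n"
        "license:        GPL\n"
    ),
}


def decode_taint(text):
    """Return the set of module-related taint letters present in the bitmask."""
    value = int(text.strip() or "0")
    return {letter for letter, (bit, _) in TAINT_FLAGS.items() if value & (1 << bit)}


def sig_enforce_enabled(text):
    """True if the kernel refuses unsigned modules (module.sig_enforce=1 or CONFIG_MODULE_SIG_FORCE)."""
    return text.strip().upper() == "Y"


def unsigned_modules(modinfo_by_name):
    """Names whose modinfo output has neither a signer: nor a sig_key: field."""
    field = re.compile(r"^(signer|sig_key):", re.MULTILINE)
    return sorted(name for name, out in modinfo_by_name.items() if not field.search(out))


def assess(tainted_text, sig_enforce_text, modinfo_by_name):
    """Combine the three inputs into a list of human-readable findings."""
    findings = []
    if not sig_enforce_enabled(sig_enforce_text):
        findings.append("module signature enforcement is off; unsigned LKMs can be loaded")
    for letter in sorted(decode_taint(tainted_text)):
        findings.append(f"kernel taint flag {letter}: {TAINT_FLAGS[letter][1]}")
    for name in unsigned_modules(modinfo_by_name):
        findings.append(f"loaded module {name!r} carries no signature")
    return findings


if __name__ == "__main__":
    for line in assess(SAMPLE_TAINTED, SAMPLE_SIG_ENFORCE, SAMPLE_MODINFO):
        print(line)
```

On a real host, feed `assess()` the contents of the two sysfs/procfs files and the output of `modinfo` for each name listed in `/proc/modules`. The taint check is the one to trust most: a rootkit that hooks file-listing operations can hide its `.ko` and its `/proc/modules` entry, but the `E` bit is set by the kernel when the unsigned module loads and stays set until reboot. Booting with `module.sig_enforce=1` (or a kernel built with `CONFIG_MODULE_SIG_FORCE`) is what turns the "N" above into a "Y".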
Other security steps administrators can take to avoid compromise are to monitor system and network logs — regularly reviewing them for any suspicious activities — and to conduct periodic security audits.