The Hacker News (THN:D2C3A2F2D9C4157B6169DDE073C95BC6)
Dec 07, 2023 - 6:15 a.m.

New Stealthy 'Krasue' Linux Trojan Targeting Telecom Firms in Thailand

2023-12-07 06:15:00
The Hacker News
thehackernews.com
krasue trojan
telecom firms
thailand
nocturnal spirit
rootkit
botnet
cybercriminals
rtsp messages
xorddos
group-ib
investigating incidents

A previously unknown Linux remote access trojan called Krasue has been observed targeting telecom companies in Thailand, with threat actors using it to maintain covert access to victim networks since at least 2021.

Named after a nocturnal female spirit of Southeast Asian folklore, the malware is “able to conceal its own presence during the initialization phase,” Group-IB said in a report shared with The Hacker News.

The exact initial access vector used to deploy Krasue is currently not known, although it’s suspected that it could be via vulnerability exploitation, credential brute-force attacks, or downloaded as part of a bogus software package or binary.

The malware’s core functionalities are realized through a rootkit that masquerades as an unsigned VMware driver and allows it to maintain persistence on the host without attracting any attention. The rootkit is derived from open-source projects such as Diamorphine, Suterusu, and Rooty.

This has raised the possibility that Krasue is either deployed as part of a botnet or sold by initial access brokers to other cybercriminals, such as ransomware affiliates, who are looking to obtain access to a specific target.

“The rootkit can hook the kill() syscall, network-related functions, and file listing operations in order to hide its activities and evade detection,” Group-IB malware analyst Sharmine Low said.

“Notably, Krasue uses RTSP (Real Time Streaming Protocol) messages to serve as a disguised ‘alive ping,’ a tactic rarely seen in the wild.”

The trojan’s command-and-control (C2) communications further allow it to designate a communicating IP as its master upstream C2 server, get information about the malware, and even terminate itself.
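A defender can test for the rootkit traits described above (an unsigned kernel module posing as a VMware driver that hides itself) with a cross-view check of `/proc/modules` against `/sys/module`. The following is an added example, not code from Group-IB or The Hacker News. It assumes Diamorphine-style hiding that unlinks the module from the kernel's module list but leaves its sysfs entry, and the VMware name prefixes are a heuristic chosen for this example, not Krasue's actual module name.

```python
import re
from pathlib import Path

# Heuristic prefixes of VMware driver names (assumption made for this example).
VMWARE_LIKE = re.compile(r"^(vmw|vmx|vmmon|vmnet|vmware)", re.I)

def listed_modules(root):
    """Module names the kernel reports in <root>/proc/modules."""
    text = (Path(root) / "proc/modules").read_text()
    return {line.split()[0] for line in text.splitlines() if line.strip()}

def sysfs_loadable(root):
    """Loadable modules under <root>/sys/module; built-ins have no initstate file."""
    base = Path(root) / "sys/module"
    return {d.name for d in base.iterdir() if (d / "initstate").is_file()}

def taint_flags(root, name):
    """Per-module taint flags, e.g. 'OE' (O = out-of-tree, E = unsigned)."""
    p = Path(root) / "sys/module" / name / "taint"
    return p.read_text().strip() if p.is_file() else ""

def audit(root="/"):
    """Return (module, reason) findings, sorted by module name."""
    listed, findings = listed_modules(root), []
    for name in sorted(sysfs_loadable(root)):
        # A loadable module visible in sysfs but missing from the module list
        # was unlinked after loading, which legitimate drivers do not do.
        if name not in listed:
            findings.append((name, "hidden: in sysfs but not in /proc/modules"))
        # A genuine in-tree VMware guest driver is signed by the distribution.
        if VMWARE_LIKE.match(name) and "E" in taint_flags(root, name):
            findings.append((name, "unsigned module with VMware-like name"))
    return findings

if __name__ == "__main__":
    for name, reason in audit():
        print(f"{name}: {reason}")
```

A rootkit that also removes its sysfs entry will not show up in the first check, and the out-of-tree `vmmon`/`vmnet` modules of a real VMware Workstation install can trip the second, so treat findings as leads to verify from trusted media or a memory image.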

Krasue also shares several source code similarities with another Linux malware named XorDdos, indicating that it has been developed by the same author as the latter, or by actors who had access to its source code.

Group-IB told The Hacker News that it has so far identified one confirmed case, and that it’s investigating three other potential incidents in which the malware has been used. But it’s suspected that the number of companies targeted could be higher.

“The information available is not enough to put forward a conclusive attribution as to the creator of Krasue, or the groups that are leveraging it in the wild, but the fact that these malicious programs are able to remain under the radar for extended periods makes it clear that continuous vigilance and better security measures are necessary,” Low said.
