Stealthy Linux rootkit found in the wild after going undetected for 2 years

'Stealthy and multifunctional Linux malware that has been infecting telecommunications companies went largely unnoticed for two years until being documented for the first time by researchers on Thursday. Researchers from security firm Group-IB have named the remote access trojan "Krasue," after a nocturnal spirit depicted in Southeast Asian folklore "floating in mid-air, with no torso, just her intestines hanging from below her chin." The researchers chose the name because evidence to date shows it almost exclusively targets victims in Thailand and "poses a severe risk to critical systems and sensitive data given that it is able to grant attackers remote access to the targeted network."

According to the researchers:

- Krasue is a Linux Remote Access Trojan that has been active since 20 and predominantly targets organizations in Thailand.
- Group-IB can confirm that telecommunications companies were targeted by Krasue.
- The malware contains several embedded rootkits to support different Linux kernel versions.
- Krasue's rootkit is drawn from public sources (3 open-source Linux Kernel Module rootkits), as is the case with many Linux rootkits.
- The rootkit can hook the `kill()` syscall, network-related functions, and file listing operations in order to hide its activities and evade detection.
- Notably, Krasue uses RTSP (Real-Time Streaming Protocol) messages to serve as a disguised "alive ping," a tactic rarely seen in the wild.
- This Linux malware, Group-IB researchers presume, is deployed during the later stages of an attack chain in order to maintain access to a victim host.
- Krasue is likely to either be deployed as part of a botnet or sold by initial access brokers to other cybercriminals.
- Group-IB researchers believe that Krasue was created by the same author as the XorDdos Linux Trojan, documented by Microsoft in a March 2022 blog post, or someone who had access to the latter's source code.'
-- source: https://arstechnica.com/security/2023/12/stealthy-linux-rootkit-found-in-the...

Cheers, Peter
--
Peter Reutemann
Dept. of Computer Science
University of Waikato, Hamilton, NZ
Mobile +64 22 190 2375
https://www.cs.waikato.ac.nz/~fracpete/
http://www.data-mining.co.nz/
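The article notes that the rootkit hooks file listing operations and the kill() syscall to hide itself. A generic check for that class of hiding, added here as an example that is not from the article, from Group-IB, or from the Krasue sample, is to compare what a readdir of /proc reports against what direct per-PID probes report: an LKM rootkit that filters getdents/getdents64 results removes its process from the listing, but a direct stat() of /proc/<pid> or a kill(pid, 0) does not go through directory enumeration. Because a rootkit that also hooks kill() (as the article says this one does) can lie to the signal-0 probe, the script uses two independent probes and only reports a PID absent from every listing snapshot yet answered by a probe. It assumes a Linux /proc; the PID values in the test data are constructed.

```python
"""Generic hidden-process check: readdir(/proc) vs. direct per-PID probes.

Added example (not from the article or Group-IB). Assumes a Linux procfs.
"""
import os

PROC_ROOT = "/proc"


def visible_pids(proc_root=PROC_ROOT):
    """PIDs the kernel shows via directory listing (the getdents path).

    A rootkit hooking file-listing operations filters its own entries
    out of exactly this list, so it is the baseline we compare against.
    """
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def pid_probe(pid, proc_root=PROC_ROOT):
    """Return True if `pid` exists according to probes that bypass readdir.

    Two independent probes are combined so that one hooked syscall cannot
    answer for both: kill(pid, 0) (signal 0 only tests existence) and a
    direct stat() of /proc/<pid>, which never enumerates the directory.
    """
    alive_by_kill = False
    try:
        os.kill(pid, 0)
        alive_by_kill = True
    except ProcessLookupError:
        pass
    except PermissionError:
        # The process exists but belongs to another user.
        alive_by_kill = True

    alive_by_stat = os.path.exists(os.path.join(proc_root, str(pid)))
    return alive_by_kill or alive_by_stat


def find_hidden_pids(listings, exists, max_pid):
    """PIDs that answer a direct probe but appear in none of `listings`.

    `listings` is a sequence of readdir snapshots taken around the probe
    pass; requiring absence from every snapshot filters out processes that
    merely started or exited mid-scan. `exists` is the probe callable, a
    parameter so the comparison can be exercised on constructed data.
    """
    seen = set().union(*listings)
    return sorted(pid for pid in range(1, max_pid + 1)
                  if pid not in seen and exists(pid))


def read_pid_max(path="/proc/sys/kernel/pid_max", default=32768):
    """Upper bound for the brute-force range; falls back to the old default."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return default


if __name__ == "__main__":
    before = visible_pids()
    max_pid = read_pid_max()
    # Probe every PID, then take a second listing to discount start/exit races.
    candidates = find_hidden_pids([before], pid_probe, max_pid)
    after = visible_pids()
    hidden = [pid for pid in candidates if pid not in after]
    if hidden:
        print("PIDs present but not listed in /proc:", hidden)
    else:
        print("no hidden PIDs found")
```

Run it as root so that PermissionError does not mask anything, and treat a hit as a lead, not a verdict: a rootkit that hooks kill(), open() and stat() consistently can defeat all user-space probes, at which point memory or disk forensics from a trusted environment is the next step.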