Group-IB researchers released an analysis of a stealthy Linux remote access trojan (RAT) dubbed "Krasue." The malware went undetected for nearly two years and has been consistently used in targeting telecommunication organizations in Thailand.
Krasue operates as a Linux Kernel Module (LKM), an object file that can be dynamically loaded into the kernel at runtime, enabling the attacker to maintain access to the host in a stealthy manner. The security ramifications are significant, as Krasue may turn the compromised machine into a "zombie" for a botnet or serve as an access broker for further infection.
The main discoveries Group-IB shared include:
The method of gaining initial access is unclear but may involve vulnerability exploitation, credential brute-force attacks, or deceptive downloads.
Krasue's stealthiness is attributed to its rootkit functionality, UPX packing, and evasion of interruption signals.
The RAT communicates with a command-and-control network using nine hardcoded IP addresses.
A unique aspect of Krasue is its use of Real Time Streaming Protocol (RTSP) messages as a disguised "alive ping," a tactic rarely seen. However, this appears to be a fallback technique: it was reportedly observed that the connection to 128[.]199[.]226[.]11 over port 554 (RTSP) would occur only after the C2 callback to the hardcoded IP addresses had failed.
Besides generic yet important recommendations such as downloading software from trusted sources, enabling kernel module signature verification, and regularly reviewing system and network logs for suspicious activities, specific security recommendations for this threat include monitoring for anomalous RTSP traffic.
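As an added illustration of that last recommendation (example code written for this summary, not Group-IB's tooling), the following Python script scans constructed Zeek-style connection records for hosts that contact tcp/554 at regular intervals, the pattern a periodic RTSP "alive ping" would leave in flow logs. The log layout, the thresholds and all addresses are assumptions, not values from the report.

```python
"""Flag hosts that contact RTSP (tcp/554) at regular intervals.

Constructed Zeek-style conn records: ts uid src sport dst dport proto
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log (not from the report): 10.0.0.5 beacons to port 554
# about every 60 s; 10.0.0.8 has one RTSP session; 10.0.0.9 only uses HTTPS.
SAMPLE_CONN_LOG = """\
1700000000.000 C1 10.0.0.5 41000 203.0.113.7 554 tcp
1700000060.100 C2 10.0.0.5 41001 203.0.113.7 554 tcp
1700000120.050 C3 10.0.0.5 41002 203.0.113.7 554 tcp
1700000179.900 C4 10.0.0.5 41003 203.0.113.7 554 tcp
1700000240.000 C5 10.0.0.5 41004 203.0.113.7 554 tcp
1700000010.000 C6 10.0.0.8 50000 192.0.2.20 554 tcp
1700000015.000 C7 10.0.0.9 50001 198.51.100.1 443 tcp
"""
RTSP_PORT = 554
MIN_CONNECTIONS = 4      # enough samples to judge periodicity (assumed threshold)
MAX_JITTER_RATIO = 0.2   # stdev/mean of gaps at or below this counts as regular

def parse_conn_log(text):
    """Parse 'ts uid src sport dst dport proto' lines; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 7:
            continue
        try:
            records.append({"ts": float(f[0]), "src": f[2], "dst": f[4],
                            "dport": int(f[5]), "proto": f[6]})
        except ValueError:
            continue
    return records

def find_rtsp_beacons(records, min_conns=MIN_CONNECTIONS, max_jitter=MAX_JITTER_RATIO):
    """Return {(src, dst): mean_gap_seconds} for src->dst:554 flows with regular timing."""
    by_pair = defaultdict(list)
    for r in records:
        if r["proto"] == "tcp" and r["dport"] == RTSP_PORT:
            by_pair[(r["src"], r["dst"])].append(r["ts"])
    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_conns:      # a single real RTSP session is not a beacon
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[pair] = round(avg, 1)
    return beacons

if __name__ == "__main__":
    for (src, dst), gap in find_rtsp_beacons(parse_conn_log(SAMPLE_CONN_LOG)).items():
        print(f"possible RTSP beacon: {src} -> {dst}:{RTSP_PORT} every ~{gap}s")
```

Hosts that legitimately stream video (cameras, media servers) should be allow-listed before acting on a hit, since the script keys only on timing regularity.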