New Stealthy ‘Krasue’ Linux Trojan Targeting Telecom Firms in Thailand

5 months ago AndyC

Dec 07, 2023The Hacker NewsMalware / Security Breach

A previously unknown Linux remote access trojan called Krasue has been observed targeting telecom companies in Thailand by threat actors to main covert access to victim networks at lease since 2

New Stealthy 'Krasue' Linux Trojan Targeting Telecom Firms in Thailand

Dec 07, 2023The Hacker NewsMalware / Security Breach

New Stealthy 'Krasue' Linux Trojan Targeting Telecom Firms in Thailand

A previously unknown Linux remote access trojan called Krasue has been observed targeting telecom companies in Thailand by threat actors to main covert access to victim networks at lease since 2021.

Named after a nocturnal female spirit of Southeast Asian folklore, the malware is “able to conceal its own presence during the initialization phase,” Group-IB said in a report shared with The Hacker News.

The exact initial access vector used to deploy Krasue is currently not known, although it’s suspected that it could be via vulnerability exploitation, credential brute-force attacks, or downloaded as part of a bogus software package or binary. The scale of the campaign is

The malware’s core functionalities are realized through a rootkit that allows it to maintain persistence on the host without attracting any attention. The rootkit is derived from open-source projects such as Diamorphine, Suterusu, and Rooty.

UPCOMING WEBINAR

Cracking the Code: Learn How Cyber Attackers Exploit Human Psychology

Ever wondered why social engineering is so effective? Dive deep into the psychology of cyber attackers in our upcoming webinar.

Join Now

This has raised the possibility that Krasue is either deployed as part of a botnet or sold by initial access brokers to other cybercriminals, such as ransomware affiliates, who are looking to obtain access to a specific target.

“The rootkit can hook the `kill()` syscall, network-related functions, and file listing operations in order to hide its activities and evade detection,” Group-IB malware analyst Sharmine Low said.

“Notably, Krasue uses RTSP (Real Time Streaming Protocol) messages to serve as a disguised ‘alive ping,’ a tactic rarely seen in the wild.”

The trojan’s command-and-control (C2) communications further allow it to designate a communicating IP as its master upstream C2 server, get information about the malware, and even terminate itself.

Cybersecurity

Krasue also shares several source code similarities with another Linux malware named XorDdos, indicating that it has been developed by the same author as the latter, or by actors who had access to its source code.

“The information available is not enough to put forward a conclusive attribution as to the creator of Krasue, or the groups that are leveraging it in the wild, but the fact that these malicious programs are able to remain under the radar for extended periods makes it clear that continuous vigilance and better security measures are necessary,” Low said.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts

Tags: , , , , , , , , ,

More Stories

MITRE Unveils EMB3D: A Threat-Modeling Framework for Embedded Devices

MITRE Unveils EMB3D: A Threat-Modeling Framework for Embedded Devices

6 hours ago AndyC
The 2024 Browser Security Report Uncovers How Every Web Session Could be a Security Minefield

The 2024 Browser Security Report Uncovers How Every Web Session Could be a Security Minefield

12 hours ago AndyC
SHQ Response Platform and Risk Centre to Enable Management and Analysts Alike

SHQ Response Platform and Risk Centre to Enable Management and Analysts Alike

12 hours ago AndyC
Severe Vulnerabilities in Cinterion Cellular Modems Pose Risks to Various Industries

Severe Vulnerabilities in Cinterion Cellular Modems Pose Risks to Various Industries

12 hours ago AndyC
Black Basta Ransomware Strikes 500+ Entities Across North America, Europe, and Australia

Black Basta Ransomware Strikes 500+ Entities Across North America, Europe, and Australia

12 hours ago AndyC
Malicious Python Package Hides Sliver C2 Framework in Fake Requests Library Logo

Malicious Python Package Hides Sliver C2 Framework in Fake Requests Library Logo

18 hours ago AndyC

You may have missed

AI expert Dr. Craig Martell named CTO at Cohesity

AI expert Dr. Craig Martell named CTO at Cohesity

12 mins ago AndyC
Threat actors may have exploited a zero-day in older iPhones, Apple warns

Threat actors may have exploited a zero-day in older iPhones, Apple warns

17 mins ago AndyC
The Most Powerful Women Of The Channel 2024: Power 100

The Most Powerful Women Of The Channel 2024: Power 100

22 mins ago AndyC
10 Hot AI Cybersecurity Tools At RSAC 2024

10 Hot AI Cybersecurity Tools At RSAC 2024

22 mins ago AndyC
Sumit Dhawan, CEO, Proofpoint on NightDragon: Live From RSA Conference

Sumit Dhawan, CEO, Proofpoint on NightDragon: Live From RSA Conference

22 mins ago AndyC

Subscribe To InfoSec Today News

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

World Wide Crypto will use the information you provide on this form to be in touch with you and to provide updates and marketing.