https://arstechnica.com/security/2023/12/stealthy-linux-rootkit-found-in-the-wild-after-going-undetected-for-2-years/

MORE FUN WITH ROOTKITS --

Stealthy Linux rootkit found in the wild after going undetected for 2 years

Krasue infects telecom firms in Thailand using techniques for staying under the radar.

Dan Goodin - Dec 8, 2023 8:54 pm UTC

Stealthy and multifunctional Linux malware that has been infecting telecommunications companies went largely unnoticed for two years until being documented for the first time by researchers on Thursday.

Researchers from security firm Group-IB have named the remote access trojan "Krasue," after a nocturnal spirit depicted in Southeast Asian folklore "floating in mid-air, with no torso, just her intestines hanging from below her chin." The researchers chose the name because evidence to date shows it almost exclusively targets victims in Thailand and "poses a severe risk to critical systems and sensitive data given that it is able to grant attackers remote access to the targeted network."

According to the researchers:

+ Krasue is a Linux Remote Access Trojan that has been active since 20 and predominantly targets organizations in Thailand.
+ Group-IB can confirm that telecommunications companies were targeted by Krasue.
+ The malware contains several embedded rootkits to support different Linux kernel versions.
+ Krasue's rootkit is drawn from public sources (3 open-source Linux Kernel Module rootkits), as is the case with many Linux rootkits.
+ The rootkit can hook the `kill()` syscall, network-related functions, and file listing operations in order to hide its activities and evade detection.
+ Notably, Krasue uses RTSP (Real-Time Streaming Protocol) messages to serve as a disguised "alive ping," a tactic rarely seen in the wild.
+ This Linux malware, Group-IB researchers presume, is deployed during the later stages of an attack chain in order to maintain access to a victim host.
+ Krasue is likely to either be deployed as part of a botnet or sold by initial access brokers to other cybercriminals.
+ Group-IB researchers believe that Krasue was created by the same author as the XorDdos Linux Trojan, documented by Microsoft in a March 2022 blog post, or someone who had access to the latter's source code.

During the initialization phase, the rootkit conceals its own presence. It then proceeds to hook the `kill()` syscall, network-related functions, and file listing operations, thereby obscuring its activities and evading detection.

The researchers have so far been unable to determine precisely how Krasue gets installed. Possible infection vectors include vulnerability exploitation, credential-stealing or -guessing attacks, or unwitting installation as a trojan stashed in an installation file or update masquerading as legitimate software.

The three open source rootkit packages incorporated into Krasue are:

* Diamorphine
* Suterusu
* Rooty

An image showing salient research points of Krasue. (Group-IB)

Rootkits are a type of malware that hides directories, files, processes, and other evidence of its presence from the operating system it's installed on. By hooking legitimate Linux processes, the malware is able to suspend them at select points and interject functions that conceal its presence.
Specifically, it hides files and directories beginning with the names "auwd" and "vmware_helper" from directory listings and hides ports 52695 and 52699, where communications to attacker-controlled servers occur. Intercepting the `kill()` syscall also allows the trojan to survive Linux commands attempting to abort the program and shut it down.

Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene.
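A defender-side cross-view check for the port hiding described above, written as an added example (it is not code from the article or from Group-IB): `/proc/net/tcp` is the view a rootkit's network hooks filter, while a `bind()` probe is a second view those hooks do not alter, so a port that is bound yet absent from the listing is a hidden listener. The `/proc/net/tcp` text is constructed sample data, and the probed ports are the two the article names.

```python
import errno
import socket

# Constructed sample of /proc/net/tcp (not captured from a real host): sshd on
# :22 and a service on :8080 in LISTEN state (st == 0A). Krasue hooks the
# kernel paths behind this view, so a hidden listener would simply be absent.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1 0000000000000000 100 0 0 10 0
"""

# The two ports the article says Krasue hides; probe these first on a live host.
KRASUE_PORTS = (52695, 52699)

def parse_listening_ports(proc_text):
    """Local ports in LISTEN state, as the (possibly hooked) /proc view reports them."""
    ports = set()
    for line in proc_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) > 3 and fields[3] == "0A":
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))  # hex port after ':'
    return ports

def port_is_bound(port, host="127.0.0.1"):
    """Independent second view: bind() fails with EADDRINUSE when any socket owns
    the port, whether or not /proc/net/tcp admits it (no SO_REUSEADDR on purpose)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
        except OSError as e:
            if e.errno == errno.EADDRINUSE:
                return True
            if e.errno == errno.EACCES:  # probing ports < 1024 needs root; treat as unknown
                return False
            raise
    return False

def find_hidden_ports(listed, candidates):
    """Ports bound on the host but missing from the listing: the signature of a hidden listener."""
    return sorted(p for p in candidates if p not in listed and port_is_bound(p))

def open_listener():
    """Demo helper: a real loopback listener on an ephemeral port, standing in for a hidden one."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s, s.getsockname()[1]
```

On a live host, feed the real file to `parse_listening_ports(open("/proc/net/tcp").read())` and pass the result with `KRASUE_PORTS` (or a wider port range) to `find_hidden_ports`; a non-empty result deserves a memory or offline-disk inspection, since the listing itself cannot be trusted.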