New Krasue Linux RAT Targets Telecom Companies in Thailand

Cyber Security Threat Summary:
Group-IB researchers discovered a previously undetected Linux remote access trojan called Krasue being used in attacks against telecom companies in Thailand. The Krasue Remote Access Trojan (RAT) has been active since at least 2021, according to samples uploaded to VirusTotal. The name “Krasue” comes from the Thai name of a nocturnal native spirit known throughout Southeast Asian folklore.

The experts have yet to determine the initial infection vector and the scale of the campaign, but it is likely that the group is exploiting public-facing applications and systems, conducting credential brute forcing, or tricking victims into downloading packages or binaries masquerading as product updates.

Security Officer Comments:
The malware comes equipped with seven embedded rootkits, each built for a different Linux kernel version. Krasue’s rootkit is based on three open-source LKM rootkits: Diamorphine, Suterusu, and Rooty.

Krasue is used to maintain persistence and is likely deployed during the later stages of the attack chain. The experts believe the RAT is either deployed as part of a botnet or sold by initial access brokers.

“The rootkit can hook the kill() syscall, network-related functions, and file listing operations in order to hide its activities and evade detection,” reads the report published by Group-IB. “During the initialization phase, the rootkit conceals its own presence. It then proceeds to hook the kill() syscall, network-related functions and file listing operations, thereby obscuring its activities and evading detection.” Krasue relies on RTSP (Real Time Streaming Protocol) messages to serve as a disguised ‘alive ping.’ This tactic is uncommon in the threat landscape, which also makes it a useful hunting lead: RTSP traffic leaving a host that serves no media streams deserves a closer look.
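Hooking file listing operations is the classic Diamorphine-style way of hiding a process or module, and it leaves a detectable inconsistency: a hooked readdir can drop entries from a listing of /proc, but a direct stat() of /proc/<pid> still succeeds, and a module unlinked from the kernel’s module list disappears from /proc/modules while its /sys/module/<name> directory usually remains. The following cross-view check is an added example written for this page; it is not Group-IB’s tooling and is not derived from Krasue. It deliberately avoids probing with kill(), since that syscall is one of the hooked ones. The function names, the default PID ceiling and the fake data in the test are assumptions made here.

```python
"""Cross-view checks for LKM rootkits that filter directory listings.

Added example for this page (not Group-IB's code, not Krasue's).
Two views of the same kernel state are compared; a readdir/getdents hook
can only filter one of them.
"""
import os
from typing import Callable, Iterable, Set


def hidden_pids(listed: Callable[[], Set[int]],
                exists: Callable[[int], bool],
                max_pid: int) -> Set[int]:
    """Return PIDs that a direct probe finds but the /proc listing omits.

    listed  -- returns PIDs visible by enumerating /proc (filterable view)
    exists  -- probes one PID directly, e.g. stat(/proc/<pid>/status)
    A PID is reported only if it is absent from a listing taken both
    before and after the probe, which suppresses races with processes
    that start or exit in the middle of the scan.
    """
    before = listed()
    candidates = {pid for pid in range(1, max_pid + 1)
                  if pid not in before and exists(pid)}
    after = listed()
    return {pid for pid in candidates if pid not in after}


def hidden_modules(proc_modules: Iterable[str],
                   sys_modules: Iterable[str]) -> Set[str]:
    """Modules present under /sys/module but missing from /proc/modules."""
    return set(sys_modules) - set(proc_modules)


# ---- live-system adapters (Linux only; hypothetical helper names) ----

def proc_listed_pids() -> Set[int]:
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def proc_pid_exists(pid: int) -> bool:
    # stat() bypasses the readdir path; kill(pid, 0) is intentionally not
    # used because the rootkit described above hooks kill() as well.
    return os.path.exists(f"/proc/{pid}/status")


def proc_modules_names() -> Set[str]:
    with open("/proc/modules") as fh:
        return {line.split()[0] for line in fh if line.strip()}


def sys_module_names() -> Set[str]:
    # Built-in drivers also appear under /sys/module; only loadable
    # modules get an "initstate" file, so anything without one is skipped.
    return {name for name in os.listdir("/sys/module")
            if os.path.exists(f"/sys/module/{name}/initstate")}


def scan_live(max_pid: int = 65536):
    """Run both checks against the running host and return the findings.

    Pass int(open('/proc/sys/kernel/pid_max').read()) as max_pid for a
    full sweep; the default keeps the stat() loop short.
    """
    return {
        "hidden_pids": hidden_pids(proc_listed_pids, proc_pid_exists, max_pid),
        "hidden_modules": hidden_modules(proc_modules_names(),
                                         sys_module_names()),
    }


if __name__ == "__main__":
    print(scan_live())
```

An empty result does not prove a host is clean (a rootkit can hook stat() and sysfs too), but a non-empty one is hard to explain benignly and should be followed up with offline analysis of the disk image rather than further tooling on the live kernel.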

Group-IB notes several similarities between the Krasue rootkit and another piece of Linux malware called XorDDoS. The researchers speculate that Krasue was likely developed by the same author as XorDDoS. “While the primary components of the Krasue Remote Access Trojan differ from XorDdos, there are substantial and unique overlaps in the rootkit segment,” concludes the report.