New Krasue Linux trojan malware targets Thai telecom firms

December 21, 2023

The newly discovered Krasue malware, a Linux remote access trojan that had gone unnoticed until now, has silently infiltrated various networks since at least 2021.

The hackers took the name Krasue from a nocturnal female spirit of Southeast Asian folklore, a fitting choice given the malware's elusive nature: it can conceal its presence during the initialisation phase of its attacks.

Currently, the initial access vector of Krasue remains unknown. Still, researchers suspect that the hackers' primary tactics include vulnerability exploitation, credential brute-force attacks, or deceptive deployment via fake software packages or binaries.

However, investigations confirmed one of the trojan's abilities: it uses a rootkit that disguises itself as an unsigned VMware driver. This feature allows the malware to establish persistence on the host without triggering any alarms.

Krasue is either malware sold to other hackers or operates within a botnet.

Various researchers are still weighing whether the Krasue malware operates within a botnet or is sold by brokers to other cybercriminals, including potential ransomware affiliates.

However, a researcher explains that this malware is a rootkit that can hook the ‘kill()’ syscall, network-related functions, and file listing operations to hide its activities and evade detection. In addition, the trojan uses Real Time Streaming Protocol (RTSP) messages disguised as ‘alive pings’ to conceal its command-and-control traffic, a tactic rarely seen in the threat landscape.
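A defender-side check for the file-listing hiding described above, as an added example that is not from the article or from any vendor report. It assumes a Linux host with procfs mounted at /proc and compares the PIDs a directory listing returns with PIDs that can still be reached by opening /proc/<pid>/stat directly; the probe limit is an assumption and can be raised towards pid_max.

```python
# Added example (not from the article): hunt for processes hidden from /proc listings.
# Rootkits that hook file-listing operations filter what readdir() returns, but a
# direct open() of /proc/<pid>/stat often still succeeds. os.kill(pid, 0) is NOT used
# as the probe because the kill() syscall is exactly what Krasue is said to hook.
import os

PROC = "/proc"          # assumption: a Linux host with procfs mounted here
PROBE_LIMIT = 65536     # assumption: how many PIDs to probe (raise towards pid_max if needed)

def listed_pids(proc_dir=PROC):
    """PIDs visible in a directory listing, i.e. the view a readdir hook can filter."""
    return {int(name) for name in os.listdir(proc_dir) if name.isdigit()}

def probed_pids(limit=PROBE_LIMIT, proc_dir=PROC):
    """PIDs reachable by opening /proc/<pid>/stat directly, bypassing readdir."""
    found = set()
    for pid in range(1, limit + 1):
        try:
            with open(os.path.join(proc_dir, str(pid), "stat"), "rb") as f:
                f.read(1)
            found.add(pid)
        except OSError:
            pass  # no such process, or it vanished / is unreadable
    return found

def hidden_pids(listed, probed):
    """Pure comparison used by the live scan: directly reachable but not listed."""
    return sorted(probed - listed)

def scan(limit=PROBE_LIMIT, proc_dir=PROC):
    """Live check. Re-confirms each candidate against a fresh listing so that
    processes merely created after the first listing are not reported."""
    candidates = hidden_pids(listed_pids(proc_dir), probed_pids(limit, proc_dir))
    fresh = listed_pids(proc_dir)
    confirmed = []
    for pid in candidates:
        if pid in fresh:
            continue  # it was simply started between listing and probe
        if os.path.exists(os.path.join(proc_dir, str(pid), "stat")):
            confirmed.append(pid)  # still alive and still absent from the listing
    return confirmed

if __name__ == "__main__":
    for pid in scan():
        print(f"suspicious: pid {pid} reachable via /proc but absent from listing")
```

An empty result means nothing was found by this method, not that the host is clean: a kernel-level hook can filter the direct open() as well, so corroborate with an offline disk image or a trusted boot medium.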

Furthermore, Krasue's sophistication extends to its C2 communications: it can designate an IP address as its master upstream command-and-control server, report information about the malware, and terminate itself if instructed.

The malware also shares source code similarities with another Linux malware family, XorDDoS, implying a shared origin or access to a common codebase.

A separate investigation confirmed one case of the Krasue campaign and is assessing three other potential incidents. However, the actual number of targeted companies may be higher.

Therefore, Thai companies, especially those in the telecommunications industry, should maintain continuous vigilance and stronger security measures to guard against such campaigns, since the full capabilities of this malware will remain unknown for some time.
