Stealthy Linux rootkit discovered within the wild after going undetected for two years

Photo of author

By Calvin S. Nelson

Stealthy and multifunctional Linux malware that has been infecting telecommunications corporations went largely unnoticed for 2 years till being documented for the primary time by researchers on Thursday.

Researchers from safety agency Group-IB have named the distant entry trojan “Krasue,” after a nocturnal spirit depicted in Southeast Asian folklore “floating in mid-air, with no torso, simply her intestines hanging from under her chin.” The researchers selected the title as a result of proof thus far exhibits it virtually solely targets victims in Thailand and “poses a extreme danger to vital programs and delicate knowledge on condition that it is ready to grant attackers distant entry to the focused community.

In line with the researchers:

  • Krasue is a Linux Distant Entry Trojan that has been lively since 20 and predominantly targets organizations in Thailand.
  • Group-IB can affirm that telecommunications corporations had been focused by Krasue.
  • The malware incorporates a number of embedded rootkits to assist completely different Linux kernel variations.
  • Krasue’s rootkit is drawn from public sources (3 open-source Linux Kernel Module rootkits), as is the case with many Linux rootkits.
  • The rootkit can hook the `kill()` syscall, network-related capabilities, and file itemizing operations to be able to disguise its actions and evade detection.
  • Notably, Krasue makes use of RTSP (Actual-Time Streaming Protocol) messages to function a disguised “alive ping,” a tactic hardly ever seen within the wild.
  • This Linux malware, Group-IB researchers presume, is deployed in the course of the later phases of an assault chain to be able to preserve entry to a sufferer host.
  • Krasue is prone to both be deployed as a part of a botnet or bought by preliminary entry brokers to different cybercriminals.
  • Group-IB researchers consider that Krasue was created by the identical creator because the XorDdos Linux Trojan, documented by Microsoft in a March 2022 weblog submit, or somebody who had entry to the latter’s supply code.

Through the initialization section, the rootkit conceals its personal presence. It then proceeds to hook the `kill()` syscall, network-related capabilities, and file itemizing operations, thereby obscuring its actions and evading detection.

The researchers have thus far been unable to find out exactly how Krasue will get put in. Doable an infection vectors embody via vulnerability exploitation, credential-stealing or -guessing assaults, or by unwittingly being put in as trojan stashed in an set up file or replace masquerading as respectable software program.

The three open supply rootkit packages included into Krasue are:

An image showing salient research points of Krasue.
Enlarge / A picture exhibiting salient analysis factors of Krasue.


Rootkits are a sort of malware that hides directories, information, processes, and different proof of its presence to the working system it’s put in on. By hooking respectable Linux processes, the malware is ready to droop them at choose factors and interject capabilities that conceal its presence. Particularly, it hides information and directories starting with the names “auwd” and “vmware_helper” from listing listings and hides ports 52695 and 52699, the place communications to attacker-controlled servers happen. Intercepting the kill() syscall additionally permits the trojan to outlive Linux instructions trying to abort this system and shut it down.

Leave a Comment