The cybersecurity landscape has been alerted to a new threat in the form of a Linux remote access trojan named ‘Krasue’, which has been covertly targeting telecom companies in Thailand since at least 202. The malware, named after a mythical Southeast Asian spirit, is adept at hiding its presence during the initial phase of infection, according to a report by Group-IB.
Krasue’s deployment methods remain uncertain, but it is suspected that the trojan could be introduced through various means such as exploiting vulnerabilities, brute-forcing credentials, or being bundled with counterfeit software packages.
At the heart of Krasue’s functionality is a rootkit disguised as an unsigned VMware driver, derived from open-source projects like Diamorphine, Suterusu, and Rooty. This rootkit enables the trojan to persist on infected hosts undetected. The sophistication of the rootkit suggests that Krasue could be part of a botnet or distributed by initial access brokers to other cybercriminals, including ransomware groups seeking specific targets2.
Group-IB’s analysis reveals that Krasue can intercept system calls and network functions to conceal its activities and avoid detection. It employs the Real Time Streaming Protocol (RTSP) for covert communication, a method not commonly observed in malware attacks3.
The trojan’s command-and-control capabilities allow it to manage its operations remotely, including self-termination. Furthermore, similarities in the source code between Krasue and another Linux malware, XorDdos, hint at a possible connection in their development or shared access to the source code.
While Group-IB has confirmed one case of Krasue’s activity, ongoing investigations suggest there may be more undisclosed incidents. The elusive nature of such malicious programs underscores the need for continuous monitoring and enhanced security protocols within the industry.
