A new type of Linux malware has been identified after going unnoticed for two years thanks to work by cybersecurity researchers from Group-IB.

The newly uncovered Linux Remote Access Trojan (RAT), Krasue, was first registered on Virustotal, and has since been targeting primarily telecommunications companies in Thailand.

Group-IB says that Krasue “poses a severe risk to critical systems and sensitive data” because attackers can access a targeted network remotely.

Krasue Linux RAT

The cybersecurity analysts say that the malware contains several embedded rootkits, drawn from public sources, meaning that the RAT can support different Linux kernel versions.

However, Group-IB is yet to determine Krasue’s initial infection vector. So far, vulnerability exploitation, credential brute force attacks, and unwitting downloads as part of deceptive packages are all being considered.

Instead, the cybersecurity company says it’s disclosing the limited information it has at this point in order to prime Thai telecommunications companies so that they can be better prepared to secure themselves against such attacks. Group-IB has also notified the Thailand Computer Emergency Response Team (ThaiCERT) and the Thailand Telecommunications Sector Computer Emergency Response Team (TTC-CERT).

After analysis, it looks like the Krasue RAT might have been created by the same author as XorDdos – another Linux Trojan malware with rootkit capabilities for launching large-scale DDoS attacks.

But specific threat group attribution is hard because the RAT uses code snippets from three different open-source projects – Diamorphine, Suterusu, and Rooty – which have been available for over five years.

For now, Group-IB promises to continue monitoring the malware’s spread, including to other areas outside of Thailand.

More from TechRadar Pro

Services MarketplaceListings, Bookings & Reviews

Entertainment blogs & Forums