Krasue RAT Uses Cross-Kernel Linux Rootkit to Attack Telecoms

Published: 23/11/2024   Category: security




A stealthy malware is infecting the systems of telecoms and other verticals in Thailand, remaining under the radar for two years after its code first appeared on VirusTotal.



Attackers likely tied to the creators of the XorDdos Linux remote access Trojan (RAT) have been wielding a separate Linux RAT for nearly two years without detection, using it to target organizations in Thailand and maintain malicious access to infected systems.
The RAT, dubbed Krasue — named for a nocturnal native spirit in Southeast Asian folklore — uses a combination of stealthy techniques to fly under the radar, including the use of a rootkit that embeds seven compiled versions within it to support various versions of the Linux kernel, researchers from Group-IB reported in a blog post published Dec. 7.
The primary functionality of the RAT — which appeared on VirusTotal in 2021 but has never been publicly reported — is to maintain access to the host. This means it's likely that the RAT is either deployed as part of a botnet or sold by initial access brokers to other cybercriminals who are looking to acquire access to a particular target, Sharmine Low, malware analyst, threat intelligence team for Group-IB, wrote in the post.
Krasue was likely created by the same author as the XorDdos Linux Trojan, or at least had access to the same source code, the researchers said. Microsoft discovered XorDdos, which has been used widely in attacks against cloud and IoT deployments, in 2014.
One aspect of the RAT that the researchers said is unique is the use of real-time streaming protocol (RTSP) messages to serve as a disguised alive ping, a tactic that is rarely seen in the wild, they said. RTSP is typically used to control the delivery of real-time media streams over IP networks, such as in video streaming and video-surveillance systems.
The method of gaining initial access to systems infected by Krasue is unclear, though likely pathways include vulnerability exploitation or credential brute-force attacks. Another, albeit less likely, option for initial access could be that the RAT is downloaded as part of a deceptive package or binary — such as a fake product update — from a malicious third-party source, the researchers added.
While Group-IB observed the RAT being used mainly to target the telecom sector, the researchers believe that organizations in other verticals also were likely targets. It's also likely that Krasue was deployed later in the attack chain, once a cybercriminal already has intruded on a targeted network.
Given its combination of stealthy characteristics, it's no surprise that Krasue RAT has lurked undetected for two years, the researchers said. Some of these techniques lie in the use and functionality of the Krasue rootkit, which is a Linux Kernel Module (LKM), an object file that can be dynamically loaded into the kernel at runtime.
On an infected system, the rootkit masquerades as a VMware driver without a valid digital signature. Because of its nature as an LKM, the rootkit, which targets Linux kernel versions 2.6.x/3.10.x, extends the functionality of the kernel without having to recompile or modify the entire kernel source code. Moreover, during the initialization phase, the rootkit conceals its own presence, then proceeds to hook the kill() syscall, network-related functions, and file-listing operations, thereby obscuring its activities.
Another reason Krasue has managed to evade detection is that it uses UPX packing. Packed malware samples typically are more difficult to detect by security solutions, and older Linux servers often have poor endpoint detection and response (EDR) coverage anyway, the researchers said.
The RAT also enhances its evasion capabilities by daemonizing itself, running as a background process, and disregarding SIGINT signals, the last of which means that the malware remains unaffected by interruption signals sent when the user terminates the process by pressing Ctrl-C.
Krasue also has features to obscure its communications with the command-and-control (C2) network, including using nine hardcoded IP addresses for its master C2 and its aforementioned use of RTSP for communication — which is rare for cybercriminals — among them, Low said.
Krasue will always attempt to connect to the internal addresses initially, she explained in the post. Only after multiple non-replies and trying to connect to server after server, it will attempt to connect 128[.]199[.]226[.]11 at port 554, which is a port commonly used for RTSP. This is notable because while malware developers typically make a concerted effort to disguise network traffic, using RTSP for this purpose is highly uncommon.
Group-IB made a number of recommendations for security professionals to alert them of potential infection by Krasue RAT. One is to be on the lookout for anomalous RTSP traffic, which could alert to the existence of the malware on a system.
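The recommendation to watch for anomalous RTSP traffic can be turned into a concrete check. The script below is an added example written for this article, not Group-IB's code or a tool from their report: it reads a constructed connection log (Zeek-style one line per TCP connection), reports every RTSP client that is not on an allowlist of hosts expected to speak RTSP (the 10.0.0.50 recorder is a hypothetical entry), and flags a regular cadence to the same destination as beaconing, which is what a periodic "alive ping" looks like from the network. The only non-constructed value is the C2 address and port 554 named in the article.

```python
"""Spotting an RTSP-on-554 keepalive in a connection log.

Constructed sample: one line per TCP connection, fields
  <unix_ts> <src_ip> <dst_ip> <dst_port> <proto>
Hosts in EXPECTED_RTSP_CLIENTS are allowed to speak RTSP (cameras, media
servers); every other RTSP client is reported, and a regular cadence to the
same destination is flagged as beaconing.
"""
from collections import defaultdict
from statistics import mean, pstdev

RTSP_PORT = 554
# Assumption: the only legitimate RTSP speaker on this hypothetical network
# is a video recorder at 10.0.0.50.
EXPECTED_RTSP_CLIENTS = {"10.0.0.50"}
# C2 address named in the article (defanged there, plain here).
KNOWN_C2 = {"128.199.226.11"}

# Constructed log: 10.0.0.12 reaches the known C2 on 554 every 60 seconds.
SAMPLE_LOG = """\
# ts         src        dst             dport proto
1700000000 10.0.0.50  10.0.0.60       554   tcp
1700000005 10.0.0.12  10.0.0.13       22    tcp
1700000010 10.0.0.12  128.199.226.11  554   tcp
1700000070 10.0.0.12  128.199.226.11  554   tcp
1700000130 10.0.0.12  128.199.226.11  554   tcp
1700000190 10.0.0.12  128.199.226.11  554   tcp
1700000200 10.0.0.14  10.0.0.15       443   tcp
"""


def parse_conn_log(text):
    """Return (ts, src, dst, dport, proto) tuples; skips comments and blanks."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split()
        rows.append((int(ts), src, dst, int(dport), proto))
    return rows


def find_rtsp_anomalies(rows, min_hits=3, max_jitter=5.0):
    """Group unexpected RTSP connections by (src, dst) and score each group.

    A group is 'beaconing' when it has at least min_hits connections and the
    gaps between consecutive connections vary by no more than max_jitter
    seconds (population standard deviation of the gaps).
    """
    by_pair = defaultdict(list)
    for ts, src, dst, dport, proto in rows:
        if dport != RTSP_PORT or src in EXPECTED_RTSP_CLIENTS:
            continue
        by_pair[(src, dst)].append(ts)

    findings = []
    for (src, dst), times in sorted(by_pair.items()):
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        findings.append({
            "src": src,
            "dst": dst,
            "hits": len(times),
            "known_c2": dst in KNOWN_C2,
            "interval": mean(gaps) if gaps else None,
            "beaconing": (len(times) >= min_hits and len(gaps) >= 2
                          and pstdev(gaps) <= max_jitter),
        })
    return findings


if __name__ == "__main__":
    for finding in find_rtsp_anomalies(parse_conn_log(SAMPLE_LOG)):
        print(finding)
```

On the sample the recorder's connection is ignored and the single finding is the 10.0.0.12 host, with four hits at a 60-second interval, marked as beaconing and as a known C2 destination. In practice the allowlist and the jitter threshold are the tuning knobs: a telecom server fleet normally has no reason to originate RTSP at all, so even one unexpected connection to port 554 is worth a look.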
The researchers also recommended that organizations download software and packages only from trusted and official sources, using reputable repositories provided by
their Linux distribution
or verified third-party sources with a strong reputation for security.
Administrators also should enable kernel module signature verification by configuring the Linux kernel to only load signed modules. This ensures that only modules with a valid digital signature from a trusted source can be loaded, Low wrote.
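The host-side traits described above (an LKM that conceals its own presence, a module loaded without a valid signature, signature enforcement being off, and a daemon that ignores SIGINT) each leave a trace in /proc or /sys that an audit can read. The script below is an added example for this article, not code from Group-IB or from the malware report; it checks for loadable modules that still have a /sys/module/<name> directory but are missing from /proc/modules, decodes the module-related bits of the kernel taint word (bit 12, 'O', out-of-tree; bit 13, 'E', unsigned module loaded), reads whether module.sig_enforce is on, and parses the SigIgn mask of each process. The module name example_hidden and the sample file contents are constructed.

```python
"""Host checks for an LKM that hides itself, an unsigned module, signature
enforcement, and processes that ignore SIGINT.

Every check takes text so it can run on the constructed samples below;
collect_live() reads the real /proc and /sys files on a Linux host.
"""
import os

TAINT_OUT_OF_TREE = 1 << 12       # 'O' in /proc/sys/kernel/tainted
TAINT_UNSIGNED_MODULE = 1 << 13   # 'E' in /proc/sys/kernel/tainted
SIGINT = 2

# Constructed samples (not taken from a real host).
SAMPLE_PROC_MODULES = """\
ext4 794624 1 - Live 0x0000000000000000
nf_conntrack 172032 0 - Live 0x0000000000000000
"""
# Names with an 'initstate' entry under /sys/module, i.e. loadable modules;
# 'example_hidden' (hypothetical name) is missing from /proc/modules.
SAMPLE_SYS_MODULES = ["ext4", "nf_conntrack", "example_hidden"]
SAMPLE_STATUS_IGNORES_SIGINT = (
    "Name:\tsvc\nSigIgn:\t0000000000000002\nSigCgt:\t0000000000000000\n")


def parse_proc_modules(text):
    """Set of module names from /proc/modules (first column of each line)."""
    return {line.split()[0] for line in text.splitlines() if line.strip()}


def hidden_modules(proc_modules_text, sys_module_names):
    """Loadable modules present in sysfs but unlinked from /proc/modules.

    A module that removes itself from the kernel's module list usually
    leaves its /sys/module/<name> directory behind; one that also deletes
    that sysfs entry will not be caught by this check.
    """
    return sorted(set(sys_module_names) - parse_proc_modules(proc_modules_text))


def decode_taint(value):
    """Return the module-related taint reasons encoded in the taint word."""
    reasons = []
    if value & TAINT_OUT_OF_TREE:
        reasons.append("out-of-tree-module-loaded")
    if value & TAINT_UNSIGNED_MODULE:
        reasons.append("unsigned-module-loaded")
    return reasons


def sig_enforce_enabled(text):
    """True when /sys/module/module/parameters/sig_enforce reads 'Y'."""
    return text.strip().upper().startswith("Y")


def ignores_sigint(status_text):
    """Check the SigIgn mask in /proc/<pid>/status; bit (signum - 1) is set
    when the process ignores that signal."""
    for line in status_text.splitlines():
        if line.startswith("SigIgn:"):
            return bool(int(line.split()[1], 16) & (1 << (SIGINT - 1)))
    return False


def collect_live():
    """Run all checks against the running host (Linux only)."""
    def read(path, default=""):
        try:
            with open(path) as fh:
                return fh.read()
        except OSError:
            return default

    sys_mods = []
    if os.path.isdir("/sys/module"):
        sys_mods = [n for n in os.listdir("/sys/module")
                    if os.path.exists(f"/sys/module/{n}/initstate")]
    report = {
        "hidden_modules": hidden_modules(read("/proc/modules"), sys_mods),
        "taint": decode_taint(int(read("/proc/sys/kernel/tainted", "0").strip() or 0)),
        "sig_enforce": sig_enforce_enabled(
            read("/sys/module/module/parameters/sig_enforce", "N")),
        "pids_ignoring_sigint": [],
    }
    pids = os.listdir("/proc") if os.path.isdir("/proc") else []
    for pid in filter(str.isdigit, pids):
        if ignores_sigint(read(f"/proc/{pid}/status")):
            report["pids_ignoring_sigint"].append(int(pid))
    return report


if __name__ == "__main__":
    print(collect_live())
```

Two caveats when reading the live report: the taint word is sticky for the life of the boot, so 'E' tells you an unsigned module was loaded at some point, not that it is still present; and plenty of legitimate daemons ignore SIGINT, so that list is a triage input to combine with the other findings rather than an alert by itself. Turning sig_enforce on (the module.sig_enforce=1 boot parameter, or a kernel built with CONFIG_MODULE_SIG_FORCE) is the preventive control the article's recommendation refers to.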
Other security steps administrators can take to avoid compromise are to monitor system and network logs — regularly reviewing them for any suspicious activities — and to conduct periodic security audits.
