
Thai telecoms’ Linux systems subjected to Krasue RAT compromise

BleepingComputer reports that telecommunications firms in Thailand have had their Linux systems stealthily compromised since 2021 by the Krasue remote access trojan, whose purpose is to maintain persistent access to the host. How Krasue is initially distributed remains unclear, but a Group-IB report found that the malware embeds seven variants of a kernel-level rootkit in its binary, one of which masquerades as an unsigned VMware driver. All of the variants share similar system call and function hooking features and are based on the open-source Diamorphine, Rooty and Suterusu rootkits. The RAT supports six commands, including ones to restart its main and child processes, and carries nine hardcoded command-and-control IP addresses; one of them is contacted over port 554, the port normally used by Real Time Streaming Protocol (RTSP) connections and an unusual choice for malware. Krasue's origin is uncertain, but its rootkit shares similarities with the rootkit used by the XorDdos Linux malware, suggesting that the two strains may come from the same operator.
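The three host-level signals the report describes (a tainted module posing as a VMware driver, a module that has hidden itself from the module list as Diamorphine-derived rootkits do, and outbound TCP to port 554) can be turned into a quick triage script. The example below is added here and is not code from Group-IB, BleepingComputer or the malware; it runs on constructed sample data (TEST-NET addresses, an invented "updater" process, a made-up tainted module line) and on a live host you would feed it the real contents of /proc/modules, /proc/sys/kernel/tainted and `ss -tnp` instead. The heuristics are assumptions about what a spoofed driver looks like, not indicators taken from the report.

```python
"""Heuristic triage for the Krasue signals described above (added example, not the page's code)."""
import re

# Constructed sample of /proc/modules: name size refcount users state address [(taint)].
# The per-module taint letters matter: O = out-of-tree, E = unsigned. Distro-built
# VMware drivers are in-tree and signed, so they normally carry no taint at all.
SAMPLE_PROC_MODULES = """\
vmw_vmci 98304 1 vmw_vsock_vmci_transport, Live 0xffffffffc0a00000
vmwgfx 425984 0 - Live 0xffffffffc0900000
vmw_balloon 32768 0 - Live 0xffffffffc0880000 (OE)
xt_conntrack 16384 2 - Live 0xffffffffc0800000
"""

# Constructed sample of `ss -tnp` output (TEST-NET peers, invented process names).
SAMPLE_SS_TNP = """\
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 10.0.0.5:43210 203.0.113.10:554 users:(("updater",pid=4242,fd=5))
ESTAB 0 0 10.0.0.5:51000 198.51.100.7:443 users:(("curl",pid=4300,fd=3))
ESTAB 0 0 10.0.0.5:35514 203.0.113.11:80 users:(("updater",pid=4242,fd=6))
"""

# Global kernel taint bits (cat /proc/sys/kernel/tainted): these are sticky and survive
# a module unlinking itself from the module list.
TAINT_OOT = 1 << 12       # 'O' out-of-tree module loaded
TAINT_UNSIGNED = 1 << 13  # 'E' unsigned module loaded

MODULE_RE = re.compile(
    r"^(\S+)\s+\d+\s+\d+\s+\S+\s+(\w+)\s+0x[0-9a-f]+(?:\s+\(([A-Z+]+)\))?$")
SS_RE = re.compile(r"^(\S+)\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s*(.*)$")
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


def parse_modules(proc_modules: str) -> list[dict]:
    """Parse /proc/modules lines into name/state/taint records."""
    out = []
    for line in proc_modules.splitlines():
        m = MODULE_RE.match(line.strip())
        if m:
            out.append({"module": m.group(1), "state": m.group(2), "taint": m.group(3) or ""})
    return out


def tainted_vmware_lookalikes(proc_modules: str) -> list[dict]:
    """Modules named like the in-tree VMware drivers (vmw*/vmxnet*) that carry an
    out-of-tree or unsigned taint. Assumption: a genuine distro VMware module is untainted."""
    return [r for r in parse_modules(proc_modules)
            if r["module"].startswith(("vmw", "vmxnet")) and set(r["taint"]) & {"O", "E"}]


def hidden_module_taint(tainted_value: int, proc_modules: str) -> bool:
    """True when the global taint says an unsigned/out-of-tree module was loaded but no
    visible module carries that taint: the footprint of a module that removed itself
    from the module list, which Diamorphine-based rootkits do."""
    global_flagged = bool(tainted_value & (TAINT_OOT | TAINT_UNSIGNED))
    visible_flagged = any(set(r["taint"]) & {"O", "E"} for r in parse_modules(proc_modules))
    return global_flagged and not visible_flagged


def rtsp_port_connections(ss_output: str, port: int = 554) -> list[dict]:
    """Established TCP connections whose peer port is 554. Legitimate RTSP clients
    (media players, camera/NVR software) show up too; the output exists so an analyst
    can judge whether the owning process has any business speaking RTSP."""
    hits = []
    for line in ss_output.splitlines()[1:]:  # skip the header row
        m = SS_RE.match(line.strip())
        if not m or int(m.group(5)) != port:
            continue
        p = PROC_RE.search(m.group(6))
        hits.append({"state": m.group(1), "peer": m.group(4),
                     "process": p.group(1) if p else None,
                     "pid": int(p.group(2)) if p else None})
    return hits


def hunt(proc_modules: str = SAMPLE_PROC_MODULES, tainted_value: int = TAINT_OOT | TAINT_UNSIGNED,
         ss_output: str = SAMPLE_SS_TNP) -> dict:
    """Run all three checks and return the findings in one dict."""
    return {"tainted_vmware_modules": tainted_vmware_lookalikes(proc_modules),
            "module_hidden_from_list": hidden_module_taint(tainted_value, proc_modules),
            "rtsp_port_connections": rtsp_port_connections(ss_output)}


if __name__ == "__main__":
    for key, value in hunt().items():
        print(f"{key}: {value}")
```

On a real host, replace the samples with `open('/proc/modules').read()`, `int(open('/proc/sys/kernel/tainted').read())` and the output of `ss -tnp`; note that a rootkit that hooks the relevant read paths can lie to all three sources, so a clean result from a suspected host should be confirmed from a trusted offline image rather than from the running kernel.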
