Suspected to be using the RSTP protocol for evasion and communications, the remote access trojan is similar to the XorDdos RAT.

Cybercriminals have been leveraging a new Linux remote access trojan (RAT) to stealthily maintain access to the networks of targeted firms based in Thailand.

Found to have been active since at least 2021, the RAT had remained under the radar until recently.

At this stage, researchers from Group-IB can confirm that the RAT, dubbed Krasue (a female spirit),has beenused against telecommunications firms in Thailand, although it has likely been part of attacks against organizations in other verticals.

Krasue’s capabilities

At the heart of that newly unearthed RAT is its rootkit, based on three open-source, publicly-available Linux Kernel Module rootkits and seven others — meaning different versions of Linux can be targeted.

The rootkit also contains multiple similarities with XorDdos, another Linux malware. As a result, Group-IB experts believe that Krasue was either created by the same author as XorDdos, or by an individual who had access to XorDdos’ source code. Krasue’s functionalities in 2023 include:

    • The ability to maintain access to a targeted network: the initial infection vector and the full scale of its usage have not been determined, but the Linux RAT could likely enter systems via vulnerability exploitation, credential brute force attacks, or more uncommonly, be downloaded as part of a deceptive package or binary from a third-party source.
    • The ability to conceal its own presence during the initialization phase, meaning that it can evade detection.
    • Deployment as part of a botnet, or as part of ransomware offerings by initial access brokers.
    • The use of Real Time Streaming Protocol (RSTP) to communicate with its master command and control (C2 server) suspect to provide detection evasion, although researchers have noted that using RTSP for this purpose is highly uncommon.

Upon discovering Krasue, the firm’s customers as well as the Thailand Computer Emergency Response Team (ThaiCERT) and the Thailand Telecommunications Sector Computer Emergency Response Team (TTC-CERT) were promptly notified. A full list of YARA rules for detection has been made public.

According to Benyatip Hongto, Group-IB’s Business Development Manager in Thailand: “Group-IB will continue to monitor Krasue’s spread both within Thailand and in other geographies, and take all measures to proactively inform affected parties.”