Stealthy Linux Rootkit Found in the Wild After Going Undetected for 2 Years
Arthur T Knackerbracket has processed the following story:
Stealthy and multifunctional Linux malware that has been infecting telecommunications companies went largely unnoticed for two years until being documented for the first time by researchers on Thursday.
Researchers from security firm Group-IB have named the remote access trojan Krasue, "after a nocturnal spirit depicted in Southeast Asian folklore floating in mid-air, with no torso, just her intestines hanging from below her chin." The researchers chose the name because evidence to date shows it almost exclusively targets victims in Thailand and poses a severe risk to critical systems and sensitive data given that it is able to grant attackers remote access to the targeted network.
[...] During the initialization phase, the rootkit conceals its own presence. It then proceeds to hook the `kill()` syscall, network-related functions, and file listing operations, thereby obscuring its activities and evading detection.
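A defender-side check for the hiding behaviour described above, added to this summary as an example (it is not code from the Group-IB report or the article): it compares two views of /proc, the directory listing that a hooked file-listing path would filter, and a per-PID stat() probe that goes through neither readdir nor kill(), and reports PIDs present only in the second view. It assumes a Linux host with /proc mounted; the pure comparison is kept in its own function so it can be checked on constructed data.

```python
import os


def hidden_pids_from_views(listed, probed):
    """Pure comparison: PIDs a direct per-PID probe found that the
    directory listing of /proc omitted. Separate from the live views so
    it can be exercised on constructed data without a live /proc."""
    return sorted(set(probed) - set(listed))


def listed_pids():
    # View 1: readdir('/proc'). A rootkit hooking directory-listing
    # operations filters its hidden processes out of this view.
    return {int(name) for name in os.listdir('/proc') if name.isdigit()}


def pid_exists(pid):
    # stat('/proc/<pid>') walks the path directly and does not go through
    # readdir or kill(), the calls the article says Krasue hooks.
    # A PermissionError still means the process exists.
    try:
        os.stat(f'/proc/{pid}')
        return True
    except FileNotFoundError:
        return False
    except PermissionError:
        return True


def probed_pids(max_pid):
    # View 2: probe every candidate PID up to max_pid (pid_max on the host).
    return {pid for pid in range(1, max_pid + 1) if pid_exists(pid)}


def scan(max_pid=None):
    """Report PIDs visible to the probe but absent from the listing.
    Each suspect is re-checked once so a process that exited between the
    two views (an ordinary race, not hiding) is not reported."""
    if max_pid is None:
        with open('/proc/sys/kernel/pid_max') as f:
            max_pid = int(f.read())
    suspects = hidden_pids_from_views(listed_pids(), probed_pids(max_pid))
    return [pid for pid in suspects
            if pid_exists(pid) and pid not in listed_pids()]


if __name__ == '__main__':
    hidden = scan()
    print('hidden PIDs:', hidden if hidden else 'none found')
```

A kernel-resident rootkit can filter stat() as well, so an empty result is one signal among several (the Group-IB indicators, network-side telemetry), not a clean bill of health.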
The researchers have so far been unable to determine precisely how Krasue gets installed. Possible infection vectors include vulnerability exploitation, credential-stealing or -guessing attacks, or unwitting installation as a trojan stashed in an installation file or update masquerading as legitimate software.
Besides the rootkit functions, Krasue features an installation file that's shielded inside UPX, a so-called packer that provides a cryptographic wrapper around the main executable that can stymie detection by anti-virus software. The Group-IB post provides indicators of compromise and digital characteristics for detecting infected systems.