Cybersecurity pioneer Group-IB has exposed a new Linux Remote Access Trojan (RAT), known as Krasue, being used covertly by cyber criminals to infiltrate company networks based solely within Thailand.
The Trojan, named after a nocturnal spirit from Thai mythology by the Group-IB Threat Intelligence unit, has been active since at least 2021 and was initially used against telecommunication companies in the nation.
The RAT's primary function is to maintain access to a targeted network, employing tactics such as vulnerability exploitation, credential brute force attacks, or deceptive package downloads, according to Group-IB.
On discovery of this threat, Group-IB swiftly notified their Threat Intelligence customers and published YARA rules on their blog to aid organisations in actively seeking out this threat.
Krasue's rootkit, key to the attack's success, shares characteristics with open-source Linux Kernel Module rootkits and shows multiple similarities to another Linux malware, XorDdos. This correlation suggests a likely connection between the two malicious entities.
The deployment of this malware could be part of a botnet strategy or potentially offering access to Krasue to other cyber criminal guilds like ransomware gangs, by initial access brokers (IAB).
According to Benyatip Hongto, Group-IB's Business Development Manager in Thailand, the timely response to this discovery was integral in combating this threat.
He stressed, "Group-IB's rapid response upon discovery of this malware and information sharing with ThaiCERT and TTC-CERT are vital steps towards countering this threat. Group-IB will continue to monitor Krasues spread both within Thailand and in other geographies, and take all measures to proactively inform affected parties."
In order to intensify their response to increasing cyber risks in Thailand, Group-IB has announced plans to launch a Digital Crime Resistance Center in the country in March 2023. This move aims to bolster their dedication to the promotion and enhancement of cybersecurity capabilities within Thailand and beyond.
The Group has also joined forces with major Thai organisations including nForce and the Defence Technology Institute, hoping to boost shared knowledge and collaboration in cybersecurity practices.
Building on this momentum, Group-IB signed a memorandum of understanding with theDefence Technology Institute, a government agency under the supervision of the Minister of Defence of Thailand, in May 2023, to enhance knowledge sharing and collaboration in the development of the Defense Technology Institute Cyber Academy Program.
Hongto reaffirmed that the disclosure of this sophisticated malware targeting Thailand-based organisations underlines the need for constant vigilance and proaction to thwart such threats.