Trojan Alert: Linux Devices Repurposed as Proxy Servers in Large-Scale Attack

by Dan Goodin
13 Dec 2023

"Proxy & VPN Virtuoso. With a decade in the trenches of online privacy, Dan is your go-to guru for all things proxy and VPN. His sharp insights and candid reviews cut through the digital fog, guiding you to secure, anonymous browsing."

Implications of Linux Trojan Attack
Linux Trojan Attack converts infected devices into proxy servers without the users’ knowledge.

Security experts have recently uncovered a sophisticated Trojan targeting Linux systems. The malware, designed to exploit specific vulnerabilities in Linux, converts infected devices into proxy servers without the users’ knowledge. This contributes to the creation of a large-scale proxy network, which could potentially mask cybercriminal activities. The Trojan gains unauthorized access to Linux devices and subtly alters their operations, making them part of a wider network used for redirecting internet traffic.

Attack Quick Facts

  • A new type of malware, specifically a remote access trojan (RAT) named Krasue, has been identified as a serious threat to Linux systems. This malware is notably targeting organizations within the telecommunications sector in Thailand. Its primary objective is to establish and maintain control over the affected Linux systems.
  • Krasue distinguishes itself with its ability to remain undetected. Embedded within its code is a sophisticated rootkit — a type of Linux Kernel Module (LKM) that disguises itself as an innocuous VMware driver. This camouflage makes the rootkit particularly difficult to identify and eradicate, given its deep integration with the operating system’s core functionalities.
  • The malware’s rootkit component is engineered to be compatible with various versions of the Linux kernel, especially older versions like 2.6x and 3.10.x. This backward compatibility is a strategic choice, as older systems often lack robust detection and response mechanisms, making them easier targets for covert operations.
  • The architecture of the Krasue rootkit reveals its lineage to three previously known open-source LKM rootkits that have been publicly accessible since 2017. This may indicate that Krasue’s developers may have integrated existing malicious technologies into their design.
  • Krasue is equipped with a variety of functionalities to manipulate the compromised system. It can alter network configurations to hide or reveal specific ports, manipulate process visibility, escalate privileges to the highest level, and terminate processes as required. It can also conceal its traces, further hindering detection efforts.
  • A unique aspect of Krasue is its use of the Real Time Streaming Protocol (RTSP) for command and control (C2) communications. This is an unusual choice for malware C2 channels and demonstrates the Trojan’s sophisticated approach to maintaining covert communications.
  • Though the exact origins and methods of initial infection by Krasue remain unclear, there are observable similarities in its codebase with another known Linux malware, XorDdos. This suggests possible shared origins or development techniques between the two malware types.

Learn more about malicious proxy servers and how to defend yourself against proxy hacking. 

What Does That Mean for Linux?

The implications of this attack are far-reaching. It not only compromises the integrity of the infected devices but also poses significant risks for the networks to which these devices are connected. The redirected traffic could be used for various nefarious purposes. This includes distributing malware, launching further cyber attacks, and facilitating anonymous communication for illegal activities. Here’s a breakdown of all the issues that arose as a result of the attack:

  • Compromised integrity and network risks: Once a Linux device is infected, it becomes part of a malicious network, potentially compromising the entire network to which it is connected.
  • Potential for malicious use: The Trojan’s ability to redirect traffic through these compromised devices opens up several avenues for misuse. This traffic redirection can be harnessed for distributing further malware, amplifying the scale of cyberattacks.
  • Threat to corporate and individual privacy: The possibility that sensitive data could be intercepted or manipulated through compromised devices adds another layer of risk, especially in sectors handling critical data.
  • Challenges in detection and removal: Due to the stealthy nature of the Krasue rootkit, detection and removal of the Trojan from infected Linux systems are challenging.
  • Reevaluation of Linux security protocols: The attack calls for a reevaluation of existing security protocols within Linux environments. Organizations might need to invest more in cybersecurity training for their IT staff and consider employing more robust intrusion detection and prevention systems.

Key Takeaways

Experts strongly advise Linux users to enhance their cybersecurity measures. This includes regular software updates, rigorous network monitoring, and employing robust firewall protections. Plus, heightened awareness and education about these types of cyber threats are crucial for both individual users and organizations.

But what about regular users? A full list of security measures Linux users are recommended to take includes:

  • Regular software updates
  • Rigorous network monitoring
  • Robust firewall protections
  • Strong passwords and 2FA
  • Least privilege principle
  • Data encryption
  • Maintaining up-to-date images
  • Secure and monitor network activity

Final Thoughts

As cybercriminals become more sophisticated, so must our defenses against them. The cybersecurity community is actively working to analyze and counter the Trojan threat, but the situation certainly underscores the importance of proactive and comprehensive security strategies in today’s interconnected world.

We use cookies on our site to ensure that we give you the best browsing experience. By continuing to browse the site, you agree to this use. For more information on how we use cookies, see our Privacy Policy.

Got IT

We added this proxy to compare list