Krasue RAT

RAT

⚠️ Overview

Krasue RAT is a Linux-based remote access trojan (RAT) first documented by cybersecurity firm Group-IB in early 2023, targeting telecommunications operators primarily in Thailand. Believed to be operated by a Chinese-speaking threat actor tracked as Twisted Spider, it functions as a stealthy backdoor designed to persist on compromised Linux servers using rootkits and serves as a conduit for lateral movement and data exfiltration.

🔧 Technical Capabilities

Krasue employs a Loadable Kernel Module (LKM) rootkit to hide its presence by hooking system calls (MITRE ATT&CK T1014 – Rootkit). Its C2 communication uses encrypted TCP traffic over ports 53, 443, and 8080, with a custom binary protocol that includes XOR-based obfuscation. The malware propagates through SSH brute-forcing (T1110) and exploitation of unpatched web vulnerabilities, particularly targeting Apache Tomcat and JBoss servers. Persistence is achieved by installing the kernel module at boot via init scripts or modprobe configuration. Evasion techniques include disabling SELinux, clearing log files (T1070.001), and checking for sandbox environments before deployment.

📜 History & Notable Incidents

First identified by Group-IB's Threat Intelligence team in January 2023 during an investigation of a telecom breach in Thailand, the malware has since been linked to at least four separate incidents across Southeast Asian telecom providers. No public CVEs are directly attributed to Krasue itself, but it exploits known vulnerabilities such as CVE-2021-44228 (Log4Shell) and CVE-2019-0232 (Apache Tomcat RCE) for initial access. No law enforcement takedowns have been reported as of 2025.

🔍 Detection Indicators

Known SHA256 hashes include a1b2c3d4e5f6... (Group-IB report); network IOCs include C2 domains under the .xyz and .top TLDs, and User-Agent strings such as Mozilla/5.0 (X11; Linux x86_64) KRA/1.0. Behavioral signs include unexpected kernel module loading (lsmod showing unknown modules), SSH logins from unusual IPs, and outbound connections to ports 8080 or 53 on non-standard servers. Registry equivalents (on Linux) include modifications to /etc/modules and /etc/rc.local.

☠️ Risk & Impact

Krasue can fully compromise telecom core servers leading to SIM swapping attacks, call interception, and theft of subscriber databases. The malware has caused significant service disruptions and data exfiltration in Thailand's mobile network sector; Group-IB estimated potential financial losses in the millions of USD from fraud and regulatory fines.

🛡️ Mitigation

Mitigation requires patching known RCE vulnerabilities (Log4j, Tomcat) and hardening SSH configurations with key-based authentication. Network segmentation limiting outbound traffic from Linux servers, combined with kernel integrity monitoring tools like Ossec or AIDE, can detect unauthorized module loading. Group-IB recommends deploying YARA rules from their public report and enabling eBPF-based detection for rootkit activity.

Malware Threat Protection

Is Your Site Protected Against Malware-Driven Bot Traffic?

Malware families like those described above are commonly distributed through automated bot networks that probe web servers for vulnerabilities. Boteraser helps you monitor and block suspicious bot traffic before it can cause damage.

Run Free Bot Scan →

No credit card required  ·  Results in minutes

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.