Quasar Linux RAT Steals Developer Credentials to Compromise Software Supply Chain

A previously undocumented Linux remote access trojan codenamed Quasar Linux RAT (QLNX) targets developer systems to establish a foothold and carry out a wide range of post-compromise operations, such as data harvesting, keylogging, file manipulation, clipboard monitoring, and network tunneling.
“QLNX targets developers and DevOps professionals across the entire software supply chain,” said Trend Micro researchers Aliakbar Zahravi and Ahmed Mohamed Ibrahim in a technical analysis of the malware.
“Its credential harvester extracts secrets from high-value files such as .npmrc (npm tokens), .pypirc (PyPI credentials), .git-credentials, .aws/credentials, .kube/config, .docker/config.json, .vault-token, and Terraform CLI tokens. Compromise of these assets may allow injecting malicious packages into the npm or PyPI registries, accessing cloud infrastructure, or pivoting through CI/CD pipelines.”
Malware that systematically harvests such a wide variety of credentials poses a serious threat to developer environments. A threat actor who successfully deploys QLNX against a package maintainer gains unauthorized access to their publishing pipeline, allowing the attacker to push poisoned versions that propagate to every downstream consumer.
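The files named above are the first thing a harvester reads, so the practical check is whether they exist on a developer workstation, whether their permissions leak them to other local users, and whether they hold long-lived tokens rather than short-lived ones. The following audit script is an added example, not code from the Trend Micro report or from QLNX; the token-matching regexes are constructed heuristics, and the SECRET_FILES list is taken from the report's enumeration.

```python
"""Audit a developer home directory for the secret-bearing files a
credential harvester targets. Reports files that exist, files readable by
other local users, and files that hold a stored long-lived credential."""
import os
import re
import stat

# Files named in the Trend Micro analysis, relative to $HOME.
SECRET_FILES = [
    ".npmrc",
    ".pypirc",
    ".git-credentials",
    ".aws/credentials",
    ".kube/config",
    ".docker/config.json",
    ".vault-token",
]

# Heuristic patterns for a stored long-lived credential (constructed for
# this example; they are not taken from the malware or the report).
TOKEN_PATTERNS = {
    ".npmrc": re.compile(r"_authToken\s*=\s*\S+"),
    ".pypirc": re.compile(r"^\s*password\s*=\s*\S+", re.M),
    ".git-credentials": re.compile(r"://[^:/]+:[^@]+@"),
    ".aws/credentials": re.compile(r"aws_secret_access_key\s*=\s*\S+"),
    ".kube/config": re.compile(r"\b(token|client-key-data):\s*\S+"),
    ".docker/config.json": re.compile(r'"auth"\s*:\s*"[^"]+"'),
    ".vault-token": re.compile(r"\S"),
}


def assess_file(rel_name, mode, content):
    """Classify one file given its st_mode and text. Returns a list of
    finding strings; an empty list means nothing notable."""
    findings = []
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(
            f"{rel_name}: readable by group/other (mode {oct(mode & 0o777)})"
        )
    pat = TOKEN_PATTERNS.get(rel_name)
    if pat and pat.search(content):
        findings.append(f"{rel_name}: contains a stored long-lived credential")
    return findings


def audit_home(home):
    """Walk SECRET_FILES under `home` and collect findings."""
    findings = []
    for rel in SECRET_FILES:
        path = os.path.join(home, rel)
        try:
            st = os.lstat(path)
            with open(path, "r", errors="replace") as f:
                content = f.read()
        except (FileNotFoundError, NotADirectoryError):
            continue  # absent: nothing to steal
        except OSError as e:
            findings.append(f"{rel}: unreadable ({e.strerror})")
            continue
        findings.extend(assess_file(rel, st.st_mode, content))
    return findings


if __name__ == "__main__":
    for line in audit_home(os.path.expanduser("~")):
        print(line)
```

A finding of "contains a stored long-lived credential" is the one to act on: replace npm and PyPI tokens with short-lived trusted-publishing (OIDC) flows where the registry supports them, and keep anything that must remain on disk at mode 0600. Note that mode alone does not protect against an implant running as the same user, which is exactly the QLNX case.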
QLNX executes filelessly from memory, impersonates a kernel thread (e.g., kworker or ksoftirqd), and can profile a host to detect containerized environments, wipe system logs to cover its tracks, and establish persistence using no fewer than seven different methods, including systemd units, crontab entries, and bash injection.
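Kernel-thread impersonation is cheap to detect because a real kernel thread has no executable image: its /proc/PID/exe link does not resolve, /proc/PID/cmdline is empty, and its parent is kthreadd (PID 2). A fileless user-space process that has renamed itself kworker still carries an exe link, typically pointing at a memfd: or "(deleted)" target. The following checker is an added example, not code from the report; the name prefix list and the verdict strings are my own choices.

```python
"""Flag user-space processes masquerading as kernel threads. Run as root so
that /proc/<pid>/exe can be resolved for every user's processes; as an
unprivileged user the readlink fails with EACCES and masquerading processes
owned by others would be missed."""
import os
import re

# Name prefixes that belong to genuine kernel threads (constructed list).
KTHREAD_NAMES = re.compile(r"^(kworker|ksoftirqd|kthreadd|migration|rcu_|kswapd)")


def classify(name, ppid, cmdline, exe):
    """name: /proc/PID/comm; ppid: parent PID; cmdline: raw bytes of
    /proc/PID/cmdline; exe: readlink target of /proc/PID/exe, or None when
    the link could not be resolved. Returns 'ok' or a SUSPICIOUS verdict."""
    looks_kernel = bool(KTHREAD_NAMES.match(name))
    has_image = exe is not None or len(cmdline) > 0
    if looks_kernel and has_image:
        detail = exe or "cmdline present"
        if exe and ("memfd:" in exe or exe.endswith("(deleted)")):
            return f"SUSPICIOUS fileless process masquerading as kernel thread: {detail}"
        return f"SUSPICIOUS user process masquerading as kernel thread: {detail}"
    if looks_kernel and ppid not in (0, 2):
        return "SUSPICIOUS kernel-thread name but parent is not kthreadd"
    return "ok"


def read_proc(pid):
    """Collect the four fields classify() needs for one live PID."""
    base = f"/proc/{pid}"
    with open(f"{base}/comm") as f:
        name = f.read().strip()
    ppid = 0
    with open(f"{base}/status") as f:
        for line in f:
            if line.startswith("PPid:"):
                ppid = int(line.split()[1])
                break
    with open(f"{base}/cmdline", "rb") as f:
        cmdline = f.read()
    try:
        exe = os.readlink(f"{base}/exe")
    except OSError:
        exe = None  # genuine kernel thread (ENOENT) or no permission (EACCES)
    return name, ppid, cmdline, exe


def scan():
    """Return [(pid, verdict)] for every process that is not 'ok'."""
    hits = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            verdict = classify(*read_proc(int(entry)))
        except OSError:
            continue  # process exited mid-scan
        if verdict != "ok":
            hits.append((int(entry), verdict))
    return hits


if __name__ == "__main__":
    for pid, verdict in scan():
        print(pid, verdict)
```

This scanner reads /proc through the normal libc path, so an LD_PRELOAD or eBPF rootkit that hides the implant's PID from directory listings will also hide it from here; pair it with a brute-force PID probe (covered later on this page) or run it from a statically linked binary.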
In addition, it exfiltrates the collected data to attacker-controlled infrastructure and receives commands that make it possible to execute shell commands, manage files, inject code into processes, take screenshots, log keystrokes, establish SOCKS proxies and TCP pipes, load Beacon Object Files (BOFs), and even manage a peer-to-peer (P2P) mesh network.
How the malware is delivered is unclear. Once a foothold is established, however, it enters its first phase of operation: a loop that repeatedly attempts to establish and maintain communication with the command-and-control (C2) server over TCP, HTTPS, and raw HTTP. In total, QLNX supports 58 different commands that give the operator complete control over the compromised host.
QLNX also comes with a Pluggable Authentication Module (PAM) inline-hook backdoor that captures plain-text credentials during authentication events, encrypts the outgoing SSH session data, and forwards it to the C2 server. The malware also supports a second PAM-based logger that is loaded automatically into every dynamically linked process to extract the service name, username, and authentication token.
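A PAM backdoor has to be reachable from the PAM stack one way or another: either a new module line is added under /etc/pam.d, or an existing module file is replaced or patched. The following audit, an added example and not code from the report, covers the first case by inventorying every module each service file references and flagging modules outside an expected set or loaded from a non-standard directory. The EXPECTED set and the SAMPLE_PAM fragment are constructed for the example.

```python
"""Inventory PAM modules referenced from /etc/pam.d and flag unexpected ones.
Handles bracketed controls like [success=1 default=ignore], backslash line
continuations, comments, @include, and include/substack controls."""
import os
import re

# Modules a typical base install references (constructed allowlist; build
# the real one from `dpkg -L libpam-modules` or `rpm -ql pam` on the host).
EXPECTED = {
    "pam_unix.so", "pam_deny.so", "pam_permit.so", "pam_env.so", "pam_systemd.so",
    "pam_limits.so", "pam_faildelay.so", "pam_nologin.so", "pam_motd.so",
    "pam_mail.so", "pam_keyinit.so", "pam_loginuid.so", "pam_selinux.so",
    "pam_succeed_if.so", "pam_localuser.so", "pam_sss.so", "pam_faillock.so",
    "pam_pwquality.so", "pam_cap.so", "pam_umask.so", "pam_lastlog.so",
    "pam_securetty.so", "pam_rootok.so", "pam_wheel.so", "pam_xauth.so",
    "pam_access.so", "pam_gnome_keyring.so", "pam_kwallet5.so",
}
STD_DIRS = ("/lib/security", "/lib64/security", "/usr/lib/security",
            "/usr/lib64/security", "/lib/x86_64-linux-gnu/security",
            "/usr/lib/x86_64-linux-gnu/security")

RULE = re.compile(
    r"^\s*(?P<type>-?(?:auth|account|password|session))\s+"
    r"(?P<ctrl>\[[^\]]*\]|\S+)\s+(?P<module>\S+)(?P<args>.*)$"
)

# Constructed /etc/pam.d-style fragment used to exercise the parser.
SAMPLE_PAM = r"""# constructed sample, not a real service file
auth    [success=1 default=ignore]  pam_unix.so nullok
auth    required    pam_deny.so
auth    include     common-auth
auth    optional    /tmp/.cache/pam_logger.so \
        log=/tmp/.x
account required    pam_unix.so
session required    pam_limits.so
"""


def parse_pam(text):
    """Return [(type, control, module, args)] for every rule in a pam.d file."""
    rules, logical = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            logical += line[:-1] + " "   # continuation: keep accumulating
            continue
        line, logical = (logical + line).strip(), ""
        if not line or line.startswith("@include"):
            continue
        m = RULE.match(line)
        if m:
            rules.append((m["type"].lstrip("-"), m["ctrl"],
                          m["module"], m["args"].strip()))
    return rules


def audit(text, expected=EXPECTED):
    """Return finding strings for modules that are unexpected or mis-located."""
    findings = []
    for typ, ctrl, module, _args in parse_pam(text):
        if ctrl in ("include", "substack"):
            continue  # 'module' is another service file, not a .so
        base = os.path.basename(module)
        if module.startswith("/") and os.path.dirname(module) not in STD_DIRS:
            findings.append(f"{typ} {base}: loaded from non-standard path {module}")
        if base not in expected:
            findings.append(f"{typ} {base}: not in expected module set (control {ctrl})")
    return findings


def audit_dir(path="/etc/pam.d"):
    """Audit every service file under path; returns {service: [findings]}."""
    out = {}
    for name in sorted(os.listdir(path)):
        with open(os.path.join(path, name), errors="replace") as f:
            found = audit(f.read())
        if found:
            out[name] = found
    return out


if __name__ == "__main__":
    for service, found in audit_dir().items():
        for line in found:
            print(f"{service}: {line}")
```

The second case, a legitimate module file replaced on disk or patched in memory, is not visible in configuration. Check on-disk integrity with `dpkg -V libpam-modules` or `rpm -Va pam`, and check in-memory hooks by reading /proc/PID/maps of sshd and comparing the mapped pam_*.so paths and hashes against the package manager's copies.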
It uses a two-tiered rootkit architecture: a userland rootkit implemented through the LD_PRELOAD mechanism of the Linux dynamic linker keeps the installation artifacts and processes hidden, and a kernel-level eBPF component uses the BPF subsystem to hide processes, files, and network ports from common userland tools such as ps, ls, and netstat when instructed to by the C2 server.
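Both tiers hide processes by filtering directory listings of /proc (an LD_PRELOAD hook on readdir, or an eBPF program tampering with getdents64 results), so a standard counter-check is to stop trusting the listing: probe every PID from 1 to pid_max by opening /proc/<pid>/status directly and report any PID that exists but was not enumerated. This is the approach tools such as unhide take; the implementation below is an added example, not code from the report or from any such tool, and the PID sets in the test are constructed.

```python
"""Find PIDs hidden from /proc directory listings by probing each PID
path directly, plus cheap LD_PRELOAD indicators."""
import os


def hidden_pids(listed, probe, pid_max):
    """listed: set of PIDs the directory listing returned.
    probe(pid) -> True when /proc/<pid> exists on direct access.
    Returns sorted PIDs that exist but were not listed."""
    return sorted(pid for pid in range(1, pid_max + 1)
                  if pid not in listed and probe(pid))


def proc_listing():
    """PIDs as enumerated by readdir on /proc (the view a rootkit filters)."""
    return {int(e) for e in os.listdir("/proc") if e.isdigit()}


def proc_probe(pid):
    """Direct open() of /proc/<pid>/status bypasses readdir filtering.
    A process that exits between listing and probe is benign noise, so
    re-check any hit once before alerting."""
    try:
        with open(f"/proc/{pid}/status") as f:
            return f.readline().startswith("Name:")
    except OSError:
        return False


def pid_max():
    with open("/proc/sys/kernel/pid_max") as f:
        return int(f.read())


def preload_indicators():
    """Indicators of an LD_PRELOAD rootkit: a populated /etc/ld.so.preload,
    or LD_PRELOAD set in this process's environment. A rootkit that hooks
    open()/fopen() can hide the file from this check, hence the static-binary
    advice in the prose."""
    found = []
    try:
        with open("/etc/ld.so.preload") as f:
            libs = [l.strip() for l in f if l.strip() and not l.startswith("#")]
        if libs:
            found.append(f"/etc/ld.so.preload lists: {', '.join(libs)}")
    except OSError:
        pass
    if os.environ.get("LD_PRELOAD"):
        found.append(f"LD_PRELOAD in environment: {os.environ['LD_PRELOAD']}")
    return found


if __name__ == "__main__":
    for line in preload_indicators():
        print(line)
    listed = proc_listing()
    hidden = [p for p in hidden_pids(listed, proc_probe, pid_max())
              if proc_probe(p)]  # second probe filters processes that just exited
    for pid in hidden:
        print(f"hidden PID {pid} (not in /proc listing but /proc/{pid}/status opens)")
```

With pid_max at the modern default of 4194304 the probe loop takes tens of seconds in Python; that is acceptable for an incident check but not for a scheduled job, where a compiled, statically linked probe is the better fit. Because this script itself is dynamically linked, an LD_PRELOAD hook on open() or stat() that is PID-aware can defeat it; the eBPF tier is better enumerated out of band with `bpftool prog list`, which shows every loaded program regardless of what userland tools report.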
“QLNX implants are designed for long-term compromise and data theft,” Trend Micro said. “What makes it so dangerous is not a single feature, but how its capabilities combine into a coherent attack chain: gain access, remove itself from disk, persist through six redundant methods, hide at both the user level and the kernel level, and harvest the most important information.”