Introduction to Quasar Linux Malware
A previously undocumented Linux implant, Quasar Linux (QLNX), has been discovered targeting developers' systems with a mix of rootkit, backdoor, and credential-stealing capabilities. This malware kit is deployed in development and DevOps environments, including npm, PyPI, GitHub, AWS, Docker, and Kubernetes, which could enable supply-chain attacks where the threat actor publishes malicious packages on code distribution platforms.
Analysis of Quasar Linux Malware
Researchers at cybersecurity company Trend Micro analyzed the QLNX implant and found that it dynamically compiles rootkit shared objects and PAM backdoor modules on the target host using gcc (GNU Compiler Collection). The malware is designed for stealth and long-term persistence, as it runs in-memory, deletes the original binary from disk, wipes logs, spoofs process names, and clears forensic environment variables.
Persistence Mechanisms
The malware uses seven distinct persistence mechanisms, including LD_PRELOAD, systemd, crontab, init.d scripts, XDG autostart, and ‘.bashrc’ injection, ensuring it loads into every dynamically linked process and respawns if killed. These mechanisms allow QLNX to maintain its presence on the infected system.
Functional Blocks of Quasar Linux Malware
QLNX features multiple functional blocks dedicated to specific activities, making it a complete attack tool. Its core components can be summarized as follows:
- RAT core: Central control component built around a 58-command framework that provides interactive shell access, file and process management, system control, and network operations, while maintaining persistent communication with the C2 over custom TCP/TLS or HTTP/S channels.
- Rootkit: Dual-layer stealth mechanism combining a userland LD_PRELOAD rootkit and a kernel-level eBPF component. The userland layer hooks libc functions to hide files, processes, and malware artifacts, while the eBPF layer conceals PIDs, file paths, and network ports at the kernel level.
- Credential access layer: Combines credential harvesting (SSH keys, browsers, cloud and developer configs, /etc/shadow, clipboard) with PAM-based backdoors that intercept and log plaintext authentication data.
- Surveillance module: Keylogging, screenshot capture, and clipboard monitoring.
- Networking and lateral movement: TCP tunneling, SOCKS proxy, port scanning, SSH-based lateral movement, and peer-to-peer mesh networking.
- Execution and injection engine: Process injection (ptrace, /proc/pid/mem) and in-memory execution of payloads (shared objects, BOF/COFF).
- Filesystem monitoring: Real-time tracking of file activity via inotify.
Impact of Quasar Linux Malware
By targeting developer workstations, attackers can bypass enterprise security controls and access the credentials that underpin software delivery pipelines. This approach mirrors recent supply chain incidents in which stolen developer credentials were used to publish trojanized packages to public repositories.
Detection and Protection
Trend Micro has not provided details about specific attacks or any attribution for QLNX, so the deployment volume and specific activity levels of this new malware are unclear. At the time of publication, the Quasar Linux implant is detected by only four security solutions, which flag its binary as malicious. Trend Micro has provided indicators of compromise (IoCs) to help defenders detect QLNX infections and protect against them.
99% of What Mythos Found Is Still Unpatched. AI chained four zero-days into one exploit that bypassed both renderer and OS sandboxes. A wave of new exploits is coming.
It is essential for developers and organizations to be aware of the Quasar Linux malware and take necessary precautions to protect themselves from potential attacks.
Source: BleepingComputer