A newly discovered Linux backdoor, identified as Quasar Linux (QLNX), poses a significant threat to software developers by targeting their credentials, according to cybersecurity firm Trend Micro. This sophisticated Remote Access Trojan (RAT) employs a modular architecture, integrates multiple persistence and evasion techniques, includes a rootkit, and grants attackers remote access to compromised systems.
Objective of Credential Theft
Trend Micro highlights that QLNX is specifically designed to steal developer credentials, keys, and tokens. This access enables cybercriminals to infiltrate development tools, cloud services, and code repositories. The malware focuses on stealing credentials from platforms like AWS, Kubernetes, Docker Hub, and Git, as well as NPM and PyPI authentication tokens. Such access allows attackers to distribute malicious packages via legitimate developer accounts.
The deployment of QLNX against package maintainers is particularly concerning. Once inside, attackers can compromise the maintainer’s publishing pipeline, allowing them to insert trojans into software packages, introduce backdoors into build artifacts, or even shift into cloud-based production environments.
Advanced Evasion and Persistence Techniques
QLNX demonstrates advanced evasion tactics: it executes in memory, spoofs process names, and deletes itself from disk to avoid detection. It conducts system reconnaissance to identify containerized environments, conceals specific processes, ports, and files, and clears system logs to mask its activities.
The malware also employs a Pluggable Authentication Module (PAM) backdoor to gather credentials and extensive system information, including clipboard contents, SSH keys, and browser profiles. Two PAM backdoor implementations are utilized: one for capturing plaintext credentials and logging SSH data, and another for extracting authentication tokens dynamically.
Comprehensive Attack Capabilities
QLNX features a dual-layer rootkit setup: userspace hooks delivered through a shared library loaded with LD_PRELOAD, used for persistence, and an eBPF rootkit controller that manages kernel-level BPF maps. This setup allows the malware to hide processes, files, and ports from standard user tools when directed by a command and control server.
For persistence, QLNX can use up to six methods, such as crontab entries, desktop entries, init scripts, service files, and shell lines. These multiple persistence strategies ensure the malware remains active on the system. The RAT supports 58 distinct commands, enabling attackers to perform actions like file manipulation, system reboots, URL openings, and SSH command executions on remote hosts.
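A small host audit covering the three mechanisms named above (a preload library, a PAM module backdoor, and crontab or service-file persistence), added here as an example and not taken from the Trend Micro report or the malware itself. The file contents are constructed samples, and the list of "writable directories" treated as suspect is an assumption for illustration.

```python
from typing import List

# Assumption (not from the report): directories a non-root user can write to.
# A preloaded library, PAM module or scheduled command living here is anomalous.
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")

def in_suspect_dir(path: str) -> bool:
    return path.startswith(SUSPECT_DIRS)

def active_lines(text: str) -> List[str]:
    """Drop blank lines and comments."""
    return [l.strip() for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]

def audit_ld_preload(text: str) -> List[str]:
    """/etc/ld.so.preload is normally empty; every entry is worth a look."""
    return [f"ld.so.preload loads {line}" for line in active_lines(text)]

def audit_pam(text: str, service: str) -> List[str]:
    """Flag PAM modules referenced by an absolute path under a writable directory."""
    findings = []
    for line in active_lines(text):
        fields = line.split()  # type, control, module, [args...]
        if len(fields) >= 3 and in_suspect_dir(fields[2]):
            findings.append(f"pam.d/{service}: module {fields[2]} in writable directory")
    return findings

def audit_commands(text: str, source: str) -> List[str]:
    """Crontab lines and unit files: flag commands that run out of a writable directory."""
    findings = []
    for line in active_lines(text):
        for token in line.replace("=", " ").split():  # handles ExecStart=/path
            if in_suspect_dir(token):
                findings.append(f"{source}: runs {token}")
    return findings

# Constructed samples (not real indicators) exercising the three checks.
LD_PRELOAD_SAMPLE = "/dev/shm/.x/libproc.so\n"
PAM_SSHD_SAMPLE = "auth required pam_unix.so\nauth optional /tmp/.pam/pam_log.so\n"
CRONTAB_SAMPLE = "# m h dom mon dow command\n*/5 * * * * /var/tmp/.cache/update >/dev/null 2>&1\n"
SERVICE_SAMPLE = "[Service]\nExecStart=/dev/shm/.sys/agent --quiet\n"

def audit_all() -> List[str]:
    return (audit_ld_preload(LD_PRELOAD_SAMPLE) + audit_pam(PAM_SSHD_SAMPLE, "sshd")
            + audit_commands(CRONTAB_SAMPLE, "crontab")
            + audit_commands(SERVICE_SAMPLE, "agent.service"))

if __name__ == "__main__":
    for finding in audit_all():
        print("FINDING:", finding)
```

On a real host the same functions would be fed the contents of /etc/ld.so.preload, the files under /etc/pam.d, user and system crontabs, and systemd unit files; because the eBPF layer can hide files from userspace tools, compare results against an offline image or a trusted boot medium where possible.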
In conclusion, the Quasar Linux RAT represents a highly coordinated threat, utilizing its numerous capabilities to achieve stealth and effective credential theft. This makes it a formidable foe in the realm of cybersecurity, particularly for developers and organizations involved in software supply chains.
