A newly identified malware, Quasar Linux RAT (QLNX), is actively targeting developer environments, posing a threat to software supply chains. The malware aims to infiltrate systems without detection, performing actions such as credential theft, keylogging, and network tunneling. Researchers from Trend Micro, Aliakbar Zahravi and Ahmed Mohamed Ibrahim, have detailed the malware’s capabilities, highlighting its focus on compromising developer and DevOps credentials.
Credential Harvesting Capabilities
Quasar Linux RAT is specifically designed to extract sensitive information from high-value files. This includes credentials stored in .npmrc, .pypirc, .git-credentials, and other critical configuration files used in development environments. Such access enables attackers to potentially distribute malicious packages on platforms like NPM or PyPI and infiltrate cloud infrastructure, posing severe risks to the integrity of software supply chains.
The malware’s credential theft is not limited to a single method; it systematically exploits various entry points to gain unauthorized access. By doing so, attackers can manipulate publishing pipelines, introducing compromised software versions that could have widespread negative consequences.
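The files named above are worth auditing before a compromise rather than after one. The script below is an added example (not code from the Trend Micro report, and not derived from the malware): it parses the three formats, reports each stored secret with only a short masked prefix, and flags files readable by group or others. The sample contents are constructed, and the file names are assumed to sit in their conventional place in a user's home directory.

```python
"""Audit developer credential files for plaintext secrets.

Added example, not code from the Trend Micro write-up. It inspects the file
types QLNX is reported to read (.npmrc, .pypirc, .git-credentials), reports
which secrets sit there in plaintext (masked) and notes loose permissions, so
they can be moved to a credential helper or replaced with short-lived tokens.
"""
import configparser
import os
import re
import stat
from pathlib import Path
from urllib.parse import urlsplit

# Constructed sample contents (not real tokens), one per file format.
SAMPLE_NPMRC = ("registry=https://registry.npmjs.org/\n"
                "//registry.npmjs.org/:_authToken=npm_EXAMPLEtoken123\n")
SAMPLE_PYPIRC = ("[distutils]\nindex-servers = pypi\n\n"
                 "[pypi]\nusername = __token__\npassword = pypi-EXAMPLEtoken456\n")
SAMPLE_GIT_CREDENTIALS = "https://alice:ghp_EXAMPLEtoken789@github.com\n"


def mask(secret):
    """Keep only a short prefix so a report can be shared without leaking the secret."""
    return secret[:4] + "..." if len(secret) > 4 else "***"


def npmrc_findings(text):
    """(key, masked value) for every _authToken/_auth/_password entry, registry-scoped or global."""
    hits = []
    for line in text.splitlines():
        m = re.match(r"\s*(//[^:]+:)?(_authToken|_auth|_password)\s*=\s*(\S+)", line)
        if m:
            hits.append(((m.group(1) or "") + m.group(2), mask(m.group(3))))
    return hits


def pypirc_findings(text):
    """(section, masked password) for every index server with a stored password."""
    # interpolation=None: a password containing '%' must not be treated as a format string
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return [(s, mask(cp.get(s, "password"))) for s in cp.sections() if cp.has_option(s, "password")]


def git_credentials_findings(text):
    """(user@host, masked password) for each stored URL that embeds a password."""
    hits = []
    for line in text.splitlines():
        u = urlsplit(line.strip())
        if u.password:
            hits.append((f"{u.username}@{u.hostname}", mask(u.password)))
    return hits


PARSERS = {".npmrc": npmrc_findings,
           ".pypirc": pypirc_findings,
           ".git-credentials": git_credentials_findings}


def audit_file(path):
    """Findings for one file: plaintext secrets, plus a note if group/others can read it."""
    path = Path(path)
    parser = PARSERS.get(path.name)
    if parser is None or not path.is_file():
        return []
    findings = [f"{path}: plaintext secret {key} = {val}"
                for key, val in parser(path.read_text(errors="replace"))]
    if os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"{path}: readable by group/others; chmod 600")
    return findings


def audit_home(home=None):
    """Walk one home directory (default: the current user's) and collect all findings."""
    home = Path(home) if home else Path.home()
    return [f for name in PARSERS for f in audit_file(home / name)]


if __name__ == "__main__":
    for finding in audit_home():
        print(finding)
```

Run it on a developer workstation or a CI runner image; every line it prints is a token that a process reading the file as that user can copy. The usual remediation is to rotate the token and stop storing it on disk in plaintext: `git config credential.helper` with an OS keychain helper, `npm login` with a scoped token kept out of `~/.npmrc` in CI, and a keyring backend for `twine` instead of a password in `.pypirc`.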
Stealth and Persistence Mechanisms
Operating stealthily, QLNX executes from memory, disguising itself as legitimate kernel threads to avoid detection. It profiles host systems to identify containerized environments and employs multiple strategies to establish persistence, including systemd, crontab, and .bashrc modifications. This ensures the malware remains active over extended periods, even after system reboots.
In addition, the malware utilizes a Pluggable Authentication Module (PAM) backdoor to capture plaintext credentials during authentication processes. It logs and transmits SSH session data to an external server, further broadening its reach and control over compromised systems.
Comprehensive Control and Concealment
Quasar Linux RAT is capable of executing 58 different commands, providing attackers with full control over victim systems. It maintains communication with a command-and-control (C2) server using various protocols, including raw TCP, HTTPS, and HTTP, facilitating ongoing interaction and data exfiltration.
The malware employs a two-tiered rootkit architecture, utilizing both userland and kernel-level components to hide its presence. By leveraging the Linux dynamic linker and eBPF subsystem, it conceals its operations from standard monitoring tools, ensuring that its activities remain undetected.
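The persistence locations (systemd units, crontab, .bashrc), the PAM stack and the dynamic-linker preload file described above are all ordinary files, so a host can be triaged for them with nothing more than file reads. The script below is an added example, not code from the Trend Micro report; the `check_*` functions take file contents so they can be run against copies collected from a host, and `triage_host()` reads the live paths. The patterns and thresholds are assumed heuristics chosen for illustration, and the sample contents are constructed rather than real artefacts.

```python
"""Triage the persistence, PAM and preload locations described for QLNX.

Added example, not code from the Trend Micro report. The check_* functions are
pure (they take file contents) so they work on collected copies as well as on
a live host; triage_host() wires them to the live paths. All patterns are
assumed heuristics for illustration, not indicators from the report.
"""
import re
from pathlib import Path

# Directories a persisted program has no business being launched from.
UNTRUSTED_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
# Standard PAM module directories; entries loading from elsewhere are suspect.
PAM_MODULE_DIRS = ("/lib/security/", "/lib64/security/", "/usr/lib/security/",
                   "/usr/lib64/security/", "/lib/x86_64-linux-gnu/security/",
                   "/usr/lib/x86_64-linux-gnu/security/")
# Download-and-run, payload decoding, library preloading, or detaching a process.
RISKY_SHELL = re.compile(
    r"(curl|wget)[^|]*\|\s*(ba)?sh\b|base64\s+(-d|--decode)|LD_PRELOAD=|\bnohup\s")

# Constructed sample contents used by the assertions; not real artefacts.
SAMPLE_CRONTAB = ("# m h dom mon dow command\n"
                  "0 3 * * * /usr/bin/apt-get update\n"
                  "@reboot /dev/shm/.x/agent -d\n")
SAMPLE_BASHRC = ("alias ll='ls -la'\n"
                 "export LD_PRELOAD=/tmp/.libsys.so\n"
                 "nohup /var/tmp/.upd >/dev/null 2>&1 &\n")
SAMPLE_UNIT = ("[Unit]\nDescription=kworker helper\n[Service]\n"
               "ExecStart=/tmp/.kworker/run\n[Install]\nWantedBy=multi-user.target\n")
SAMPLE_PRELOAD = "/usr/local/lib/libsys_cache.so\n"
SAMPLE_PAM = ("auth    required    pam_unix.so\n"
              "auth    optional    /usr/local/lib/pam_log.so\n"
              "auth    optional    libauth.so\n")


def _active_lines(text):
    """Non-empty, non-comment lines, stripped."""
    return [l.strip() for l in text.splitlines() if l.strip() and not l.strip().startswith("#")]


def check_crontab(text):
    """Flag entries that run at reboot, launch from untrusted dirs, or fetch/decode payloads."""
    return [s for s in _active_lines(text)
            if s.startswith("@reboot") or any(d in s for d in UNTRUSTED_DIRS) or RISKY_SHELL.search(s)]


def check_shell_rc(text):
    """Flag .bashrc/.profile lines that preload a library, detach a process, or use untrusted dirs."""
    return [s for s in _active_lines(text)
            if any(d in s for d in UNTRUSTED_DIRS) or RISKY_SHELL.search(s)]


def check_systemd_unit(text):
    """Flag Exec* directives whose program lives in an untrusted dir (prefix chars like '-' or '@' allowed)."""
    hits = []
    for s in _active_lines(text):
        m = re.match(r"Exec(Start|StartPre|StartPost|Stop)\s*=\s*[-@+!:]*(\S+)", s)
        if m and m.group(2).startswith(UNTRUSTED_DIRS):
            hits.append(s)
    return hits


def check_ld_so_preload(text):
    """/etc/ld.so.preload is normally absent or empty; any entry is injected into every dynamic binary."""
    return _active_lines(text)


def check_pam_config(text):
    """Flag PAM lines whose module is an absolute path outside the module dirs or not named pam_*.so."""
    hits = []
    for s in _active_lines(text):
        mod = next((t for t in s.split() if t.endswith(".so")), None)
        if mod is None:
            continue
        name = mod.rsplit("/", 1)[-1]
        if (mod.startswith("/") and not mod.startswith(PAM_MODULE_DIRS)) or not name.startswith("pam_"):
            hits.append(s)
    return hits


def _read(path):
    try:
        return Path(path).read_text(errors="replace")
    except OSError:
        return ""


def triage_host(root="/"):
    """Run every check against the live paths under root; returns {location: [flagged lines]}."""
    root, report = Path(root), {}
    report["etc/ld.so.preload"] = check_ld_so_preload(_read(root / "etc/ld.so.preload"))
    for p in (root / "etc/pam.d").glob("*"):
        report[str(p)] = check_pam_config(_read(p))
    cron_files = [root / "etc/crontab"] + list((root / "etc/cron.d").glob("*")) \
        + [p for p in (root / "var/spool/cron").glob("**/*") if p.is_file()]
    for p in cron_files:
        report[str(p)] = check_crontab(_read(p))
    for unit_dir in ("etc/systemd/system", "usr/lib/systemd/system", "lib/systemd/system"):
        for p in (root / unit_dir).glob("*.service"):
            report[str(p)] = check_systemd_unit(_read(p))
    for rc in list((root / "home").glob("*/.bashrc")) + [root / "root/.bashrc"]:
        report[str(rc)] = check_shell_rc(_read(rc))
    return {k: v for k, v in report.items() if v}


if __name__ == "__main__":
    for location, lines in triage_host().items():
        print(location, lines)
```

Two of the techniques in the write-up are not visible to file checks and need a separate baseline: eBPF programs exist only in the kernel, so compare `bpftool prog show` output against a known-good list for the image, and a process posing as a kernel thread can be separated from a real one because genuine kernel threads have no `/proc/<pid>/exe` target and are children of `kthreadd` (PID 2).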
Trend Micro’s analysis underscores the sophisticated nature of QLNX, which integrates multiple attack techniques into a seamless workflow. This combination of stealth, persistence, and credential harvesting makes it a formidable threat to developers and software supply chains worldwide.
