
The previously undocumented Linux implant, codenamed Quasar Linux RAT (QLNX), targets developers’ systems to not only establish a silent foothold, but also facilitate a wide range of post-compromise functions, including credential harvesting, keylogging, file manipulation, clipboard monitoring, and network tunneling.
“QLNX targets developers and DevOps credentials across the software supply chain,” Trend Micro researchers Aliakbar Zahravi and Ahmed Mohamed Ibrahim said in a technical analysis of the malware.
“Its credential harvester extracts secrets from high-value files such as .npmrc (npm tokens), .pypirc (PyPI credentials), .git-credentials, .aws/credentials, .kube/config, .docker/config.json, .vault-token, Terraform credentials, GitHub CLI tokens, and .env. Once these assets are compromised, operators can download malicious packages to NPM, or it might be possible to push to a PyPI registry, access cloud infrastructure, or go through a CI/CD pipeline.”
This malware poses a significant risk to development environments because it systematically collects a wide range of credentials. An attacker who successfully deploys QLNX on a package administrator's system could gain unauthorized access to the publishing pipeline and push a malicious version of a package, with potentially cascading downstream effects.
QLNX runs fileless from memory, disguises itself as a kernel thread (such as kworker or ksoftirqd), profiles hosts to detect containerized environments, hides its tracks by erasing system logs, and configures persistence using over seven different methods, including systemd, crontab, and .bashrc shell injection.
It then exfiltrates the collected data to attacker-controlled infrastructure and receives commands that allow it to execute shell commands, manage files, inject code into processes, take screenshots, log keystrokes, establish SOCKS proxies and TCP tunnels, execute beacon object files (BOFs), and even manage peer-to-peer (P2P) mesh networks.
Exactly how the malware is distributed is unknown. However, once a foothold is established, the malware enters its main operational phase: a persistent loop that continually attempts to establish and maintain communication with the command-and-control (C2) server over raw TCP, HTTPS, and HTTP. QLNX supports a total of 58 different commands, giving operators complete control over compromised hosts.
QLNX also comes with a Pluggable Authentication Module (PAM) inline hook backdoor that intercepts cleartext credentials during authentication events, logs outbound SSH session data, and sends that data to a C2 server. The malware also supports a second PAM-based credential logger that is automatically loaded into all dynamically linked processes to extract service names, usernames, and authentication tokens.
It employs a two-layer rootkit architecture. Userland rootkits are deployed through the Linux dynamic linker’s LD_PRELOAD mechanism, ensuring that implant artifacts and processes remain hidden. There is also a kernel-level eBPF component that uses the BPF subsystem to hide processes, files, and network ports from standard userland tools such as ps, ls, and netstat when instructions are received from the C2 server.
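Two of the behaviours described above, a process masquerading as a kernel thread and a rootkit hiding PIDs from ps, can be checked for on a host by cross-referencing /proc with what userland tools report. The following is an added example, not code from Trend Micro or from the malware; it assumes a Linux /proc filesystem and the ps command, and the function names (classify, hidden_pids, read_proc_entry) are the example's own.

```python
"""Added example (not Trend Micro's code): flag fake kernel threads and PIDs hidden from ps."""
import os
import subprocess

KTHREAD_PREFIXES = ("kworker", "ksoftirqd", "kthreadd", "migration", "rcu_")
KTHREADD_PID = 2  # every genuine kernel thread is a child of kthreadd (PID 2)

def classify(pid, comm, ppid, exe, cmdline):
    """Reason string if the process looks like a fake kernel thread, else None."""
    if not comm.startswith(KTHREAD_PREFIXES):
        return None
    if ppid != KTHREADD_PID:  # real kernel threads are always parented by kthreadd
        return f"pid {pid} named {comm!r} but parent is {ppid}, not kthreadd"
    if exe or cmdline:  # real kernel threads have no exe link and an empty cmdline
        return f"pid {pid} named {comm!r} but has exe={exe!r} cmdline={cmdline!r}"
    return None

def hidden_pids(proc_pids, ps_pids):
    """PIDs present in /proc but absent from ps: an LD_PRELOAD or eBPF readdir() hook hides
    from one view but not the other. A process that exited between snapshots also lands here."""
    return sorted(set(proc_pids) - set(ps_pids))

def read_proc_entry(pid):
    """Collect (pid, comm, ppid, exe, cmdline) for a live PID (Linux only)."""
    base = f"/proc/{pid}"
    with open(f"{base}/status") as fh:
        fields = dict(line.split(":", 1) for line in fh if ":" in line)
    try:
        exe = os.readlink(f"{base}/exe")  # fileless implants often show memfd:/deleted here
    except OSError:  # kernel threads (and zombies) have no resolvable exe link
        exe = ""
    with open(f"{base}/cmdline", "rb") as fh:
        cmdline = fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
    return pid, fields["Name"].strip(), int(fields["PPid"]), exe, cmdline

def main():
    proc_pids = [int(d) for d in os.listdir("/proc") if d.isdigit()]
    ps_out = subprocess.run(["ps", "-eo", "pid="], capture_output=True, text=True)
    for pid in hidden_pids(proc_pids, [int(p) for p in ps_out.stdout.split()]):
        print(f"[hidden] pid {pid} is in /proc but not in ps output")
    for pid in proc_pids:
        try:
            reason = classify(*read_proc_entry(pid))
        except OSError:  # process exited between listing and reading
            continue
        if reason:
            print(f"[masquerade] {reason}")

if __name__ == "__main__":
    main()
```

A hit from hidden_pids should be re-checked once before acting, since a short-lived process can appear there legitimately; a hit from classify is worth capturing /proc/PID/maps and the exe link before the process is disturbed.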
“The QLNX implant was built for long-term stealth and credential theft,” Trend Micro said. “What makes this particularly dangerous is not a single feature, but how that functionality is chained into a consistent attack workflow: arrival, erasure from disk, persistence through six redundant mechanisms, concealment at both user space and kernel level, and most importantly, credential collection.”
