The Quasar Linux RAT (QLNX) is a sophisticated piece of malware designed to target developers and DevOps professionals, aiming to establish a silent and persistent presence on their systems. What sets QLNX apart is its ability to harvest a wide range of credentials, from npm tokens to AWS credentials, which could have devastating consequences for software supply chains.
One of the most alarming aspects of QLNX is its fileless execution and its masquerading as a kernel thread, both of which make it difficult to detect. It can profile the host to identify containerized environments, wipe system logs, and set up persistence using multiple methods, including systemd, crontab, and .bashrc shell injection. This level of stealth and persistence is concerning, as it allows the malware to operate undetected for extended periods.
The malware's command-and-control (C2) server capabilities are extensive, enabling operators to execute shell commands, manage files, inject code into processes, take screenshots, log keystrokes, establish SOCKS proxies and TCP tunnels, run Beacon Object Files (BOFs), and even manage a peer-to-peer (P2P) mesh network. With 58 distinct commands, the operators have complete control over the compromised host.
What makes QLNX particularly dangerous is its two-tiered rootkit architecture. A userland rootkit is deployed through the Linux dynamic linker's LD_PRELOAD mechanism, ensuring the implant's artifacts and processes remain hidden. Additionally, a kernel-level eBPF component uses the BPF subsystem to conceal processes, files, and network ports from standard userland tools, further enhancing the malware's stealth capabilities.
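A defender-side triage check for the behaviours described in the two preceding paragraphs (kernel-thread masquerading, fileless execution, and a system-wide LD_PRELOAD hook), written as an added example that is not part of the original article or of any QLNX analysis tooling. It reads procfs and /etc/ld.so.preload directly and ships with a constructed fake tree (the pids, names and paths in it are invented sample data) so it runs offline.

```python
import os
import re
import tempfile
from pathlib import Path

KTHREAD_NAME = re.compile(r"^(kworker|ksoftirqd|kthreadd|migration|rcu_|kswapd|kcompactd|watchdog)")
def _read(path: Path) -> bytes:
    try:  # a missing entry, or one owned by another user, simply counts as empty
        return path.read_bytes()
    except OSError:
        return b""
def inspect_process(pid_dir: Path) -> list:
    """Return findings for one /proc/<pid> directory; an empty list means nothing odd."""
    pid, findings = pid_dir.name, []
    comm = _read(pid_dir / "comm").decode(errors="replace").strip()
    try:
        exe = os.readlink(pid_dir / "exe")
    except OSError:
        exe = ""  # genuine kernel threads have no exe link at all
    # A real kernel thread has neither cmdline nor exe, so a "kworker" with either is a masquerade.
    if KTHREAD_NAME.match(comm) and (_read(pid_dir / "cmdline") or exe):
        findings.append(f"pid {pid}: '{comm}' is named like a kernel thread but runs a userland image")
    # Fileless execution: the image exists only in memory (memfd) or was unlinked after exec.
    if exe.startswith("/memfd:") or exe.endswith("(deleted)"):
        findings.append(f"pid {pid}: exe is {exe!r} (fileless or deleted image)")
    return findings
def scan(proc_root="/proc", etc_root="/etc") -> list:  # ld.so.preload first, then every numeric /proc entry
    preload = _read(Path(etc_root) / "ld.so.preload").decode(errors="replace").strip()
    findings = [f"{etc_root}/ld.so.preload forces: {preload}"] if preload else []
    for pid_dir in sorted(Path(proc_root).iterdir()):
        if pid_dir.name.isdigit():
            findings.extend(inspect_process(pid_dir))
    return findings
def build_sample_tree() -> tuple:
    root = Path(tempfile.mkdtemp())
    entries = {  # constructed sample data, not a real host: pid -> (comm, cmdline, exe link target)
        "1": ("systemd", b"/sbin/init\0", "/usr/lib/systemd/systemd"),
        "2": ("kworker/0:1", b"", None),  # a genuine kernel thread
        "4242": ("kworker/u8:3", b"/tmp/.x\0", "/memfd:x (deleted)"),
    }
    for pid, (comm, cmdline, exe) in entries.items():
        d = root / "proc" / pid
        d.mkdir(parents=True)
        (d / "comm").write_bytes(comm.encode() + b"\n")
        (d / "cmdline").write_bytes(cmdline)
        if exe:
            os.symlink(exe, d / "exe")
    (root / "etc").mkdir()
    (root / "etc" / "ld.so.preload").write_text("/tmp/.x.so\n")
    return str(root / "proc"), str(root / "etc")
```

Because the eBPF component described above can hide entries from /proc itself, a clean result from a live host is not proof of absence; run the check from a trusted vantage point (a forensic boot or a memory image) when a compromise is suspected.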
The malware's credential harvesting capabilities are extensive, targeting high-value files such as .npmrc, .pypirc, .git-credentials, .aws/credentials, .kube/config, .docker/config.json, .vault-token, Terraform credentials, GitHub CLI tokens, and .env files. The compromise of these assets could lead to malicious package pushes to NPM or PyPI registries, unauthorized access to cloud infrastructure, and pivoting through CI/CD pipelines.
In my opinion, the Quasar Linux RAT is a significant threat to the software development community. Its ability to silently establish a foothold, harvest credentials, and maintain persistence makes it a formidable tool for attackers. Developers and DevOps professionals must be vigilant and proactive in their security measures to protect their systems and data from such sophisticated malware.