
"QLNX targets developers and DevOps credentials across the software supply chain. Its credential harvester extracts secrets from high-value files such as .npmrc (npm tokens), .pypirc (PyPI credentials), .git-credentials, .aws/credentials, .kube/config, .docker/config.json, .vault-token, Terraform credentials, GitHub CLI tokens, and .env files. The compromise of these assets could allow the operator to push malicious packages to NPM or PyPI registries, access cloud infrastructure, or pivot through CI/CD pipelines."
"QLNX executes filelessly from memory, masquerades as a kernel thread (e.g., kworker or ksoftirqd), and is capable of profiling the host to detect containerized environments, wiping system logs to cover its tracks, and setting up persistence using no less than seven different methods, including systemd, crontab, and .bashrc shell injection."
"Furthermore, it exfiltrates the collected data to an attacker-controlled infrastructure, and receives commands that make it possible to execute shell commands, manage files, inject code into processes, take screenshots, log keystrokes, establish SOCKS proxies and TCP tunnels, run Beacon Object Files (BOFs), and even manage a pe"
Quasar Linux RAT (QLNX) is a Linux implant that targets developer and DevOps environments to gain a silent foothold and support post-compromise operations. It harvests secrets from high-value credential files for npm, PyPI, Git, cloud providers, Kubernetes, Docker, Vault, Terraform, and the GitHub CLI, as well as .env files. Compromise of these assets can enable access to cloud infrastructure, pivoting through CI/CD pipelines, and pushing malicious packages to registries. The malware executes filelessly from memory, masquerades as a kernel thread, profiles the host to detect containerized environments, wipes system logs, and establishes persistence using multiple methods including systemd, crontab, and shell injection. It exfiltrates the collected data and supports remote command execution, file operations, code injection, screenshots, keystroke logging, and network tunneling via SOCKS proxies and TCP tunnels.
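Two of the behaviours described above, running from memory and naming the process after a kernel thread such as kworker or ksoftirqd, leave traces in /proc that a defender can check. The script below is an added example written for this summary; it is not code from The Hacker News or from any QLNX analysis. It assumes the usual Linux /proc layout (comm, status, cmdline, and the exe symlink) and uses a small constructed process table for its self-check; the process names, PIDs and paths in that table are invented.

```python
"""Flag user-space processes that borrow kernel-thread names or run from memory.

Heuristics (added example, not vendor code):
  * Genuine kernel threads are PID 2 (kthreadd) or its direct children, have an
    empty cmdline and an exe link that does not resolve. A user-space binary can
    rename itself but cannot reparent under kthreadd or lose its exe link.
  * An exe link pointing at /memfd:... or "(deleted)" means the backing file is
    memory-only or was unlinked after exec, a common fileless-execution trace.
"""
import os
import re
from dataclasses import dataclass
from typing import List, Optional

# Names the summary mentions (kworker, ksoftirqd) plus other common kthreadd children.
KTHREAD_NAME_RE = re.compile(r"^(kworker|ksoftirqd|kthreadd|migration|rcu_|kswapd|kcompactd|watchdog)")


@dataclass
class ProcInfo:
    pid: int
    ppid: int
    comm: str            # /proc/<pid>/comm, the name ps and top display
    cmdline: str         # /proc/<pid>/cmdline with NULs replaced; empty for kernel threads
    exe: Optional[str]   # readlink(/proc/<pid>/exe), or None when the link does not resolve


def looks_like_kernel_thread(comm: str) -> bool:
    return KTHREAD_NAME_RE.match(comm) is not None


def suspicion_reasons(p: ProcInfo) -> List[str]:
    """Return the list of heuristics a process trips; empty means nothing odd."""
    reasons: List[str] = []
    if looks_like_kernel_thread(p.comm) and not (p.pid == 2 or p.ppid == 2):
        if p.cmdline:
            reasons.append("kernel-thread name with non-empty cmdline")
        if p.exe is not None:
            reasons.append("kernel-thread name with resolvable exe link")
    if p.exe and ("memfd:" in p.exe or p.exe.endswith("(deleted)")):
        reasons.append("executable is memory-backed or unlinked")
    return reasons


def find_suspicious(procs: List[ProcInfo]) -> List[ProcInfo]:
    return [p for p in procs if suspicion_reasons(p)]


def read_proc_info(pid: int, proc_root: str = "/proc") -> Optional[ProcInfo]:
    """Collect one process record from /proc; None if it vanished or is unreadable."""
    base = os.path.join(proc_root, str(pid))
    try:
        with open(os.path.join(base, "comm")) as f:
            comm = f.read().strip()
        with open(os.path.join(base, "status")) as f:
            ppid = next(int(line.split()[1]) for line in f if line.startswith("PPid:"))
        with open(os.path.join(base, "cmdline"), "rb") as f:
            cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
    except (OSError, StopIteration):
        return None
    try:
        exe = os.readlink(os.path.join(base, "exe"))
    except OSError:
        exe = None  # kernel threads and zombies have no target; EACCES also lands here
    return ProcInfo(pid, ppid, comm, cmdline, exe)


def scan_live(proc_root: str = "/proc") -> List[ProcInfo]:
    out = []
    for name in os.listdir(proc_root):
        if name.isdigit():
            info = read_proc_info(int(name), proc_root)
            if info is not None:
                out.append(info)
    return out


# Constructed process table for the self-check; not captured from a real host.
SAMPLE_PROCS = [
    ProcInfo(2, 0, "kthreadd", "", None),
    ProcInfo(17, 2, "kworker/0:1", "", None),
    ProcInfo(23, 2, "ksoftirqd/1", "", None),
    ProcInfo(1234, 1, "sshd", "/usr/sbin/sshd -D", "/usr/sbin/sshd"),
    ProcInfo(4242, 1, "kworker/u8:2", "", "/memfd:x (deleted)"),     # constructed: in-memory, fake name
    ProcInfo(4300, 4242, "ksoftirqd/0", "[ksoftirqd/0]", "/tmp/.x"),  # constructed: fake name, on-disk
]


if __name__ == "__main__":
    procs = scan_live() if os.path.isdir("/proc") else SAMPLE_PROCS
    for p in find_suspicious(procs):
        print(f"pid {p.pid} ppid {p.ppid} comm={p.comm!r} exe={p.exe!r}: {', '.join(suspicion_reasons(p))}")
```

Run it as root: readlink on another user's /proc/<pid>/exe fails with EACCES for an unprivileged scanner, which this code treats as "no exe" and would therefore miss a root-owned implant. The "(deleted)" signal also fires on long-running daemons whose binary was replaced by a package upgrade, so treat it as a lead to corroborate with the persistence locations named above (systemd units, crontab entries, .bashrc) rather than as a verdict on its own.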
#linux-malware #credential-harvesting #developer-supply-chain-attacks #persistence-and-stealth #network-tunneling
Read at The Hacker News