Quasar Linux: the malware that infects development environments with rootkits, backdoors, and credential theft
New malware dubbed Quasar Linux (QLNX) is targeting developer systems with a combination of advanced capabilities: rootkits, backdoors, and credential theft. The threat is particularly insidious because it spreads through development and DevOps environments, including npm, PyPI, GitHub, AWS, Docker, and Kubernetes, paving the way for potential supply chain attacks.
Quick Summary
Quasar Linux (QLNX) is malware that infects development environments with rootkit, backdoor, and credential theft capabilities. It spreads through platforms like npm, PyPI, and GitHub, using seven persistence mechanisms. The malware operates in memory, deletes traces, and hides at the kernel level with eBPF. It primarily targets developers and software distribution pipelines.
A complete kit for advanced attacks
The QLNX implant was analyzed by Trend Micro, which discovered how the malware dynamically compiles rootkits and backdoor modules on the target system using gcc (GNU Compiler Collection). This approach allows the malware to adapt to the victim's specific environment, increasing its effectiveness.
QLNX is designed to operate stealthily and maintain a long-term presence. It runs in memory, deletes its original binary from disk, cleans logs, spoofs process names, and clears environment variables that would leave forensic traces. These features make it very difficult to detect and remove.
Multi-level persistence mechanisms
The malware uses seven distinct persistence mechanisms, including LD_PRELOAD, systemd, crontab, init.d scripts, XDG autostart, and .bashrc injection. Between them, these mechanisms ensure that QLNX is loaded into every dynamically linked process (via LD_PRELOAD) and is automatically restarted if terminated.
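The persistence locations listed above are all ordinary files a defender can enumerate, so the natural response is a host audit that walks them. The script below is an added example written for this page, not code from Trend Micro's analysis or from the malware itself. It reports every non-comment entry in /etc/ld.so.preload (a clean host has none) and, for the other five locations, flags launch commands that point at world-writable temp directories or hidden directories; that path heuristic, the sample tree, and the `root` parameter (so the same audit runs against an offline mounted image) are this example's assumptions.

```python
import re
import tempfile
from pathlib import Path

# Heuristics below are this example's assumptions, not indicators from the Trend
# Micro report: commands launched from world-writable temp dirs or hidden dirs
# deserve a look. /etc/ld.so.preload needs none: it is absent or empty when clean.
TEMP_PATH = re.compile(r"/(tmp|dev/shm|var/tmp)/")
SUSPICIOUS = re.compile(TEMP_PATH.pattern + r"|/\.[^./\s][^/\s]*/")
LD_PRELOAD_SET = re.compile(r"\bLD_PRELOAD\s*=")


def _lines(path):
    """Stripped lines of a text file; missing or unreadable files yield nothing."""
    try:
        yield from (ln.strip() for ln in Path(path).read_text(errors="replace").splitlines())
    except OSError:
        return


def _files(*dirs, pattern="*"):
    """Regular files matching pattern across several, possibly absent, directories."""
    for d in dirs:
        try:
            yield from (p for p in d.glob(pattern) if p.is_file())
        except OSError:
            continue


def audit_persistence(root="/"):
    """(mechanism, path, evidence) tuples for the six persistence locations the
    article names. root is "/" on a live host or an offline mounted image."""
    root = Path(root)
    homes = [root / "root"] + [h for h in (root / "home").glob("*") if h.is_dir()]
    findings = []

    def report(mech, path, evidence):
        findings.append((mech, "/" + str(path.relative_to(root)), evidence))

    # 1. LD_PRELOAD via /etc/ld.so.preload: every non-comment entry is reported.
    preload = root / "etc/ld.so.preload"
    for line in _lines(preload):
        if line and not line.startswith("#"):
            report("ld.so.preload", preload, line)

    # 2. systemd system and per-user units that start from a temp or hidden path.
    for unit in _files(root / "etc/systemd/system", root / "usr/lib/systemd/system",
                       *(h / ".config/systemd/user" for h in homes), pattern="*.service"):
        for line in _lines(unit):
            if line.startswith("ExecStart=") and SUSPICIOUS.search(line):
                report("systemd", unit, line)

    # 3. cron: system crontab, cron.d drop-ins and per-user spool files.
    spools = _files(root / "etc/cron.d", root / "var/spool/cron/crontabs", root / "var/spool/cron")
    for cf in [root / "etc/crontab", *spools]:
        for line in _lines(cf):
            if line and not line.startswith("#") and (line.startswith("@reboot")
                                                       or SUSPICIOUS.search(line)):
                report("crontab", cf, line)

    # 4. init.d scripts that execute something from a temp or hidden path.
    for script in _files(root / "etc/init.d"):
        if any(SUSPICIOUS.search(ln) for ln in _lines(script) if not ln.startswith("#")):
            report("init.d", script, "runs a temp or hidden path")

    # 5. XDG autostart entries, system-wide and per user.
    for desktop in _files(root / "etc/xdg/autostart",
                          *(h / ".config/autostart" for h in homes), pattern="*.desktop"):
        for line in _lines(desktop):
            if line.startswith("Exec=") and SUSPICIOUS.search(line):
                report("xdg-autostart", desktop, line)

    # 6. .bashrc injection: an LD_PRELOAD assignment or a temp-path command in a login
    #    script runs in every interactive shell. Hidden dirs are not flagged here
    #    because stock profiles legitimately reference ~/.local/bin.
    for rc in (h / f for h in homes for f in (".bashrc", ".profile", ".bash_profile")):
        for line in _lines(rc):
            if not line.startswith("#") and (LD_PRELOAD_SET.search(line)
                                              or TEMP_PATH.search(line)):
                report("shell-rc", rc, line)
    return findings


def build_sample_tree(base):
    """Constructed sample filesystem (not a real infection) exercising the checks."""
    files = {
        "etc/ld.so.preload": "/usr/lib/.cache/libsys.so\n",
        "etc/systemd/system/sys-update.service": "[Service]\nExecStart=/dev/shm/.x/updater\n",
        "etc/cron.d/logrotate": "0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n",
        "var/spool/cron/crontabs/dev": "@reboot /home/dev/.cache/.run.sh\n",
        "etc/init.d/ssh": "#!/bin/sh\n/usr/sbin/sshd\n",
        "etc/xdg/autostart/tracker.desktop": "[Desktop Entry]\nExec=/var/tmp/.t/tracker\n",
        "home/dev/.bashrc": "alias ll='ls -l'\nexport LD_PRELOAD=/home/dev/.cache/libx.so\n",
        "home/dev/.profile": 'if [ -d "$HOME/.local/bin" ]; then PATH="$HOME/.local/bin:$PATH"; fi\n',
    }
    for rel, content in files.items():
        p = Path(base) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
    return Path(base)


def demo():
    """Audit the constructed sample tree; use audit_persistence('/') on a live host."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_persistence(build_sample_tree(tmp))
```

Against the constructed tree the audit reports five findings, one per planted mechanism, and stays silent on the benign cron.d entry, the stock init.d script and the `~/.local/bin` reference in `.profile`. Run it as root on a live host, since the cron spool and other users' home directories are not world-readable; a host where the user-level rootkit is already resident may hide its own files from this scan, which is why the same audit against an offline image of the disk is the more trustworthy view.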
Key components of the malware
QLNX consists of several functional modules that work together to create a complete attack kit:
- Core RAT: Provides interactive shell access, file and process management, system control, and network operations, maintaining persistent communication with the command and control (C2) server via custom TCP/TLS or HTTP/S channels.
- Rootkit: A combination of a user-level LD_PRELOAD rootkit and a kernel-level eBPF component. The user-level component hooks libc functions to hide files, processes, and malware artifacts, while the eBPF component hides PIDs, file paths, and network ports at the kernel level.
- Credential Access: Collects SSH keys, browser data, cloud and developer tool configurations, the /etc/shadow file, and clipboard contents, and intercepts and logs plaintext authentication data through a PAM backdoor.
- Surveillance Module: Includes keylogging, screenshot capture, and clipboard monitoring.
- Networking and Lateral Movement: Supports TCP tunneling, SOCKS proxy, port scanning, SSH-based lateral movement, and peer-to-peer mesh networking.
- Execution and Injection Engine: Allows process injection and in-memory execution of payloads (shared objects, BOF/COFF).
- Filesystem Monitoring: Tracks file activity in real time via inotify.
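Both rootkit layers described above hide processes by filtering what a directory listing of /proc returns. A standard defensive counter is a cross-view check: compare the PIDs that the listing shows with the PIDs that answer to a direct `stat()` of /proc/<n>, since a hook on the listing path does not see a lookup by name. The code below is an added example for this page, not Trend Micro's tooling or anything from the malware; the constructed stand-in for /proc and the `max_pid` parameter are its assumptions.

```python
import os
import tempfile
from pathlib import Path


def _listing(proc):
    """PIDs as the directory listing of /proc presents them (the view a
    readdir/getdents hook can filter)."""
    return {int(e.name) for e in Path(proc).iterdir() if e.name.isdigit()}


def cross_view_pids(proc="/proc", max_pid=None):
    """Return (listed, probed): the listing view and a second view built by
    probing /proc/<n> by name for every n up to pid_max. max_pid defaults to
    the kernel's pid_max so the probe reaches every possible PID."""
    proc = str(proc)
    if max_pid is None:
        max_pid = int(Path(proc, "sys/kernel/pid_max").read_text())
    listed = _listing(proc)
    probed = {pid for pid in range(1, max_pid + 1) if os.path.exists(f"{proc}/{pid}")}
    return listed, probed


def hidden_pids(proc="/proc", max_pid=None):
    """PIDs that answer to stat() but do not appear in the listing. A process
    that started between the two views also looks like this, so candidates are
    confirmed against a fresh listing and a fresh probe before being reported."""
    listed, probed = cross_view_pids(proc, max_pid)
    candidates = probed - listed
    if not candidates:
        return []
    relisted = _listing(proc)
    return sorted(p for p in candidates
                  if p not in relisted and os.path.exists(f"{proc}/{p}"))


def build_sample_proc(base, pids=(1, 42, 999)):
    """Constructed stand-in for /proc (not the real one): numeric PID directories,
    the non-PID entries a real /proc also carries, and a small pid_max so the
    probe loop stays short."""
    base = Path(base)
    for name in [str(p) for p in pids] + ["self", "sys/kernel"]:
        (base / name).mkdir(parents=True, exist_ok=True)
    (base / "cpuinfo").write_text("")
    (base / "sys/kernel/pid_max").write_text("1024\n")
    return base


def demo():
    """Run both views over the constructed tree. With nothing hiding, the views
    agree and hidden_pids() is empty; the short probe shows why max_pid must
    reach pid_max, since PID 999 is missed when the probe stops at 100."""
    with tempfile.TemporaryDirectory() as tmp:
        proc = build_sample_proc(tmp)
        listed, probed = cross_view_pids(proc)
        short_probe = cross_view_pids(proc, max_pid=100)[1]
        return sorted(listed), sorted(probed), hidden_pids(proc), sorted(short_probe)
```

On a real host `hidden_pids()` probes every PID up to pid_max (over four million on current kernels), which takes several seconds; any PID it returns should be compared with `ps` output and examined by hand. The check is a tripwire, not proof of a clean host: a user-level rootkit that also hooks `stat()` and `open()`, or an eBPF component that filters path lookups as well as `getdents64`, would keep the two views consistent, which is why cross-view results are worth confirming from outside the running system, for instance from a rescue boot of the same disk.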
Implications for supply chain security
By targeting developer workstations, attackers can bypass corporate security controls and access credentials that underpin software distribution pipelines. This approach is similar to recent supply chain incidents where stolen developer credentials were used to publish compromised packages on public repositories.
Detection and protection
As of publication, only four security solutions detect QLNX as malware. Trend Micro has provided indicators of compromise (IoCs) to help identify and mitigate the threat.
The challenges of detection in cloud environments
Another critical aspect is detecting QLNX in cloud environments, where developers often work. Cloud infrastructures offer scalability and flexibility but can also complicate the monitoring of suspicious activity. Traditional security solutions may not be sufficient to detect anomalous behavior in virtualized or containerized environments. This calls for cloud-specific security tools capable of analyzing network traffic and process activity in real time.
The importance of training and awareness
In addition to technical solutions, it is crucial to invest in developer training and awareness. Many attacks begin with social engineering or phishing, which exploit a lack of security awareness. Developers should be trained to recognize signs of compromise, such as unusual system behavior or suspicious activities in their development environments. Creating a security culture within organizations is a crucial step in mitigating threats like QLNX.
Potential variants and malware evolution
Given the modular nature of QLNX, it is likely that variants of the malware will emerge with additional features or adaptations to specific development environments. Attackers may integrate new evasion techniques to bypass detection mechanisms or add more advanced lateral movement capabilities. This requires a proactive approach from the security community, with continuous threat analysis and defense updates.
The adoption of advanced security frameworks
To address threats like QLNX, organizations should consider adopting advanced security frameworks, such as the Secure Development Lifecycle (SDL) or DevSecOps. These frameworks promote the integration of security at every stage of the development cycle, from ideation to deployment. Implementing automated security controls, such as vulnerability scanners and static code analysis, can help identify and fix vulnerabilities before they can be exploited.
The need for a coordinated response
The complexity and sophistication of QLNX require a coordinated response among security teams, developers, and technology solution providers. Information sharing among organizations is essential to identify new attack vectors and develop effective defense strategies. Collaboration platforms, such as threat intelligence communities, can facilitate the exchange of indicators of compromise and best practices.
Editorial Note and Disclaimer
The guides and content published on GoYou are the result of independent research and analysis activities, for informational, educational, and in-depth purposes.