Back

Quasar Linux (QLNX) Malware Targets Developers in Supply Chain Attacks

Severity: High (Score: 72.5)

Sources: Trendmicro, Bleepingcomputer

Summary

Quasar Linux (QLNX) is a newly discovered Linux remote access trojan (RAT) that targets software developers' systems. This malware features a mix of rootkit, backdoor, and credential-stealing capabilities, making it particularly dangerous in development environments. It is designed to operate stealthily, utilizing techniques such as in-memory execution and log deletion to evade detection. QLNX can compromise developer credentials for platforms like npm, PyPI, GitHub, AWS, Docker, and Kubernetes, potentially enabling supply-chain attacks through trojanized packages. Researchers at Trend Micro have identified that QLNX employs seven distinct persistence mechanisms to maintain its foothold. Currently, it is detected by only four security solutions, indicating a low detection rate. The specific volume of QLNX deployments and any attributed attacks remain unclear. Trend Micro has provided indicators of compromise (IoCs) to assist defenders in identifying and mitigating QLNX infections. Key Points: • Quasar Linux (QLNX) is a sophisticated Linux RAT targeting software developers. • The malware employs stealth techniques and multiple persistence mechanisms to evade detection. • QLNX can facilitate supply-chain attacks by compromising developer credentials on major platforms.

Key Entities

  • Malware (attack_type)
  • Phishing (attack_type)
  • Supply Chain Attack (attack_type)
  • ip-api.com (domain)
  • ld.so (domain)
  • libsecurity.so (domain)
  • Quasar Linux (malware)
  • 70f70743f287a837d17c56933152a8a6 (md5)
  • T1003 - OS Credential Dumping (mitre_attack)
  • T1053 - Scheduled Task/Job (mitre_attack)
  • T1055 - Process Injection (mitre_attack)
  • T1056 - Input Capture (mitre_attack)
  • T1059.004 - Unix Shell (mitre_attack)
  • AWS (company)
  • Docker (tool)
  • Npm (tool)
  • GitHub (platform)
  • Kubernetes (platform)
  • Linux (platform)
  • PyPI (platform)
  • b0f2c668cbdd63a871c90592b6c93e931115872e (sha1)
  • 417430b2d4ae8d005224a9ff5dcb4007d452338acbcbcbb62c4e8ed1a70552dd (sha256)
  • 42D0C420EB5FE181388F2E4F0B7D7C0D302971E7A06FDC1BEC481B68C8CCAE1F (sha256)
  • 82DAA93219BA40A6E41CDF3174BA57EB5D3383D1CD805584E9954EB0200182A1 (sha256)
  • C99CF0DC1EF1057D713CB082ACAF42E4DF4656809C91741752BDDCAB39BBFACA (sha256)
  • d55549d5655e2f202e215676f4bdb0994ea08a93d15ec4ded413f64cfa7facc8 (sha256)
Loading threat details...

Threat Not Found

The threat cluster you're looking for doesn't exist or has been removed.

Return to Feed