
Quasar Linux (QLNX) Malware Targets Software Developers for Supply Chain Attacks

Severity: High (Score: 67.5)

Sources: BleepingComputer, Trend Micro

Summary

Quasar Linux (QLNX) is a newly discovered Linux remote access trojan (RAT) targeting software developers. It features rootkit capabilities, credential harvesting, and stealth mechanisms, making it suitable for supply chain attacks. The malware operates in development environments such as npm, PyPI, GitHub, AWS, Docker, and Kubernetes. Researchers from Trend Micro found that QLNX can dynamically compile malicious modules on infected systems and employs multiple persistence techniques to maintain access. It has a low detection rate, with only four security solutions currently flagging it as malicious. The malware's design allows attackers to inject trojanized packages into legitimate repositories, potentially affecting a wide range of users. Trend Micro has provided indicators of compromise (IoCs) to assist in detection and mitigation efforts. The specific volume of QLNX deployments and any attributed attacks remain unclear.

Key Points:

  • Quasar Linux (QLNX) is a sophisticated Linux RAT designed for stealth and persistence.
  • The malware targets developer environments and can facilitate supply chain attacks by trojanizing packages.
  • Only four security solutions currently detect QLNX, highlighting its low detection rate.

Key Entities

  • Malware (attack_type)
  • Phishing (attack_type)
  • Supply Chain Attack (attack_type)
  • ip-api.com (domain)
  • ld.so (domain)
  • libsecurity.so (domain)
  • Quasar Linux (malware)
  • T1003 - OS Credential Dumping (mitre_attack)
  • T1053 - Scheduled Task/Job (mitre_attack)
  • T1055 - Process Injection (mitre_attack)
  • T1056 - Input Capture (mitre_attack)
  • T1059.004 - Unix Shell (mitre_attack)
  • AWS (company)
  • Docker (tool)
  • Npm (tool)
  • GitHub (platform)
  • Kubernetes (platform)
  • Linux (platform)
  • PyPI (platform)