Stealthy Quasar: The Malware Threat Targeting Software Developers
A newly discovered Linux implant, Quasar Linux (QLNX), targets developers' systems with a combination of rootkit, backdoor, and credential-stealing capabilities.
The toolkit is being distributed into development and DevOps environments through platforms such as npm, PyPI, GitHub, AWS, Docker, and Kubernetes. That distribution path is what makes it dangerous: an attacker who obtains a developer's publishing credentials can push malicious packages to those same code distribution platforms, turning a single compromised workstation into a supply-chain attack.
Trend Micro researchers who analyzed the QLNX implant found that it compiles its rootkit shared objects and PAM backdoor modules on the targeted host at runtime, using the locally installed GNU Compiler Collection (gcc). This dependency on a compiler is one reason developer machines, which routinely carry a full toolchain, are a natural target; it also means a gcc invocation from a non-interactive process is a useful detection hook.
Trend Micro's report describes QLNX as built for stealth and long-term persistence: it runs in memory and deletes its original binary from disk, clears logs, renames its processes, and unsets environment variables that would leave forensic traces.
The malware uses seven persistence mechanisms, including LD_PRELOAD, systemd units, crontab entries, init.d scripts, XDG autostart, and '.bashrc' injection. The LD_PRELOAD entry loads the implant into every dynamically linked process, and the remaining mechanisms restart it if it is terminated.
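The checks below are an added example written for this page, not Trend Micro's tooling or any artifact from its report. They cover the two preceding paragraphs: the persistence locations listed above, PAM configuration lines that load a module by an absolute path outside the library directories (a pattern consistent with a PAM backdoor compiled on the host), and processes whose executable has been unlinked from disk, which is how a self-deleting or memfd-backed in-memory implant appears in /proc. The staging-directory patterns (/tmp, /dev/shm, /var/tmp, hidden directories under a home), the finding labels, and the `root` and `proc` parameters are assumptions chosen for illustration; the parameters let the scan run against a mounted image or a constructed test tree instead of the live host.

```python
"""Triage checks for the QLNX tradecraft described above. Added example, not
Trend Micro's tooling; `root` and `proc` are assumed parameters so the scan can
run against a mounted image or a constructed test tree."""
import glob
import os
import re

LDSO_PRELOAD = "etc/ld.so.preload"
# System-wide persistence locations named in the report (glob patterns under root)
SYSTEM_GLOBS = [
    "etc/systemd/system/*", "etc/crontab", "etc/cron.d/*",
    "var/spool/cron/crontabs/*", "etc/init.d/*", "etc/xdg/autostart/*",
]
USER_GLOBS = [".config/systemd/user/*", ".config/autostart/*"]
USER_RC = [".bashrc", ".bash_profile", ".profile"]
PAM_GLOB = "etc/pam.d/*"
# Assumed staging directories for a locally compiled shared object or dropper
SUSPECT_PATH = re.compile(r"(/tmp/|/var/tmp/|/dev/shm/|/home/[^/]+/\.[^/]+/)\S*\.so")
SUSPECT_SHELL = re.compile(r"LD_PRELOAD=|/dev/shm/|nohup |setsid ")
PAM_TOKEN = re.compile(r"\S+\.so\b")


def _read(path):
    try:
        with open(path, errors="replace") as fh:
            return fh.read()
    except OSError:
        return ""  # missing, unreadable, or a directory


def _homes(root):
    homes = [os.path.join(root, "root")] + glob.glob(os.path.join(root, "home", "*"))
    return [h for h in homes if os.path.isdir(h)]


def _suspicious(text):
    return bool(SUSPECT_PATH.search(text) or SUSPECT_SHELL.search(text))


def scan_persistence(root="/"):
    """Return (kind, relative_path, evidence) tuples an analyst should review."""
    findings = []
    # ld.so.preload is empty or absent on a healthy host; any entry is injected into every dynamic process
    for line in _read(os.path.join(root, LDSO_PRELOAD)).splitlines():
        if line.strip():
            findings.append(("ld.so.preload", LDSO_PRELOAD, line.strip()))
    # PAM modules are normally referenced by bare name; an absolute path outside the lib dirs is unusual
    for path in glob.glob(os.path.join(root, PAM_GLOB)):
        for line in _read(path).splitlines():
            for tok in PAM_TOKEN.findall(line):
                if tok.startswith("/") and not tok.startswith(("/lib", "/usr/lib")):
                    findings.append(("pam-module", os.path.relpath(path, root), line.strip()))
    for pattern in SYSTEM_GLOBS:
        for path in glob.glob(os.path.join(root, pattern)):
            body = _read(path)
            if _suspicious(body):
                findings.append(("system-persistence", os.path.relpath(path, root), body.strip()[:120]))
    for home in _homes(root):
        for pattern in USER_GLOBS:
            for path in glob.glob(os.path.join(home, pattern)):
                body = _read(path)
                if _suspicious(body):
                    findings.append(("user-autostart", os.path.relpath(path, root), body.strip()[:120]))
        for rc in USER_RC:
            path = os.path.join(home, rc)
            for line in _read(path).splitlines():
                if _suspicious(line):
                    findings.append(("rc-injection", os.path.relpath(path, root), line.strip()))
    return findings


def deleted_exe_processes(proc="/proc"):
    """PIDs whose executable no longer exists on disk. A self-deleting implant and a
    memfd-backed payload both show as '... (deleted)' in /proc/<pid>/exe."""
    hits = []
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            target = os.readlink(os.path.join(proc, entry, "exe"))
        except OSError:
            continue  # kernel thread, or a PID this user lacks permission to inspect
        if target.endswith(" (deleted)"):
            hits.append((int(entry), target))
    return sorted(hits)


if __name__ == "__main__":
    for finding in scan_persistence("/"):
        print(*finding, sep="\t")
    for pid, exe in deleted_exe_processes():
        print(f"pid {pid} is running a deleted binary: {exe}")
```

Run it as root on a live host so that every process's exe link is readable; unreadable entries are skipped silently, so an unprivileged run under-reports. A hit is a review queue, not a verdict: legitimate tooling does occasionally set LD_PRELOAD in an rc file or run from /tmp, and a package-upgraded daemon also shows a deleted exe until restarted, so correlate findings with package ownership and the published IoCs before acting.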
QLNX's core components are a RAT core, a rootkit, a credential-access layer, a surveillance module, networking and lateral-movement capabilities, an execution and injection engine, and filesystem monitoring.
After initial access, QLNX establishes a fileless foothold, deploys its persistence and stealth mechanisms, and harvests developer and cloud credentials. Developer workstations are typically less instrumented than production systems, so targeting them lets attackers evade enterprise security controls while still reaching the credentials that drive software delivery pipelines.
The approach mirrors recent supply-chain incidents in which stolen developer credentials were used to publish trojanized packages to public repositories.
Trend Micro has not described specific intrusions or attributed QLNX to a particular group, but it has published indicators of compromise (IoCs) so defenders can detect and block QLNX infections.
At the time of writing, only four security products flagged the Quasar Linux binary as malicious. Trend Micro advises organizations to stay vigilant and to use the published IoCs, keeping in mind that a file-hash IoC has limited reach against an implant that deletes its binary and compiles its modules on the host, so the behavioural indicators (persistence entries, log clearing, process renaming) matter at least as much.