Quasar Linux RAT Steals Developer Credentials for Software Supply Chain Compromise

Published: May 8, 2026, 07:00 AM EDT
3 min read

Source: The Hacker News

A previously undocumented Linux implant codenamed Quasar Linux RAT (QLNX) is targeting developers’ systems to establish a silent foothold and facilitate a broad range of post‑compromise functionality, such as credential harvesting, keylogging, file manipulation, clipboard monitoring, and network tunneling.

“QLNX targets developers and DevOps credentials across the software supply chain,” Trend Micro researchers Aliakbar Zahravi and Ahmed Mohamed Ibrahim said in a technical analysis of the malware.

Credential Harvesting

QLNX extracts secrets from high‑value files, including:

  • .npmrc (npm tokens)
  • .pypirc (PyPI credentials)
  • .git-credentials
  • .aws/credentials
  • .kube/config
  • .docker/config.json
  • .vault-token
  • Terraform credentials
  • GitHub CLI tokens
  • .env files

Compromise of these assets could allow the operator to:

  • Push malicious packages to NPM or PyPI registries
  • Access cloud infrastructure
  • Pivot through CI/CD pipelines
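The file list above is also a checklist for the defender: each of those paths is a credential that lives on disk in plaintext or under a loose mode. The following audit script is an added example, not Trend Micro's tooling or code from the article. It walks the files the article names (plus the standard on-disk locations assumed for Terraform and GitHub CLI tokens, `~/.terraform.d/credentials.tfrc.json` and `~/.config/gh/hosts.yml`), flags any that other local users can read, and flags the ones that hold an inline secret where a credential helper or short-lived token would do. The sample home directory it builds is constructed and contains no real secrets.

```python
"""Audit a home directory for the developer credential files QLNX harvests.

Added example (not from the article or Trend Micro). The file list comes from
the article; the plaintext heuristics, extra paths and sample data are
constructed here.
"""
import json
import os
import re
import stat
import tempfile

# Files named in the article as collection targets, relative to $HOME, plus the
# assumed default locations of the Terraform and GitHub CLI token stores.
TARGET_FILES = [
    ".npmrc", ".pypirc", ".git-credentials", ".aws/credentials",
    ".kube/config", ".docker/config.json", ".vault-token", ".env",
    ".terraform.d/credentials.tfrc.json", ".config/gh/hosts.yml",
]

# Inline-secret patterns for files that support a safer alternative.
NPM_TOKEN = re.compile(r"^\s*(//.*)?_authToken\s*=\s*\S", re.M)
PYPI_PASSWORD = re.compile(r"^\s*password\s*=\s*\S", re.M)
AWS_KEY = re.compile(r"^\s*aws_secret_access_key\s*=\s*\S", re.M)


def _plaintext_issue(rel, text):
    """Return a description if the file holds an inline secret, else None."""
    if rel == ".docker/config.json":
        try:
            cfg = json.loads(text)
        except ValueError:
            return "unparseable JSON"
        inline = [h for h, v in cfg.get("auths", {}).items() if v.get("auth")]
        if inline and not cfg.get("credsStore"):
            return "inline base64 registry auth for %s (no credsStore)" % ", ".join(inline)
        return None
    if rel == ".npmrc" and NPM_TOKEN.search(text):
        return "npm _authToken stored inline"
    if rel == ".pypirc" and PYPI_PASSWORD.search(text):
        return "PyPI password/token stored inline"
    if rel == ".aws/credentials" and AWS_KEY.search(text):
        return "long-lived AWS secret key stored inline"
    if rel in (".git-credentials", ".vault-token") and text.strip():
        return "secret stored in plaintext by design"
    return None


def audit_home(home):
    """Return sorted (relative_path, issue) tuples for every target file found."""
    findings = []
    for rel in TARGET_FILES:
        path = os.path.join(home, rel)
        if not os.path.isfile(path):
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append((rel, "readable by group/other (mode %04o)" % mode))
        with open(path, encoding="utf-8", errors="replace") as fh:
            issue = _plaintext_issue(rel, fh.read())
        if issue:
            findings.append((rel, issue))
    return sorted(findings)


def build_sample_home():
    """Create a throwaway home dir with constructed sample files (no real secrets)."""
    home = tempfile.mkdtemp(prefix="qlnx-audit-")
    os.makedirs(os.path.join(home, ".docker"))
    samples = {
        ".npmrc": "//registry.npmjs.org/:_authToken=npm_EXAMPLE_TOKEN\n",
        ".docker/config.json": json.dumps(
            {"auths": {"registry.example.test": {"auth": "dXNlcjpwYXNz"}}}),
        ".git-credentials": "https://user:EXAMPLE@git.example.test\n",
        ".env": "DATABASE_URL=postgres://app:EXAMPLE@db/app\n",
    }
    for rel, body in samples.items():
        with open(os.path.join(home, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    os.chmod(os.path.join(home, ".env"), 0o644)  # deliberately too open
    for rel in (".npmrc", ".git-credentials", ".docker/config.json"):
        os.chmod(os.path.join(home, rel), 0o600)
    return home


if __name__ == "__main__":
    # Run against the constructed sample; pass os.path.expanduser("~") for a real audit.
    for rel, issue in audit_home(build_sample_home()):
        print("%-22s %s" % (rel, issue))
```

Running it against a real home directory shows which of these stores would hand an implant a usable token outright; the practical fix is a credential helper (`credsStore` for Docker, the keyring-backed helpers for git and pip), short-lived tokens for npm and the cloud CLIs, and mode 0600 on anything that must stay on disk.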


Persistence Mechanisms

QLNX executes filelessly from memory, masquerading as a kernel thread (e.g., kworker or ksoftirqd). It profiles the host to detect containerized environments, wipes system logs, and establishes persistence using seven different methods, including:

  • systemd unit files
  • crontab entries
  • .bashrc shell injection
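Each of the three persistence locations named above is a text file a defender can diff against a baseline. The scanner below is an added example, not Trend Micro's detection logic: it parses systemd `Exec*` directives, crontab entries and `.bashrc` lines and flags the traits the article attributes to the implant, namely launching from memory-backed or temporary paths, decode-and-execute pipelines, and kernel-thread-style names (`kworker`, `ksoftirqd`) that no legitimate configuration file should start. The indicator patterns and the sample inputs are constructed for illustration.

```python
"""Scan systemd units, crontabs and shell rc files for fileless-style persistence.

Added example, not from the article or Trend Micro. Indicator patterns and
sample inputs are constructed; tune the patterns to your own baseline.
"""
import re

# Paths a legitimate unit or cron job rarely executes from.
SUSPICIOUS_PATH = re.compile(r"(^|[\s=\"'])/(dev/shm|tmp|var/tmp|run/user/\d+)/\S+")
# Decode-then-execute or download-then-execute pipelines.
DECODE_EXEC = re.compile(r"(base64\s+(-d|--decode)|xxd\s+-r|curl\s|wget\s).*\|\s*(ba)?sh\b")
# Names that mimic kernel threads; real kernel threads are never started from config.
KTHREAD_NAME = re.compile(r"\b(kworker|ksoftirqd|kthreadd|migration)[/\w:]*\b")
# Backgrounding or eval in an rc file, reported only alongside another indicator.
BACKGROUND = re.compile(r"(&\s*$|\bnohup\s|\bsetsid\s|\beval\s)")


def _judge(command):
    """Return the indicator names a single command line matches."""
    hits = []
    if SUSPICIOUS_PATH.search(command):
        hits.append("temp-or-memory-path")
    if DECODE_EXEC.search(command):
        hits.append("decode-or-download-exec")
    if KTHREAD_NAME.search(command):
        hits.append("kernel-thread-name")
    return hits


def scan_systemd_unit(text):
    """Inspect Exec* directives of a unit file; returns [(directive, indicators)]."""
    out = []
    for m in re.finditer(r"^(Exec\w*)\s*=\s*(.+)$", text, re.M):
        hits = _judge(m.group(2))
        if hits:
            out.append((m.group(1), hits))
    return out


def scan_crontab(text):
    """Inspect the command field of each crontab entry; returns [(command, indicators)]."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank, comment, or VAR=value assignment
        # @reboot-style entries have one schedule field, normal entries have five.
        fields = line.split(None, 1) if line.startswith("@") else line.split(None, 5)
        cmd = fields[-1] if len(fields) > 1 else ""
        hits = _judge(cmd)
        if hits:
            out.append((cmd, hits))
    return out


def scan_bashrc(text):
    """Inspect rc-file lines; returns [(line, indicators)] for suspicious ones."""
    out = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        hits = _judge(stripped)
        if hits and BACKGROUND.search(stripped):
            hits.append("background-or-eval")
        if hits:
            out.append((stripped, hits))
    return out


# Constructed samples: one benign entry and one suspicious entry per source.
SAMPLE_UNIT = """[Unit]
Description=System Update Helper

[Service]
ExecStart=/dev/shm/.cache/kworker/0:1
Restart=always
"""
SAMPLE_CRON = """# m h dom mon dow command
SHELL=/bin/bash
0 3 * * * /usr/bin/certbot renew --quiet
@reboot echo aW5pdA== | base64 -d | sh
"""
SAMPLE_BASHRC = """alias ll='ls -alF'
eval "$(ssh-agent -s)" > /dev/null
[ -x /tmp/.X11-unix/.ksoftirqd ] && nohup /tmp/.X11-unix/.ksoftirqd >/dev/null 2>&1 &
"""

if __name__ == "__main__":
    print("systemd:", scan_systemd_unit(SAMPLE_UNIT))
    print("cron:   ", scan_crontab(SAMPLE_CRON))
    print("bashrc: ", scan_bashrc(SAMPLE_BASHRC))
```

In practice the functions would be fed the contents of `/etc/systemd/system/*.service`, `~/.config/systemd/user/*.service`, `/var/spool/cron/crontabs/*`, `/etc/cron.d/*` and each user's rc files, and the results compared with the previous run so that only new entries surface. The `eval "$(ssh-agent -s)"` line in the sample shows why backgrounding or `eval` on its own is not reported: it is common in legitimate rc files and only becomes interesting next to another indicator.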

Command and Control

The implant maintains a persistent loop that continuously attempts to communicate with its C2 server over raw TCP, HTTPS, and HTTP. It supports 58 distinct commands, enabling operators to:

  • Execute arbitrary shell commands
  • Manage files and inject code into processes
  • Capture screenshots and log keystrokes
  • Establish SOCKS proxies and TCP tunnels
  • Run Beacon Object Files (BOFs)
  • Manage a peer‑to‑peer (P2P) mesh network

Pluggable Authentication Module (PAM) Backdoors

QLNX includes two PAM‑based components:

  1. An inline‑hook backdoor that intercepts plaintext credentials during authentication events, logs outbound SSH session data, and transmits it to the C2 server.
  2. A second credential logger that is automatically loaded into every dynamically linked process and extracts the service name, username, and authentication token.


Rootkit Architecture

QLNX employs a two‑tiered rootkit:

  • Userland rootkit deployed via the Linux dynamic linker’s LD_PRELOAD mechanism to hide the implant’s artifacts and processes.
  • Kernel‑level eBPF component that uses the BPF subsystem to conceal processes, files, and network ports from standard tools (ps, ls, netstat) upon receiving instructions from the C2 server.
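Both the PAM backdoors in the previous section and the userland rootkit above depend on configuration files that are small, rarely changed, and easy to baseline: the `/etc/pam.d/*` stacks, which decide which shared objects see plaintext passwords, and `/etc/ld.so.preload`, which names libraries the dynamic linker injects into every dynamically linked process. The audit below is an added example, not Trend Micro's tooling. It parses a PAM stack and reports modules loaded from outside the standard module directories, modules absent from an allowlist, and rules that expose the password to an external command (`pam_exec.so` with its `expose_authtok` option); it then treats any entry in `ld.so.preload` as a finding unless it is explicitly approved. The allowlist, module directories and sample inputs are constructed and would need adjusting to the distribution's real baseline.

```python
"""Audit PAM stacks and the dynamic-linker preload list for unexpected modules.

Added example, not from the article or Trend Micro. The baseline allowlist,
module directories and sample configurations are constructed here.
"""
import os
import re

# Common PAM module directories on glibc-based distributions (assumed set).
PAM_MODULE_DIRS = ("/lib/security/", "/lib64/security/", "/usr/lib/security/",
                   "/usr/lib64/security/", "/lib/x86_64-linux-gnu/security/")

# Modules expected in a baseline sshd/login stack (constructed allowlist).
PAM_BASELINE = {
    "pam_unix.so", "pam_env.so", "pam_permit.so", "pam_deny.so", "pam_nologin.so",
    "pam_limits.so", "pam_motd.so", "pam_mail.so", "pam_systemd.so",
    "pam_keyinit.so", "pam_loginuid.so", "pam_selinux.so",
}

# type  control  module  [args]; control may be a bracketed list with spaces.
RULE = re.compile(
    r"^-?(?P<type>auth|account|password|session)\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)(?:\s+(?P<args>.*))?$"
)


def audit_pam_stack(text, baseline=PAM_BASELINE):
    """Return (issue, detail) tuples for one pam.d file's contents."""
    findings = []
    for raw in text.replace("\\\n", " ").splitlines():  # join continuations
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue
        m = RULE.match(line)
        if not m:
            findings.append(("unparsed rule", line))
            continue
        module, args = m.group("module"), m.group("args") or ""
        name = os.path.basename(module)
        if "/" in module and not module.startswith(PAM_MODULE_DIRS):
            findings.append(("module outside PAM directory", module))
        elif name not in baseline:
            findings.append(("module not in baseline", name))
        if "expose_authtok" in args.split():
            findings.append(("plaintext password exposed to external command",
                             (name + " " + args).strip()))
    return findings


def audit_ld_preload(text, allowlist=()):
    """Every non-comment entry is injected into all dynamically linked processes;
    anything not explicitly approved is a finding."""
    findings = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry and entry not in allowlist:
            findings.append(("unexpected preload", entry))
    return findings


# Constructed samples: a mostly normal sshd stack with two planted problems,
# and a preload list with one unapproved library.
SAMPLE_SSHD_PAM = """# PAM configuration for sshd (constructed sample)
auth       required     pam_env.so
auth       [success=1 default=ignore]  pam_unix.so nullok
auth       required     pam_deny.so
auth       optional     /var/tmp/.cache/pam_helper.so
account    required     pam_nologin.so
session    required     pam_limits.so
session    optional     pam_exec.so expose_authtok /usr/local/bin/sync_users
"""
SAMPLE_LD_PRELOAD = "# constructed sample\n/usr/local/lib/libhidden.so\n"


def _read_or_sample(path, sample):
    """Use the real file when running on a Linux host, else the constructed sample."""
    if os.path.isfile(path):
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read()
    return sample


if __name__ == "__main__":
    for issue, detail in audit_pam_stack(_read_or_sample("/etc/pam.d/sshd", SAMPLE_SSHD_PAM)):
        print("pam.d/sshd:", issue, "->", detail)
    for issue, detail in audit_ld_preload(_read_or_sample("/etc/ld.so.preload", SAMPLE_LD_PRELOAD)):
        print("ld.so.preload:", issue, "->", detail)
```

On a healthy host `/etc/ld.so.preload` is absent or empty, so any entry deserves an explanation, and the PAM audit should be run over every file in `/etc/pam.d/`, not just `sshd`, since a module added to `common-auth` or `system-auth` is pulled into every service via `@include`. Neither check sees the eBPF component described above, which hides from userland tools by design; for that, compare the output of `bpftool prog list` against the set of programs your own agents are known to load.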

Impact

The malware’s ability to systematically harvest a wide range of credentials poses a severe risk to developer environments. A threat actor who successfully deploys QLNX against a package maintainer gains unauthorized access to the publishing pipeline, allowing the attacker to push poisoned versions that can cause cascading downstream impacts across the software supply chain.

“The QLNX implant was built for long‑term stealth and credential theft. What makes it particularly dangerous is not any single feature, but how its capabilities chain together into a coherent attack workflow: arrive, erase from disk, persist through multiple redundant mechanisms, hide at both userspace and kernel level, and then harvest the credentials that matter most.”
— Trend Micro
