New Quasar Linux implant targets developers with rootkit and backdoor capabilities

As reported by Bleeping Computer, a new Linux implant named Quasar Linux (QLNX) has been identified, specifically targeting developers' systems with a sophisticated combination of rootkit, backdoor, and credential-stealing functionalities.

QLNX is designed for stealth and long-term persistence, operating in memory and employing multiple techniques to evade detection, including log wiping, process spoofing, and the use of seven distinct persistence mechanisms. The malware is deployed in development and DevOps environments across platforms such as npm, PyPI, GitHub, AWS, Docker, and Kubernetes, posing a significant supply-chain risk.

Researchers at Trend Micro found that QLNX dynamically compiles its rootkit and backdoor modules on the target host. Its capabilities include a RAT core for remote control, a dual-layer rootkit (userland and kernel-level eBPF), a credential access layer for harvesting sensitive information like SSH keys and cloud configurations, and surveillance modules for keylogging and screenshotting. The implant also facilitates networking, lateral movement, and real-time filesystem monitoring.

By targeting developer workstations, attackers can bypass enterprise security controls and gain access to credentials vital for software delivery pipelines, mirroring recent supply-chain incidents where compromised developer accounts were used to publish malicious packages.

Source: Bleeping Computer
