TTPwire Vol. 1 · MITRE ATT&CK · Tagged


Trend Micro Research

Quasar Linux (QLNX) – A Silent Foothold in the Supply Chain: Inside a Full-Featured Linux RAT With Rootkit, PAM Backdoor, Credential Harvesting Capabilities

Ahmed Mohamed Ibrahim · 2 days ago

ATT&CK techniques detected

25 predictions
T1195.001 Compromise Software Dependencies and Development Tools
98%
“with low detection, which caught our attention and prompted a deeper investigation. What followed was the discovery of Quasar Linux (QLNX), a previously undocumented Linux remote access trojan (RAT) with rootkit capabilities and a notably minimal detection footprint. Threat l…”
T1574.006 Dynamic Linker Hijacking
98%
“during enumeration. LD_PRELOAD shared library persistence: LD_PRELOAD shared library is a sophisticated persistence method in the arsenal. Instead of writing configuration files or scripts, the malware compiles a shared library on the target host, causing the library to be loa…”
T1195.001 Compromise Software Dependencies and Development Tools
98%
“network monitoring. This variability creates potential blind spots that make certain developer endpoints highly attractive targets and, critically, makes it much harder to detect a breach after the fact — allowing attackers to maintain silent access for extended periods. QLNX att…”
T1014 Rootkit
96%
“or name matching the rootkit's hidden list, it returns ENOENT (file not found) or skips the entry, effectively making the target invisible to userland tools: Table 9. libc functions hooked by the QLNX userland LD_PRELOAD rootkit and their effects. The hidden names and path…”
T1195.001 Compromise Software Dependencies and Development Tools
95%
“that matter most. QLNX systematically targets the files that underpin modern software development and cloud infrastructure: .npmrc (npm registry tokens), .pypirc (PyPI upload keys), .git-credentials, .aws/credentials, .kube/config, and .docker/config.json. These are…”
T1543.002 Systemd Service
92%
“keystrokes, establish SOCKS proxies and TCP tunnels, manage a peer-to-peer mesh network, and execute beacon object files (BOFs). QLNX supports multiple persistence mechanisms across both user and system scopes. These include creating systemd services, adding crontab reboot …”
T1014 Rootkit
90%
“fPIC", "-Wl,-soname,libsecurity_utils.so.1", "-o", "/usr/lib/libsecurity_utils.so.1", <source>, "-ldl") to compile the shared object. - Deletes the source file immediately after compilation. - Checks whether /etc/ld.so.preload already contains …”
T1574.006 Dynamic Linker Hijacking
88%
“design approach and LD_PRELOAD delivery mechanism. Both implementations are shipped as embedded C source code rather than precompiled binaries. Compiling locally on the target host produces a shared library that matches the target's architecture, glibc version, and PAM header…”
T1555.003 Credentials from Web Browsers
86%
“and authorized_keys. - The second pulls login databases and cookies from Chrome, Chromium, and Firefox. - The third walks a hardcoded table of developer and cloud config files including AWS credentials and config, Kubernetes kubeconfig, Docker's config.json, Git credentials a…”
T1574.006 Dynamic Linker Hijacking
86%
“comes back empty and the implant waits for the next cycle. When a command does arrive, the malware decodes and parses it, then looks up the command type in a handler table and routes it to the matching function. The handler executes locally, builds a response packet, and sends th…”
T1055.001 Dynamic-link Library Injection
86%
“. Before performing this check, it reads the _MFD_RE environment variable, which serves as a re-execution guard. If the variable is set, it is cleared and the function returns immediately to prevent an infinite execution loop. If neither memory condition is met, the malware …”
T1014 Rootkit
78%
“host's own gcc. Before attempting installation, the handler checks two prerequisites: root privileges (required to write to /etc/ld.so.preload) and the presence of gcc on the system. If either check fails, the command is rejected with a descriptive error message. The ha…”
T1071.001 Web Protocols
72%
“to a corresponding routine, enabling the malware to dynamically route incoming C&C instructions to the appropriate functionality. typedef struct { __int16 command_id; char _pad[6]; void *handler; } command_handler_entry_t; Once the malware completes its footh…”
T1587 Develop Capabilities
71%
“with low detection, which caught our attention and prompted a deeper investigation. What followed was the discovery of Quasar Linux (QLNX), a previously undocumented Linux remote access trojan (RAT) with rootkit capabilities and a notably minimal detection footprint. Threat l…”
T1556.003 Pluggable Authentication Modules
70%
“timestomps itself against the real pam_unix.so to defeat forensic timeline analysis. This module supports three actions: - install: compiles and installs the backdoor, registers it in /etc/ld.so.preload. - uninstall: removes the .so file and strips its entry from /etc/…”
T1195.001 Compromise Software Dependencies and Development Tools
68%
“C&C server. On a typical developer workstation, this single command can: compromise entire cloud environments through stolen AWS and Kubernetes credentials; gain access to private source code repositories via Git and GitHub CLI tokens; hijack package publishing pipelines thr…”
T1574.006 Dynamic Linker Hijacking
50%
“file /tmp/.pcs_XXXXXX, compiles it with gcc, producing /usr/lib/.libpam_cache.so, then installs it via /etc/ld.so.preload, ensuring it is loaded into every dynamically linked process that starts on the system. On each successful authentication, it extracts the s…”
T1071.001 Web Protocols
41%
“the QLNX magic identifier across the three transport modes. Transport 1 — raw TLS (default): this is a fully custom binary protocol running directly over TLS. There is no HTTP layer involved. The implant connects to the C&C, performs a TLS handshake with certificate validation …”
T1574.006 Dynamic Linker Hijacking
38%
“fPIC", "-Wl,-soname,libsecurity_utils.so.1", "-o", "/usr/lib/libsecurity_utils.so.1", <source>, "-ldl") to compile the shared object. - Deletes the source file immediately after compilation. - Checks whether /etc/ld.so.preload already contains …”
T1556.003 Pluggable Authentication Modules
37%
“Quasar Linux (QLNX) – A Silent Foothold in the Supply Chain: Inside a Full-Featured Linux RAT With Rootkit, PAM Backdoor, Credential Harvesting Capabilities. Cyber Threats. Quasar Linux (QLNX) – A Silent Foothold in the Supply Chain: Inside a Full-Featured Linux RAT With …”
T1572 Protocol Tunneling
34%
“mechanism which iterates over a table of registered handlers and executes the routine associated with the received command. In total, QLNX registers 58 distinct commands, covering a broad range of post-compromise functionality, including file system manipulation, network tunnel…”
T1574.006 Dynamic Linker Hijacking
34%
“or name matching the rootkit's hidden list, it returns ENOENT (file not found) or skips the entry, effectively making the target invisible to userland tools: Table 9. libc functions hooked by the QLNX userland LD_PRELOAD rootkit and their effects. The hidden names and path…”
T1071 Application Layer Protocol
31%
“mechanism which iterates over a table of registered handlers and executes the routine associated with the received command. In total, QLNX registers 58 distinct commands, covering a broad range of post-compromise functionality, including file system manipulation, network tunnel…”
T1059 Command and Scripting Interpreter
31%
“1. Overview of QLNX capabilities. Quasar Linux (QLNX) analysis. Table 2. Identifying information on QLNX. Summary: QLNX is a full-featured RAT that targets the Linux platform. The malware executes filelessly from memory, spoofs its process name, profiles the system to detect cont…”
T1095 Non-Application Layer Protocol
30%
“mechanism which iterates over a table of registered handlers and executes the routine associated with the received command. In total, QLNX registers 58 distinct commands, covering a broad range of post-compromise functionality, including file system manipulation, network tunnel…”

Summary

TrendAI™ Research breaks down Quasar Linux (QLNX), a previously undocumented, sophisticated Linux RAT with low detection rates. In this blog, we examine a full-featured Linux threat incorporating a rootkit, a PAM backdoor, credential harvesting, and more, revealing how this malware enables stealthy access, persistence, and potential supply-chain attacks.