Quasar Linux (QLNX) Emerges to Subvert the Global Software Supply Chain
The newly discovered Linux implant Quasar Linux threatens not merely individual workstations but the software supply chain as a whole. The malicious suite targets environments where code is written, compiled, and distributed; consequently, stolen credentials from one developer host can quickly escalate into wide-scale attacks on the users of prominent package repositories and cloud infrastructures.
Researchers at Trend Micro have scrutinized this previously undocumented implant, designated as Quasar Linux or QLNX. The malware integrates the functionalities of a rootkit, a backdoor, and a credential harvester. According to the firm, QLNX is deployed within development and DevOps ecosystems associated with npm, PyPI, GitHub, AWS, Docker, and Kubernetes.
The primary danger of this approach lies in the unauthorized access it grants to the keys, tokens, and configurations that underpin software build and delivery. By compromising a developer's workstation, adversaries can bypass corporate security controls and use the stolen material to publish trojanized packages to public repositories under legitimate identities.
QLNX is engineered for stealth and protracted persistence. The implant operates within volatile memory, expunging its original binary from the disk, sanitizing logs, obfuscating process nomenclature, and erasing forensic artifacts that might assist in an investigation. Trend Micro highlights that the malware dynamically compiles rootkit components and PAM (Pluggable Authentication Module) backdoors directly on the host utilizing the GNU Compiler Collection.
To ensure persistence, QLNX employs seven distinct mechanisms, including LD_PRELOAD, systemd, crontab, init.d, XDG autostart, and .bashrc injection. Together these let the malware load itself into dynamically linked processes and re-establish itself after attempts to terminate it.
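The two traits described above, a fileless process whose binary has been unlinked from disk and persistence planted via LD_PRELOAD, cron, init.d, systemd, XDG autostart or .bashrc, are also the traits a defender can audit for. The script below is an added example written for this article; it is not Trend Micro's tooling and it uses no indicators from their report. It reads `/proc/PID/exe` for the kernel's `(deleted)` marker, scans `/etc/ld.so.preload` and each process's `LD_PRELOAD` environment, and greps the persistence locations for launch lines matching a constructed set of heuristics (`/dev/shm`, hidden `/tmp` paths, `base64 -d`, `curl ... | sh`). Every path is parameterised on a root directory, so `build_sample_tree()` can construct a fake root and fake `/proc` to run the audit offline.

```python
"""Audit a Linux host for fileless processes and the persistence locations named
in the Quasar Linux report. Added example; not Trend Micro's code."""
import os
import re
import tempfile
from pathlib import Path

# Constructed heuristics for injected launch lines; not indicators from the report.
SUSPICIOUS_LAUNCH = re.compile(
    r"/dev/shm/|/tmp/\.|base64\s+(-d|--decode)|curl[^|\n]*\|\s*(ba)?sh"
)

# Persistence file locations from the report, relative to the audited root.
PERSISTENCE_GLOBS = [
    "etc/crontab", "etc/cron.d/*", "var/spool/cron/crontabs/*",
    "etc/init.d/*",
    "etc/systemd/system/*.service", "home/*/.config/systemd/user/*.service",
    "etc/xdg/autostart/*.desktop", "home/*/.config/autostart/*.desktop",
    "home/*/.bashrc", "root/.bashrc",
]


def fileless_processes(proc_root):
    """Processes whose binary was unlinked after exec: the kernel then renders
    /proc/PID/exe as '<path> (deleted)'. The report says QLNX deletes its
    original binary and runs from memory."""
    hits = []
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():
            continue
        try:
            target = os.readlink(entry / "exe")
        except OSError:
            continue  # kernel thread, or a pid we lack permission to inspect
        if target.endswith(" (deleted)"):
            comm_file = entry / "comm"
            comm = comm_file.read_text().strip() if comm_file.exists() else "?"
            hits.append({"pid": int(entry.name), "comm": comm, "exe": target})
    return hits


def ld_preload_findings(root, proc_root):
    """System-wide /etc/ld.so.preload entries plus LD_PRELOAD set in any live
    process environment (/proc/PID/environ is NUL-separated)."""
    findings = []
    preload = Path(root) / "etc/ld.so.preload"
    if preload.exists():
        for line in preload.read_text().splitlines():
            if line.strip() and not line.startswith("#"):
                findings.append({"source": "/etc/ld.so.preload", "value": line.strip()})
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():
            continue
        try:
            env = (entry / "environ").read_bytes().split(b"\0")
        except OSError:
            continue
        for item in env:
            if item.startswith(b"LD_PRELOAD="):
                findings.append({"source": f"pid {entry.name}",
                                 "value": item.decode(errors="replace")})
    return findings


def persistence_findings(root):
    """Lines in the persistence files that match the launch heuristics."""
    findings = []
    for pattern in PERSISTENCE_GLOBS:
        for path in Path(root).glob(pattern):
            if not path.is_file():
                continue
            for lineno, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
                if SUSPICIOUS_LAUNCH.search(line):
                    findings.append({"file": str(path.relative_to(root)),
                                     "line": lineno, "text": line.strip()})
    return findings


def audit(root="/", proc_root="/proc"):
    """Run all three checks; returns a dict of finding lists."""
    return {
        "fileless": fileless_processes(proc_root),
        "ld_preload": ld_preload_findings(root, proc_root),
        "persistence": persistence_findings(root),
    }


def build_sample_tree():
    """Constructed fixture: a fake root and fake /proc so the audit runs offline.
    Returns (root, proc_root) as strings."""
    base = Path(tempfile.mkdtemp(prefix="qlnx_audit_"))
    root, proc = base / "root", base / "proc"
    (root / "etc/cron.d").mkdir(parents=True)
    (root / "etc/cron.d/update").write_text("*/5 * * * * root /dev/shm/.x/run >/dev/null 2>&1\n")
    (root / "home/dev").mkdir(parents=True)
    (root / "home/dev/.bashrc").write_text("alias ll='ls -l'\necho aGVsbG8= | base64 -d | sh\n")
    (root / "etc/ld.so.preload").write_text("/usr/lib/libhook.so\n")
    (proc / "4242").mkdir(parents=True)          # fileless process masquerading as a kernel thread
    os.symlink("/tmp/.cache/kworkerd (deleted)", proc / "4242/exe")
    (proc / "4242/comm").write_text("[kworker/0:1]\n")
    (proc / "4242/environ").write_bytes(b"PATH=/usr/bin\0LD_PRELOAD=/usr/lib/libhook.so\0")
    (proc / "1").mkdir()                          # benign control process
    os.symlink("/usr/lib/systemd/systemd", proc / "1/exe")
    (proc / "1/comm").write_text("systemd\n")
    (proc / "1/environ").write_bytes(b"PATH=/usr/bin\0")
    return str(root), str(proc)


if __name__ == "__main__":
    import json
    import sys
    r, p = build_sample_tree() if "--demo" in sys.argv else ("/", "/proc")
    print(json.dumps(audit(r, p), indent=2))
```

Run it with `--demo` to see the three finding classes on the constructed tree, or as root without arguments to audit the live host. A process whose `exe` reads `(deleted)` is not proof of malice (package upgrades leave long-running daemons in that state until restarted), so the `comm` field is included for triage: a user-land process named like a kernel thread is the combination worth escalating. The heuristics deliberately stay simple; a real deployment would compare the persistence files against a known-good baseline rather than pattern-match their contents.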
The implant’s capabilities encompass nearly the entire attack lifecycle. QLNX provides the operator with a remote shell, manages files and processes, and maintains encrypted communication with a command-and-control server via TCP/TLS or HTTP/S. Furthermore, it conceals processes, files, and network ports through a custom user-land rootkit and a kernel-level eBPF component.
Specialized modules exfiltrate SSH keys, browser data, cloud configurations, and developer secrets, alongside the contents of /etc/shadow and the system clipboard. It further intercepts credentials via PAM. This follows a comparable incident recently documented within the PyPI ecosystem, where a compromised package sought SSH keys, AWS tokens, and Kubernetes secrets directly within the developer’s environment.
The malicious suite is also capable of keystroke logging, screen capturing, monitoring file activity via inotify, and establishing TCP tunnels or SOCKS proxies. Its support for peer-to-peer (P2P) networking ensures sustained command-and-control even amidst individual node failures.
Trend Micro has not attributed QLNX to a specific threat actor, and the scale of its deployment remains unknown. At the time of disclosure, the malicious binary was detected by only four security solutions. Indicators of compromise have been published to help organizations detect infections and reduce the growing risk to the global software supply chain.