Thai threat actor named after folklore spirit

A new threat actor has been spotted going after telecommunications targets in Thailand. Group-IB, the cybersecurity analyst that detected it, has named it Krasue, after a malicious spirit in Thai folklore.

“Owing to the fact that Thai companies were exclusively targeted, Group-IB has decided to call this RAT [remote access trojan] Krasue, a nod to the Thai name of a nocturnal native spirit known throughout Southeast Asian folklore,” said the security firm.

“Krasue, who is said to hover in the air above the ground and is driven by extreme hunger, poses a severe risk to critical systems and sensitive data given that it is able to grant attackers remote access to the targeted network,” it added.

Krasue hovered in the original folk tales, and its digital variant has been flying under the radar for quite some time – Group-IB reckons it has been active since at least 2021 and is focusing predominantly on targets in the Southeast Asian nation that use Linux operating systems.

Most, though not all, of these Thai targets are believed to be telecoms companies, it added.

Krasue’s favored means of attack include entering a target system through vulnerability exploitation and credential brute force attacks, and occasionally being unwittingly downloaded from “an untrustworthy third-party source” as a result of a social engineering ploy, for instance a fake update notification.

Group-IB says it is disclosing its findings to help potential targets in Thailand protect themselves and help the global cybersecurity community “better understand the evolving functionalities of Linux RATs and hunt for them.”

In particular, Group-IB believes that Linux servers are vulnerable to cyberattacks because they often have poor end-point security – in layman’s terms, something akin to having poorly locked entrances to your home.

Cybersecurity professionals can access a detailed breakdown of Group-IB’s analysis of Krasue’s methodology and rootkit used in its attacks here.