Quasar Linux RAT (QLNX): Silent Foothold in Dev Environments

Just caught the report on The Hacker News about a new Linux variant of the Quasar RAT, dubbed QLNX. It looks like the actors are finally porting this classic Windows infrastructure to target the software supply chain directly. The report indicates it's specifically harvesting DevOps credentials and setting up persistence for broader post-exploitation activities like keylogging and network tunneling.

Since it targets developers, I'm assuming it's looking for standard SSH configs and maybe cloud credentials files. We should probably be checking for unusual persistence mechanisms in user directories. I've whipped up a quick YARA rule to help spot the binary signature based on the initial analysis:

yara rule Quasar_Linux_RAT_QLNX { meta: description = "Detects Quasar Linux RAT based on observed strings" author = "Security_Arsenal_User" strings: $s1 = "/bin/bash" nocase $s2 = "QLNX" nocase $s3 = "libQt5Core" nocase // Often used in Linux cross-platform RATs $config = { 6A 00 6A 00 6A 00 } // Common obfuscation prologue condition: uint16(0) == 0x457f and 2 of ($s*) }

Also, given the capability for file manipulation and clipboard monitoring, we might want to audit for processes accessing ~/.ssh or ~/.aws/credentials that aren't standard tools like ssh-agent or aws cli.

# Auditd rule to watch for access to sensitive credential files
-w /home/dev/.ssh/config -p wa -k ssh_access
-w /home/dev/.aws/credentials -p r -k aws_creds_read

Has anyone seen this in the wild yet? How are you guys handling Linux EDR coverage for your developer workstations versus production servers?