Follow 
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
Quasar Linux (QLNX) is an advanced Linux remote access trojan that combines a user-space and eBPF rootkit with a PAM backdoor and broad credential-harvesting capabilities. The malware supports fileless execution, process name masquerading, and several persistence techniques that help it remain hidden on infected systems. Its focus on developer workstations makes it especially dangerous for supply-chain abuse, as it can steal tokens, SSH keys, and cloud credentials. The malware also uses encrypted communications and supports a peer-to-peer mesh architecture to improve resilience and maintain access.
Investigation
Trend Micro researchers obtained the QLNX binary and conducted both static and dynamic analysis, uncovering embedded source code for the rootkit and PAM backdoor components. Their investigation documented the malware’s ability to compile components directly on the target host, the range of persistence mechanisms it uses, and the full command set supported by the implant. Network analysis also revealed a custom TLS-based protocol and a distinctive magic identifier used in communications. From this work, researchers extracted indicators of compromise to support hunting and detection.
Mitigation
Defenders should look for QLNX by monitoring for its unique mutex lock file, suspicious LD_PRELOAD entries, and unusual gcc compilation commands that generate malicious shared objects. Organizations should also block execution of unknown binaries named quasar-implant and restrict write access to /etc/ld.so.preload. Multi-factor authentication should be enforced for developer accounts, and security teams should monitor closely for attempts to exfiltrate credential stores and sensitive token files.
Response
If QLNX indicators are found, isolate the affected system immediately, collect memory and disk images, and terminate the malicious process. Remove unauthorized entries from /etc/ld.so.preload, delete the compiled malicious .so files, and clear the lock file used by the implant. All potentially exposed credentials, especially cloud and package registry tokens, should be rotated without delay. Investigators should also assess whether any supply-chain systems, repositories, or build environments were contaminated during the intrusion.
"graph TB %% Class definitions classDef action fill:#99ccff classDef technique fill:#ffcc99 classDef malware fill:#ff9999 classDef tool fill:#cccccc classDef process fill:#ccffcc classDef persistence fill:#ffdd99 %% Malware node malware_qlnx["<b>Malware</b> – <b>Name</b>: QLNX<br/><b>Description</b>: Fileless Linux implant that uses rootkit techniques"] class malware_qlnx malware %% Execution phase action_execution["<b>Action</b> – <b>Execution</b>: Launches fileu2011less implant via memfd_create and execveat, spoofs argv0 and process name"] class action_execution action technique_process_spoof["<b>Technique</b> – T1564.010:<br/>Hide Artifacts u2013 Process Argument Spoofing"] class technique_process_spoof technique technique_unix_shell["<b>Technique</b> – T1059.004:<br/>Command and Scripting Interpreter u2013 Unix Shell"] class technique_unix_shell technique %% Privilege escalation phase action_priv_esc["<b>Action</b> – <b>Privilege Escalation</b>: Attempts sudo or pkexec to gain higher rights"] class action_priv_esc action technique_priv_esc["<b>Technique</b> – T1548.004:<br/>Abuse Elevation Control Mechanism u2013 Elevated Execution with Prompt"] class technique_priv_esc technique %% Persistence phase action_persistence["<b>Action</b> – <b>Persistence</b>: Installs systemd services, cron @reboot, init.d scripts, XDG autostart and LD_PRELOAD hook"] class action_persistence action technique_rc_scripts["<b>Technique</b> – T1037.004:<br/>Boot or Logon Initialization Scripts u2013 RC Scripts"] class technique_rc_scripts technique technique_autostart["<b>Technique</b> – T1547:<br/>Boot or Logon Autostart Execution"] class technique_autostart technique technique_hijack["<b>Technique</b> – T1574:<br/>Hijack Execution Flow via LD_PRELOAD"] class technique_hijack technique class action_persistence persistence %% Defense evasion phase action_defense_evasion["<b>Action</b> – <b>Defense Evasion</b>: Deploys LD_PRELOAD rootkit, eBPF controller, process injection and clears logs"] class action_defense_evasion action technique_rootkit["<b>Technique</b> – T1014:<br/>Rootkit u2013 hides files, processes, ports"] class technique_rootkit technique technique_thread_hijack["<b>Technique</b> – T1055.003:<br/>Process Injection u2013 Thread Execution Hijacking"] class technique_thread_hijack technique technique_process_hollow["<b>Technique</b> – T1055.012:<br/>Process Injection u2013 Process Hollowing"] class technique_process_hollow technique %% Credential harvesting phase action_credential_harvest["<b>Action</b> – <b>Credential Harvesting</b>: Collects credentials from files, SSH keys, /etc/shadow, browsers and PAM"] class action_credential_harvest action technique_creds_files["<b>Technique</b> – T1552.001:<br/>Unsecured Credentials u2013 Credentials In Files"] class technique_creds_files technique technique_private_keys["<b>Technique</b> – T1552.004:<br/>Unsecured Credentials u2013 Private Keys"] class technique_private_keys technique technique_shadow_dump["<b>Technique</b> – T1003.008:<br/>OS Credential Dumping u2013 /etc/passwd and /etc/shadow"] class technique_shadow_dump technique technique_cookies["<b>Technique</b> – T1550.004:<br/>Use Alternate Authentication Material u2013 Web Session Cookie"] class technique_cookies technique technique_pam["<b>Technique</b> – T1555:<br/>Credentials from Password Stores u2013 PAM module"] class technique_pam technique %% Collection phase action_collection["<b>Action</b> – <b>Collection</b>: Captures clipboard data and screen images"] class action_collection action technique_clipboard["<b>Technique</b> – T1115:<br/>Clipboard Data"] class technique_clipboard technique technique_screenshot["<b>Technique</b> – T1113:<br/>Screen Capture"] class technique_screenshot technique %% Command and Control phase action_c2["<b>Action</b> – <b>Command and Control</b>: Exfiltrates data over encrypted TLS/HTTPS"] class action_c2 action technique_exfil["<b>Technique</b> – T1041:<br/>Exfiltration Over C2 Channel"] class technique_exfil technique %% Lateral Movement phase action_lateral["<b>Action</b> – <b>Lateral Movement</b>: Uses harvested SSH keys to access remote hosts"] class action_lateral action technique_remote_exploit["<b>Technique</b> – T1210:<br/>Exploitation of Remote Services"] class technique_remote_exploit technique %% Connections malware_qlnx –>|performs| action_execution action_execution –>|uses| technique_process_spoof action_execution –>|uses| technique_unix_shell action_execution –>|leads to| action_priv_esc action_priv_esc –>|uses| technique_priv_esc action_priv_esc –>|leads to| action_persistence action_persistence –>|uses| technique_rc_scripts action_persistence –>|uses| technique_autostart action_persistence –>|uses| technique_hijack action_persistence –>|leads to| action_defense_evasion action_defense_evasion –>|uses| technique_rootkit action_defense_evasion –>|uses| technique_thread_hijack action_defense_evasion –>|uses| technique_process_hollow action_defense_evasion –>|leads to| action_credential_harvest action_credential_harvest –>|uses| technique_creds_files action_credential_harvest –>|uses| technique_private_keys action_credential_harvest –>|uses| technique_shadow_dump action_credential_harvest –>|uses| technique_cookies action_credential_harvest –>|uses| technique_pam action_credential_harvest –>|leads to| action_collection action_collection –>|uses| technique_clipboard action_collection –>|uses| technique_screenshot action_collection –>|leads to| action_c2 action_c2 –>|uses| technique_exfil action_c2 –>|enables| action_lateral action_lateral –>|uses| technique_remote_exploit "
Attack Flow
Detections
Possible IP Lookup Domain Communications Attempted (via dns)
View
Suspicious Autostart .desktop Dropped in User Profile (via file_event)
View
Hidden File Was Created On Linux Host (via file_event)
View
IOCs (HashSha256) to detect: Quasar Linux (QLNX) – A Silent Foothold in the Supply Chain: Inside a Full-Featured Linux RAT With Rootkit, PAM Backdoor, Credential Harvesting and More
View
IOCs (HashSha1) to detect: Quasar Linux (QLNX) – A Silent Foothold in the Supply Chain: Inside a Full-Featured Linux RAT With Rootkit, PAM Backdoor, Credential Harvesting and More
View
IOCs (HashMd5) to detect: Quasar Linux (QLNX) – A Silent Foothold in the Supply Chain: Inside a Full-Featured Linux RAT With Rootkit, PAM Backdoor, Credential Harvesting and More
View
Detection of Fileless Execution and Code Injection by QLNX [Linux Process Creation]
View
## Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.
-
Attack Narrative & Commands:
- Stage 1 – Payload Generation: The attacker writes a minimal C payload that calls
memfd_createto create an anonymous in‑memory executable file, writes a simple shellcode (e.g.,execve("/bin/sh", …)), marks it executable, and then launches it viaexecveat. - Stage 2 – Compile On‑The‑Fly: Using
gcc(the visible indicator in the rule) the attacker compiles the source without touching disk (output directed to/dev/fd/3). - Stage 3 – Execution & Injection: The compiled binary runs, invokes
memfd_create, loads the shellcode, and finally callsexecveatto execute the memory‑resident ELF. Optionalptracemay be used to inject code into a sibling process, which would also satisfy the rule.
- Stage 1 – Payload Generation: The attacker writes a minimal C payload that calls
-
Regression Test Script:
#!/usr/bin/env bash # # QLNX‑like fileless execution simulation # Generates in‑memory ELF via memfd_create and runs it with execveat. # Requires: gcc, libcap2-bin (for execveat demo), and auditd rules from pre‑flight. set -euo pipefail # 1️⃣ Create C source that performs the memfd + execveat dance cat > /tmp/payload.c <<'EOF' #define _GNU_SOURCE #include <sys/mman.h> #include <sys/syscall.h> #include <unistd.h> #include <fcntl.h> #include <string.h> int main(void) { // Create an anonymous file descriptor (memfd) int fd = syscall(SYS_memfd_create, "memfd_payload", MFD_CLOEXEC); if (fd == -1) _exit(1); // Simple ELF binary that just execve /bin/sh const unsigned char elf[] = { 0x7f,0x45,0x4c,0x46,0x02,0x01,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, // ... (truncated for brevity – a minimal statically linked /bin/sh ELF) }; write(fd, elf, sizeof(elf)); // Make it executable fchmod(fd, 0755); // Use execveat to run the in‑memory binary syscall(SYS_execveat, fd, "", NULL, NULL, AT_EMPTY_PATH); _exit(0); } EOF # 2️⃣ Compile with gcc (this will be captured by the detection rule) gcc -static -o /tmp/payload /tmp/payload.c # 3️⃣ Execute the malicious binary – this triggers execveat /tmp/payload # 4️⃣ Cleanup rm -f /tmp/payload /tmp/payload.c -
Cleanup Commands:
# Remove residual files and unload potential audit rules (if test environment is disposable) rm -f /tmp/payload /tmp/payload.c sudo auditctl -d -a always,exit -F arch=b64 -S execveat -k qlnx_execveat sudo auditctl -d -a always,exit -F arch=b64 -S memfd_create -k qlnx_memfd sudo auditctl -d -a always,exit -F arch=b64 -S ptrace -k qlnx_ptrace