
Quasar Linux (QLNX) Malware: Detection and Response Guide

Technical analysis, detection commands and security measures for the Quasar Linux (QLNX) malware targeting software developers.

Quasar Linux (QLNX) Overview

Quasar Linux (QLNX) is a new, undocumented Linux malware that especially targets software developers. It runs on Linux operating systems and has advanced rootkit, backdoor and credential theft capabilities. It uses complex methods to maintain persistence on the system and hide network traffic.

Detection Methods

QLNX can hide itself by infiltrating system files, so standard process lists can be misleading. You can check for suspicious activity on your system by following the steps below.

  1. List suspicious network connections in the system.
  2. Examine running processes and file system changes.
  3. Observe system calls to check for rootkit presence.

# Check suspicious network connections
# (-a shows established connections as well; -l alone lists only listening sockets)
netstat -tunap | grep -E 'ESTABLISHED|LISTEN'

# List suspicious processes
ps auxf --sort=-%cpu

# Check file system integrity (e.g. with AIDE; needs a baseline database created while the system was clean)
aide --check

Warning: If QLNX is detected on your system, it is recommended to isolate the system completely, take an image of it and perform forensic analysis.
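
Because the process list itself may be misleading, a second view helps. The script below is an added example, not part of the original article: it compares the PIDs that ps reports with the PID directories in /proc. It assumes procps ps and a user-space hiding technique, and all function names are illustrative.

```bash
#!/usr/bin/env bash
# Added example: cross-view process check (not from the original article).
# Assumption: hiding happens in user space (tampered ps or libraries), so
# /proc gives a second view. A kernel-level rootkit can defeat both views.
export LC_ALL=C   # comm and sort must agree on ordering

# PIDs as reported by ps, one per line, sorted.
pids_from_ps() {
    ps -e -o pid= | tr -d ' ' | sort
}

# PIDs read straight from /proc directory names, bypassing ps.
pids_from_proc() {
    local d
    for d in /proc/[0-9]*; do
        if [ -d "$d" ]; then printf '%s\n' "${d#/proc/}"; fi
    done | sort
}

# Args: ps list taken before, /proc list, ps list taken after (sorted files).
# Prints PIDs that /proc shows but neither ps snapshot does. Two snapshots
# keep a process that merely started in between from being flagged.
hidden_candidates() {
    comm -13 "$1" "$2" | comm -23 - "$3"
}

# Live check: run as root so every /proc entry is readable.
cross_view_check() {
    local tmp pid
    tmp=$(mktemp -d)
    pids_from_ps   > "$tmp/before"
    pids_from_proc > "$tmp/proc"
    pids_from_ps   > "$tmp/after"
    hidden_candidates "$tmp/before" "$tmp/proc" "$tmp/after" |
    while read -r pid; do
        # Skip helpers of this script that have already exited.
        if [ -d "/proc/$pid" ]; then
            printf 'not shown by ps: pid=%s exe=%s\n' "$pid" \
                "$(readlink "/proc/$pid/exe" 2>/dev/null || echo unknown)"
        fi
    done
    rm -rf "$tmp"
}

if [ "${1:-}" = "--live" ]; then cross_view_check; fi
```

Run the script with `--live` on the suspect host; an empty result does not prove the system is clean, so a hit or other indicators still call for isolation and imaging.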

Intervention and Removal Steps

It is very difficult to remove the malware from the system because its rootkit capabilities let it protect itself from deletion commands. The safest method is to reinstall the system.

  1. Completely isolate the system from the network.
  2. Back up your critical data (but do not back up executables).
  3. Reinstall the system from a clean environment.
  4. Invalidate all SSH keys and API tokens and issue new ones.

# List SSH keys
ls -la ~/.ssh/

# Remove the authorized_keys file (revokes every key allowed to log in to this account)
rm ~/.ssh/authorized_keys

# Generate a new key pair
ssh-keygen -t ed25519 -C "new_key"

The most important line of defense for developers is verifying packages downloaded from third-party sources. Use only official and reliable repository sources.
