
The Turbo Campaign, Featuring Derusbi for 64-bit Linux

15 pages

This threat advisory analyzes the Turbo campaign (observed in summer 2015) against a large U.S. public research institution. The attackers gained SSH access and used wget to download a rare 64-bit Linux variant of the Derusbi RAT together with a custom 64-bit kernel module called Turbo.

The malware is notable for Linux-focused cloaking and anti-forensics: the kernel module is dropped to /dev/shm/.x11.id and loaded, and the file is then deleted and overwritten with nulls, so only the memory-resident copy survives and no on-disk artifact remains for later recovery. Shell history is suppressed by redirecting it to /dev/null.

Derusbi provides full RAT functionality (file operations, remote command execution, a remote bash shell, and timestomping). Its beacons mimic the C2 patterns of the Windows Derusbi variant, which lets the operators reuse C2 infrastructure alongside PlugX. Turbo hooks the system call ta
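The two anti-forensics habits above (a kernel module whose backing file is gone, and shell history redirected to /dev/null) leave checkable traces on a live host. The script below is an added example for this page, not code from the advisory or from the malware; it parses /proc/modules and /proc/<pid>/environ and flags loaded modules with no .ko file under /lib/modules/<release> and processes whose environment sets HISTFILE=/dev/null. The module name "hidden_mod", the sample environment blob, and the set of on-disk modules are constructed for the offline demo and are not indicators from the report. Because a module that hooks the system call table can tamper with what /proc reports, treat a clean result from a possibly compromised kernel as inconclusive; run the same checks against a memory image or from a trusted boot where possible.

```python
"""Host checks for Turbo-style anti-forensics (added example, not from the advisory).

1. Loaded kernel modules with no backing .ko file on disk: a module loaded
   from /dev/shm and then deleted still appears in /proc/modules but has
   no counterpart under /lib/modules/<release>.
2. Processes whose environment sets HISTFILE=/dev/null, one common way of
   discarding shell history.
"""
import glob
import os
import re
from typing import Dict, List, Set


def parse_proc_modules(text: str) -> List[str]:
    """Return module names from /proc/modules-formatted text.

    Each line is '<name> <size> <refcount> <deps> <state> <address> [(taint)]';
    only the first field is needed here.
    """
    return [line.split()[0] for line in text.splitlines() if line.split()]


def known_module_names(modules_dir: str) -> Set[str]:
    """Module names for every .ko / .ko.xz / .ko.gz / .ko.zst under modules_dir.

    The kernel reports names with '_' where file names may use '-'.
    """
    names: Set[str] = set()
    for path in glob.glob(os.path.join(modules_dir, "**", "*.ko*"), recursive=True):
        base = re.sub(r"\.ko(\.(xz|gz|zst))?$", "", os.path.basename(path))
        names.add(base.replace("-", "_"))
    return names


def find_unbacked_modules(loaded: List[str], known: Set[str]) -> List[str]:
    """Loaded modules with no on-disk counterpart; each deserves a closer look."""
    return [m for m in loaded if m.replace("-", "_") not in known]


def histfile_devnull(environ: bytes) -> bool:
    """True if a NUL-separated /proc/<pid>/environ blob sets HISTFILE=/dev/null."""
    return any(entry == b"HISTFILE=/dev/null" for entry in environ.split(b"\0"))


def scan_histfile(proc_root: str = "/proc") -> List[int]:
    """PIDs whose environment sets HISTFILE=/dev/null (root needed for other users)."""
    hits: List[int] = []
    for pid_dir in glob.glob(os.path.join(proc_root, "[0-9]*")):
        try:
            with open(os.path.join(pid_dir, "environ"), "rb") as fh:
                if histfile_devnull(fh.read()):
                    hits.append(int(os.path.basename(pid_dir)))
        except OSError:
            continue  # process exited or permission denied
    return sorted(hits)


# Constructed sample data (hypothetical, not indicators from the report):
# three loaded modules, only two of which exist on disk, plus one process
# environment that discards its shell history.
SAMPLE_PROC_MODULES = (
    "ext4 778240 2 - Live 0xffffffffc0a00000\n"
    "hidden_mod 16384 0 - Live 0xffffffffc0b00000 (O)\n"
    "xfs 1200128 0 - Live 0xffffffffc0c00000\n"
)
SAMPLE_KNOWN = {"ext4", "xfs", "e1000e"}
SAMPLE_ENVIRON = b"HOME=/root\0HISTFILE=/dev/null\0SHELL=/bin/bash\0"


def demo() -> Dict[str, object]:
    """Run both checks on the constructed sample and return the findings."""
    loaded = parse_proc_modules(SAMPLE_PROC_MODULES)
    return {
        "unbacked": find_unbacked_modules(loaded, SAMPLE_KNOWN),
        "histfile_devnull": histfile_devnull(SAMPLE_ENVIRON),
    }


if __name__ == "__main__":
    print("sample findings:", demo())
    if os.path.exists("/proc/modules"):  # live-host run, Linux only
        release = os.uname().release
        with open("/proc/modules") as fh:
            live = parse_proc_modules(fh.read())
        known = known_module_names(f"/lib/modules/{release}")
        print("unbacked modules on this host:", find_unbacked_modules(live, known))
        print("PIDs with HISTFILE=/dev/null:", scan_histfile())
```

On a real host, run it as root so every process's environ is readable. Modules built in-tree by a custom kernel or loaded from a non-standard directory will also show up as "unbacked", so reconcile hits against the host's build records before treating them as an incident indicator.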
