A new cryptomining campaign has been identified in which attackers are infecting Linux systems with an open-source RAT called Chaos. It abuses the resources of the targeted machine to mine Monero (XMR) cryptocurrency.
A new wave of Chaos
Chaos RAT was identified by Trend Micro researchers in November as an open-source project written in the Go language. Most of its functionality remains unchanged since then, and it is now used to deploy cryptomining malware.
- Upon infection, the malware alters the crontab file of the victim machine to ensure persistence. It schedules the cron job to download itself from Pastebin every 10 minutes, thus, ensuring its presence even after manual removal from the device.
- It downloads the next-stage payloads on the device, which includes XMRig miner and Chaos RAT.
- It further downloads its configuration file and a shell script designed to kill any competitor malware running on the infected machine.
Malware hosting
All the payloads and the main script to download these payloads are hosted across multiple locations to ensure that they always remain operational.
- The main server is located in Russia and uses cloud-bulletproof hosting to hide its whereabouts.
- Moreover, the C&C server is hosted in Hong Kong, where it sends detailed information about the infected machine.
Malware capabilities
- The RAT can take screenshots, access the file explorer, and gather OS-related information.
- It is capable of uploading, downloading, and deleting files, as well as shutting down and restarting the machine.
- It can further perform reverse shells and open arbitrary URLs in the browser.
Ending notes
Upon high-level analysis, this campaign provides indications of an ordinary cryptomining activity, however, the wide range of supported functions embedded in Chaos RAT indicates that the operators may be planning to hide their real intentions under the cryptojacking cloak. Experts suggest individuals and organizations stay extra cautious with cybersecurity and keep strengthening their defenses at regular intervals to minimize any risks.
Publisher
/https://cyware-ent.s3.amazonaws.com/image_bank/shutterstock_347646005.jpg)
/https://cyware-ent.s3.amazonaws.com/image_bank/d021_shutterstock_661733230.jpeg)
