Researchers spotted a cryptocurrency mining campaign targeting Linux users with Go-based CHAOS malware (Trojan.Linux.CHAOSRAT).
In November 2022, Trend Micro researchers discovered a cryptocurrency mining campaign targeting Linux users with Go-based CHAOS malware (Trojan.Linux.CHAOSRAT). The Chaos RAT is based on an open-source project.
Like the original project, the malware is able to terminate competing malware, security software, and is used to deploy the Monero (XMR) cryptocurrency miner.
The malware maintains persistence by altering /etc/crontab file and downloads itself every 10 minutes from Pastebin.
“This is followed by downloading additional payloads: an XMRig miner, its configuration file, a shell script looping “competition killer,” and most importantly, the RAT itself.” reads the analysis published by Trend Micro.
The researchers reported that the main downloader script and further payloads are hosted in multiple locations to make sure that the campaign remains active and the threat continues to spread.
According to the experts, the main server appears to be located in Russia and is used for cloud bulletproof hosting.
The C2 server is used only for providing payloads, while the Chaos RAT connects to another C&C server that is likely located in Hong Kong. Upon running the RAT, it connects to the C2 server via its address, and default port, using a JSON Web Token (JTW) for authorization.
The malware sends detailed information on the infected machine to the C2 server using the command /device. The Go-based RAT supports the following functions:
- Perform reverse shell
- Download files
- Upload files
- Delete files
- Take screenshots
- Access file explorer
- Gather operating system information
- Restart the PC
- Shutdown the PC
- Open a URL
“On the surface, the incorporation of a RAT into the infection routine of a cryptocurrency mining malware might seem relatively minor,” the researchers conclude. “However, given the tool’s array of functions and the fact that this evolution shows that cloud-based threat actors are still evolving their campaigns, it is important that both organizations and individuals stay extra vigilant when it comes to security.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, CHAOS malware)
Share On
Read More: news.google.com
Bitcoin 
Ethereum 
Tether 
XRP 
BNB 
Solana 
USDC 
Dogecoin 
Cardano 
TRON 
Lido Staked Ether 
Wrapped Bitcoin 
Sui 
Hyperliquid 
Wrapped stETH 
Chainlink 
Avalanche 
Stellar 
Shiba Inu 
LEO Token 
Bitcoin Cash 
Hedera 
Toncoin 
WETH 
Litecoin 
USDS 
Polkadot 
Wrapped eETH 
Monero 
Bitget Token 
Binance Bridged USDT (BNB Smart Chain) 
Pepe 
Pi Network 
Ethena USDe 
Coinbase Wrapped BTC 
WhiteBIT Coin 
Aave 
Bittensor 
Uniswap 
Dai 
NEAR Protocol 
Aptos 
Jito Staked SOL 
OKB 
Tokenize Xchange 
Ondo 
BlackRock USD Institutional Digital Liquidity Fund 
Cronos 
Internet Computer 
Ethereum Classic