- Buy Microsoft Visio Professional or Microsoft Project Professional 2024 for just $80
- Get Microsoft Office Pro and Windows 11 Pro for 87% off with this bundle
- Buy or gift a Babbel subscription for 78% off to learn a new language - new low price
- Join BJ's Wholesale Club for just $20 right now to save on holiday shopping
- This $28 'magic arm' makes taking pictures so much easier (and it's only $20 for Black Friday)
Chaos RAT Used to Enhance Linux Cryptomining Attacks
The Chaos remote administrative tool (RAT) has been used to improve the efficiency of cryptocurrency mining attacks against Linux systems.
The findings from Trend Micro security researchers were detailed in an advisory published on Sunday.
“We’ve previously written about cryptojacking scenarios involving Linux machines and specific cloud computing instances being targeted by threat actors active in this space, such as TeamTNT,” the security experts wrote.
During their investigative efforts, Trend Micro said they found that the attacker tactics were similar, even if they involved different threat actors.
“The initial phase saw attackers trying to kill off competing malware, security products, and other cloud middleware. This was followed by routines for persistence and payload execution, which in most cases is a Monero (XMR) cryptocurrency miner,” reads the technical write-up.
For more sophisticated threats, Trend Micro said they have also observed capabilities that allowed infection on more devices.
“In November 2022, we intercepted a threat that had a slightly different routine and incorporated an advanced RAT named Chaos […] which is based on an open-source project.”
In the newly observed attacks, the main downloader script and further payloads were hosted in different locations to ensure that the campaign remained active and kept on spreading.
During this malicious campaign, the scripts spotted by Trend Micro showed that the main server, which was also used for downloading payloads, appeared to be located in Russia.
From a technical standpoint, the Chaos RAT is a Go-compiled binary with several functions, including executing reverse shells, downloading and uploading files, and taking screenshots, among others.
“On the surface, the incorporation of a RAT into the infection routine of a cryptocurrency mining malware might seem relatively minor,” Trend Micro wrote.
“However, given the tool’s array of functions and the fact that this evolution shows that cloud-based threat actors are still evolving their campaigns, it is important that both organizations and individuals stay extra vigilant when it comes to security.”
The Trend Micro advisory comes roughly two months after decentralized finance (DeFi) platform Moola Market confirmed it suffered a security incident leading to a loss of up to $9m worth of cryptocurrency.