An open-source remote access trojan called Chaos RAT is being used in a cybercriminal campaign that infects Linux systems. According to reports, the RAT exploits the resources of targeted devices to mine the Monero (XMR) cryptocurrency.
Researchers identified the open-source project, which is written in Go (Golang), last month. Most of its features have remained unchanged since it was first discovered; the only notable change is that its operators now deploy it in a cryptomining campaign.
According to investigations, the Chaos RAT malware modifies the crontab file of the targeted device to establish persistence upon infection. It schedules a cron job that downloads the malware again from Pastebin every 10 minutes, so the malware can re-establish itself on the device even if the user removes it manually.
After establishing persistence, the threat actors can download the next-stage payloads onto the device. These payloads include the RAT itself and the XMRig cryptominer, along with the miner's configuration file and a shell script crafted by the attackers to remove any competing malware running on the compromised device.
The Chaos RAT operators host their payloads in multiple locations so the campaign is never interrupted.
The malicious actors store the main script and all the payloads across numerous locations to ensure the campaign remains operational in every region they target. The group's central server is located in Russia.
Additionally, the group uses bulletproof cloud hosting to obscure its exact location. Researchers are also having difficulty tracing the actors because the group's command-and-control server is hosted in Hong Kong.
The confirmed capabilities of Chaos RAT include capturing screenshots, accessing the file explorer, and harvesting OS-related data. The RAT can also upload, download, and delete files.
However, the most threatening capability of this RAT is that it can shut down and restart an infected device remotely.
Experts claimed that the Chaos RAT operators are concealing their true intentions for deploying these payloads, even though the campaign shows the hallmarks of an ordinary cryptomining operation. Cybersecurity researchers recommend that users and organisations remain cautious and improve their cybersecurity defences to mitigate the risk of infection.
