Cryptomining Chaos RAT Targeting Linux Systems 
Reading Time: 2 minutes

Cybersecurity researchers at Trend Micro earlier last month discovered crypto mining Chaos RAT targeting Linux systems with several advanced functions that bad guys can use to control remote operating systems.

Just like its earlier versions of the Chaos RAT target Linux operating systems, the code kills competing for malware and resources that affect cryptocurrency mining performance.

According to Trend Micro researchers David Fiser and Alfredo Oliveira, the new malware establishes persistence “by altering /etc/crontab file, a UNIX task scheduler that, in this case, downloads itself every 10 minutes from Pastebin.”

Later, it downloaded the anXMRig miner and configuration file, which then downloaded a payload that kept killing any competing malware. Finally, it installed the Chaos RAT remote access tool (which is written in Go and can restart or shut down your machine) to keep control of your system.

The open-source tool can do a reverse shell, take screenshots of the victim’s device, and collect various information about the operating system. It can also download, upload, or even delete files.

“An interesting trait of the malware family we intercepted is that the address and access token are passed as compilation flags and hardcoded inside the RAT client, replacing any data inside variables from the main code,” researchers wrote.

Additionally, the team noted that the Chaos RAT will communicate with an unknown server in Hong Kong.

In this case, it’s worth noting that the Russian server has been used for providing cloud bulletproof hosting for other shady characters. These services are typically abused by criminals to launch cyberattacks and hide their other illicit activities.

The Trend Micro researchers added the same hosting service has been used by other cybercriminals for carrying out attacks on cloud infrastructure, containers, and Linux servers.

Fiser and Oliveira said, “On the surface, the incorporation of a RAT into the infection routine of a cryptocurrency mining malware might seem relatively minor,” 

Further, they added, “However, given the tool’s array of functions and the fact that this evolution shows that cloud-based threat actors are still evolving their campaigns, it is important that both organizations and individuals stay extra vigilant when it comes to security.”

Related Articles:
Cryptonite Open Source Ransomware Toolkit Turns Into Accidental Wiper Malware
New CryWiper Data Wiper Malware Posing as Ransomware Targets Russian Courts
AppleJeus Malware Disguised as Cryptocurrency Apps Distributed by North Korean Hackers