Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Cryptomining campaign targets Linux systems with Go-based CHAOS Malware

Researchers spotted a cryptocurrency mining campaign targeting Linux users with Go-based CHAOS malware (Trojan.Linux.CHAOSRAT). In November 2022, Trend Micro researchers discovered a cryptocurrency mining campaign targeting Linux users with Go-based CHAOS malware (Trojan.Linux.CHAOSRAT). The Chaos RAT is based on an open-source project. Like the original project, the malware is able to terminate competing malware, security […]

Chaos RAT

Researchers spotted a cryptocurrency mining campaign targeting Linux users with Go-based CHAOS malware (Trojan.Linux.CHAOSRAT).

In November 2022, Trend Micro researchers discovered a cryptocurrency mining campaign targeting Linux users with Go-based CHAOS malware (Trojan.Linux.CHAOSRAT). The Chaos RAT is based on an open-source project.

Like the original project, the malware is able to terminate competing malware, security software, and is used to deploy the Monero (XMR) cryptocurrency miner.

The malware maintains persistence by altering /etc/crontab file and downloads itself every 10 minutes from Pastebin.

“This is followed by downloading additional payloads: an XMRig miner, its configuration file, a shell script looping “competition killer,” and most importantly, the RAT itself.” reads the analysis published by Trend Micro.

The researchers reported that the main downloader script and further payloads are hosted in multiple locations to make sure that the campaign remains active and the threat continues to spread.

According to the experts, the main server appears to be located in Russia and is used for cloud bulletproof hosting.

The C2 server is used only for providing payloads, while the Chaos RAT connects to another C&C server that is likely located in Hong Kong. Upon running the RAT, it connects to the C2 server via its address, and default port, using a JSON Web Token (JTW) for authorization.

The malware sends detailed information on the infected machine to the C2 server using the command /device. The Go-based RAT supports the following functions:

  • Perform reverse shell
  • Download files
  • Upload files
  • Delete files
  • Take screenshots
  • Access file explorer
  • Gather operating system information
  • Restart the PC
  • Shutdown the PC
  • Open a URL

Chaos RAT

“On the surface, the incorporation of a RAT into the infection routine of a cryptocurrency mining malware might seem relatively minor,” the researchers conclude. “However, given the tool’s array of functions and the fact that this evolution shows that cloud-based threat actors are still evolving their campaigns, it is important that both organizations and individuals stay extra vigilant when it comes to security.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, CHAOS malware)

[adrotate banner=”5″]

[adrotate banner=”13″]