Cryptomining campaign targets Linux systems with Go-based CHAOS Malware

Researchers spotted a cryptocurrency mining campaign targeting Linux users with Go-based CHAOS malware (Trojan.Linux.CHAOSRAT).

In November 2022, Trend Micro researchers discovered a cryptocurrency mining campaign targeting Linux users with Go-based CHAOS malware (Trojan.Linux.CHAOSRAT). The Chaos RAT is based on an open-source project.

Like the original project, the malware is able to terminate competing malware, security software, and is used to deploy the Monero (XMR) cryptocurrency miner.

The malware maintains persistence by altering /etc/crontab file and downloads itself every 10 minutes from Pastebin.

“This is followed by downloading additional payloads: an XMRig miner, its configuration file, a shell script looping “competition killer,” and most importantly, the RAT itself.” reads the analysis published by Trend Micro.

The researchers reported that the main downloader script and further payloads are hosted in multiple locations to make sure that the campaign remains active and the threat continues to spread.

According to the experts, the main server appears to be located in Russia and is used for cloud bulletproof hosting.

The C2 server is used only for providing payloads, while the Chaos RAT connects to another C&C server that is likely located in Hong Kong. Upon running the RAT, it connects to the C2 server via its address, and default port, using a JSON Web Token (JTW) for authorization.

The malware sends detailed information on the infected machine to the C2 server using the command /device. The Go-based RAT supports the following functions:

• Perform reverse shell
• Download files
• Upload files
• Delete files
• Take screenshots
• Access file explorer
• Gather operating system information
• Restart the PC
• Shutdown the PC
• Open a URL

“On the surface, the incorporation of a RAT into the infection routine of a cryptocurrency mining malware might seem relatively minor,” the researchers conclude. “However, given the tool’s array of functions and the fact that this evolution shows that cloud-based threat actors are still evolving their campaigns, it is important that both organizations and individuals stay extra vigilant when it comes to security.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, CHAOS malware)

[adrotate banner=”5″]

[adrotate banner=”13″]