Cryptomining campaign targets Linux systems with Go-based CHAOS Malware

Researchers spotted a cryptocurrency mining campaign targeting Linux users with Go-based CHAOS malware (Trojan.Linux.CHAOSRAT).

In November 2022, Trend Micro researchers discovered a cryptocurrency mining campaign targeting Linux users with Go-based CHAOS malware (Trojan.Linux.CHAOSRAT). The Chaos RAT is based on an open-source project.

Like the original project, the malware is able to terminate competing malware, security software, and is used to deploy the Monero (XMR) cryptocurrency miner.

The malware maintains persistence by altering /etc/crontab file and downloads itself every 10 minutes from Pastebin.

“This is followed by downloading additional payloads: an XMRig miner, its configuration file, a shell script looping “competition killer,” and most importantly, the RAT itself.” reads the analysis published by Trend Micro.

The researchers reported that the main downloader script and further payloads are hosted in multiple locations to make sure that the campaign remains active and the threat continues to spread.

According to the experts, the main server appears to be located in Russia and is used for cloud bulletproof hosting.

The C2 server is used only for providing payloads, while the Chaos RAT connects to another C&C server that is likely located in Hong Kong. Upon running the RAT, it connects to the C2 server via its address, and default port, using a JSON Web Token (JTW) for authorization.

The malware sends detailed information on the infected machine to the C2 server using the command /device. The Go-based RAT supports the following functions:

Perform reverse shell
Download files
Upload files
Delete files
Take screenshots
Access file explorer
Gather operating system information
Restart the PC
Shutdown the PC
Open a URL

“On the surface, the incorporation of a RAT into the infection routine of a cryptocurrency mining malware might seem relatively minor,” the researchers conclude. “However, given the tool’s array of functions and the fact that this evolution shows that cloud-based threat actors are still evolving their campaigns, it is important that both organizations and individuals stay extra vigilant when it comes to security.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, CHAOS malware)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.