CHAOS Malware

A cryptocurrency mining attack targeting the Linux operating system also involved the use of an open source remote access trojan (RAT) dubbed CHAOS.

The threat, which was spotted by Trend Micro in November 2022, remains virtually unchanged in all other aspects, including when it comes to terminating competing malware, security software, and deploying the Monero (XMR) cryptocurrency miner.

"The malware achieves its persistence by altering /etc/crontab file, a UNIX task scheduler that, in this case, downloads itself every 10 minutes from Pastebin," researchers David Fiser and Alfredo Oliveira said.


This step is succeeded by downloading next-stage payloads that consist of the XMRig miner and the Go-based CHAOS RAT.

The cybersecurity firm said that the main downloader script and further payloads are hosted in multiple locations to make sure that the campaign remains active and new infections continue to happen.

The CHAOS RAT, once downloaded and launched, transmits detailed system metadata to a remote server, while also coming with capabilities to carry out file operations, take screenshots, shutdown and restart the computer, and open arbitrary URLs.

"On the surface, the incorporation of a RAT into the infection routine of a cryptocurrency mining malware might seem relatively minor," the researchers said.

"However, given the tool's array of functions and the fact that this evolution shows that cloud-based threat actors are still evolving their campaigns, it is important that both organizations and individuals stay extra vigilant when it comes to security."

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.