Linux users have been targeted in a cryptocurrency mining campaign that uses CHAOS, an open-source remote access trojan (RAT).
The campaign was first spotted by cybersecurity experts in November 2022 and, to achieve persistence, the malware modifies the /etc/crontab file, a UNIX job scheduler that, in this case, downloads itself from Pastebin every 10 minutes, followed by downloading additional payloads such as a shell script looping “competition killer”, an XMRig miner, its configuration file, and the RAT itself.
How does the Malware Works?
The CHAOS RAT is a Go-compiled binary that has the ability to:
- Perform reverse shell
- Download files
- Upload files
- Delete files
- Take screenshots
- Access file explorer
- Gather operating system information
- Restart the PC
- Shutdown the PC
- Open a URL
As reported by TheHackerNews, the main downloader script and additional payloads are housed in several places to ensure that the campaign is ongoing and that new infections continue.
The incorporation of a RAT into the infection routine of a cryptocurrency mining malware might not seem like such a major threat, however, due to the tool’s large array of functions, it becomes concerning.
The scariest fact about this evolution of the malware is the rate of adaptability of threat actors, which are still improving the way their campaigns operate months after it was initially released.
It is important for both organizations and individuals to be vigilant and protect themselves from cyberattacks.
If you liked this article, follow us on LinkedIn, Twitter, Facebook, Youtube, and Instagram for more cybersecurity news and topics.