Must Read

LockBit leaks data stolen from the South Korean National Tax Service
Italy's Data Protection Authority temporarily blocks ChatGPT over privacy concerns
CISA adds bugs exploited by commercial surveillance spyware to Known Exploited Vulnerabilities catalog
Hackers are actively exploiting a flaw in the Elementor Pro WordPress plugin
Cyber Police of Ukraine arrested members of a gang that defrauded EU citizens of $4.33M
Russian APT group Winter Vivern targets email portals of NATO and diplomats

Cryptomining campaign targets Linux systems with Go-based CHAOS Malware

December 12, 2022 By Pierluigi Paganini

Researchers spotted a cryptocurrency mining campaign targeting Linux users with Go-based CHAOS malware (Trojan.Linux.CHAOSRAT).

In November 2022, Trend Micro researchers discovered a cryptocurrency mining campaign targeting Linux users with Go-based CHAOS malware (Trojan.Linux.CHAOSRAT). The Chaos RAT is based on an open-source project.

Like the original project, the malware is able to terminate competing malware, security software, and is used to deploy the Monero (XMR) cryptocurrency miner.

The malware maintains persistence by altering /etc/crontab file and downloads itself every 10 minutes from Pastebin.

“This is followed by downloading additional payloads: an XMRig miner, its configuration file, a shell script looping “competition killer,” and most importantly, the RAT itself.” reads the analysis published by Trend Micro.

The researchers reported that the main downloader script and further payloads are hosted in multiple locations to make sure that the campaign remains active and the threat continues to spread.

According to the experts, the main server appears to be located in Russia and is used for cloud bulletproof hosting.

The C2 server is used only for providing payloads, while the Chaos RAT connects to another C&C server that is likely located in Hong Kong. Upon running the RAT, it connects to the C2 server via its address, and default port, using a JSON Web Token (JTW) for authorization.

The malware sends detailed information on the infected machine to the C2 server using the command /device. The Go-based RAT supports the following functions:

Perform reverse shell
Download files
Upload files
Delete files
Take screenshots
Access file explorer
Gather operating system information
Restart the PC
Shutdown the PC
Open a URL

“On the surface, the incorporation of a RAT into the infection routine of a cryptocurrency mining malware might seem relatively minor,” the researchers conclude. “However, given the tool’s array of functions and the fact that this evolution shows that cloud-based threat actors are still evolving their campaigns, it is important that both organizations and individuals stay extra vigilant when it comes to security.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, CHAOS malware)

[adrotate banner=”5″]

[adrotate banner=”13″]

Share On

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Evilnum group targets legal entities with a new Janicab variant

Indian foreign ministry's Global Pravasi Rishta portal leaks expat passport details

LockBit leaks data stolen from the South Korean National Tax Service

Must Read

Cryptomining campaign targets Linux systems with Go-based CHAOS Malware

Researchers spotted a cryptocurrency mining campaign targeting Linux users with Go-based CHAOS malware (Trojan.Linux.CHAOSRAT).

Share On

Pierluigi Paganini

Previous Article

Next Article

You might also like

LockBit leaks data stolen from the South Korean National Tax Service

Italy’s Data Protection Authority temporarily blocks ChatGPT over privacy concerns

Digging the Deep Web: Exploring the dark side of the web

Center for Cyber Security and International Relations Studies

Subscribe Security Affairs Newsletter

SecurityAffairs awarded as Best European Cybersecurity Tech Blog at European Cybersecurity Blogger Awards

Evilnum group targets legal entities with a new Janicab variant

Must Read

Cryptomining campaign targets Linux systems with Go-based CHAOS Malware

Researchers spotted a cryptocurrency mining campaign targeting Linux users with Go-based CHAOS malware (Trojan.Linux.CHAOSRAT).

Share this:

Share On

Pierluigi Paganini

Previous Article

Next Article

You might also like

LockBit leaks data stolen from the South Korean National Tax Service

Italy’s Data Protection Authority temporarily blocks ChatGPT over privacy concerns

Digging the Deep Web: Exploring the dark side of the web

Center for Cyber Security and International Relations Studies

Subscribe Security Affairs Newsletter

SecurityAffairs awarded as Best European Cybersecurity Tech Blog at European Cybersecurity Blogger Awards

Evilnum group targets legal entities with a new Janicab variant