The Chaos remote administrative tool (RAT) has been used to improve the efficiency of cryptocurrency mining attacks against Linux systems.
The findings from Trend Micro security researchers were detailed in an advisory published on Sunday.
“We’ve previously written about cryptojacking scenarios involving Linux machines and specific cloud computing instances being targeted by threat actors active in this space, such as TeamTNT,” the security experts wrote.
During their investigative efforts, Trend Micro said they found that the attacker tactics were similar, even if they involved different threat actors.
“The initial phase saw attackers trying to kill off competing malware, security products, and other cloud middleware. This was followed by routines for persistence and payload execution, which in most cases is a Monero (XMR) cryptocurrency miner,” reads the technical write-up.
For more sophisticated threats, Trend Micro said they have also observed capabilities that allowed infection on more devices.
“In November 2022, we intercepted a threat that had a slightly different routine and incorporated an advanced RAT named Chaos […] which is based on an open-source project.”
In the newly observed attacks, the main downloader script and further payloads were hosted in different locations to ensure that the campaign remained active and kept on spreading.
During this malicious campaign, the scripts spotted by Trend Micro showed that the main server, which was also used for downloading payloads, appeared to be located in Russia.
From a technical standpoint, the Chaos RAT is a Go-compiled binary with several functions, including executing reverse shells, downloading and uploading files, and taking screenshots, among others.
“On the surface, the incorporation of a RAT into the infection routine of a cryptocurrency mining malware might seem relatively minor,” Trend Micro wrote.
“However, given the tool’s array of functions and the fact that this evolution shows that cloud-based threat actors are still evolving their campaigns, it is important that both organizations and individuals stay extra vigilant when it comes to security.”
The Trend Micro advisory comes roughly two months after decentralized finance (DeFi) platform Moola Market confirmed it suffered a security incident leading to a loss of up to $9m worth of cryptocurrency.
