Cryptocurrency Mining Campaign Hits Linux Users with Go-based CHAOS Malware

Cryptocurrency Mining Campaign Hits Linux Users with Go-based CHAOS Malware

A cryptocurrency mining attack targeting the Linux operating system also involved the use of an open source remote access trojan (RAT) dubbed CHAOS.

The potency of the Chaos malware stems from a few factors: first, it is designed to work across several architectures, including: ARM, Intel (i386), MIPS and PowerPC – in addition to both Windows and Linux operating systems. Second, unlike largescale ransomware distribution botnets like Emotet that leverage spam to spread and grow, Chaos propagates through known CVEs and brute forced as well as stolen SSH keys.

The cybersecurity firm said that the main downloader script and further payloads are hosted in multiple locations to make sure that the campaign remains active and new infections continue to happen.

The rat functions as below:

  • Perform reverse shell
  • Download files
  • Upload files
  • Delete files
  • Take screenshots
  • Access file explorer
  • Gather operating system information
  • Restart the PC
  • Shutdown the PC
  • Open a URL

The CHAOS RAT, once downloaded and launched, transmits detailed system metadata to a remote server, while also coming with capabilities to carry out file operations, take screenshots, shutdown and restart the computer, and open arbitrary URLs.


HA-256									File name		Detection name

051351f4257d7f87bede9b72455aae5a5b9a8269bfb4bcbecb1501f7a3409957	config.json		PUA.Linux.XMRMiner.AB
759c496b114f9212c610892c5236935cced564a78b3b410bd2d27c9ee6257f42	genshin			Trojan.Linux.CHAOSRAT.USELVHA22													
52ab96b1d99964502a7946eef39a5f636d8a240c747d43f8568d62cf0e960ae9	rn02s62s		Trojan.SH.MALXMR.UWELT
7a96d9f7a25a67ec2873bb814cb0ba104d3b7c1651f65ff09d8e1f76cba6fb79			Trojan.SH.MALXMR.UWELT
fd452da0d978514adaeee1dd5227212aad00bf07f2481d335eed77a4ee08a5e8	xg546sAd		Trojan.SH.MALXMR.UWELT
3928c5874249cc71b2d88e5c0c00989ac394238747bb7638897fc210531b4aab	xmrig_setup.exe		Trojan.JS.MALXMR.CMPAW

About the Author:

FirstHackersNews- Identifies Security

Leave A Comment

Subscribe to our newsletter to receive security tips everday!