A cryptocurrency mining attack targeting the Linux operating system also involved the use of an open source remote access trojan (RAT) dubbed CHAOS.
The potency of the Chaos malware stems from a few factors. First, it is designed to work across several architectures, including ARM, Intel (i386), MIPS and PowerPC, on both Windows and Linux operating systems. Second, unlike large-scale ransomware distribution botnets like Emotet that rely on spam to spread and grow, Chaos propagates through known CVEs and through brute-forced as well as stolen SSH keys.
The cybersecurity firm said that the main downloader script and further payloads are hosted in multiple locations to make sure that the campaign remains active and new infections continue to happen.
The RAT's functions are as follows:
- Perform reverse shell
- Download files
- Upload files
- Delete files
- Take screenshots
- Access file explorer
- Gather operating system information
- Restart the PC
- Shut down the PC
- Open a URL
The CHAOS RAT, once downloaded and launched, transmits detailed system metadata to a remote server, while also coming with capabilities to carry out file operations, take screenshots, shut down and restart the computer, and open arbitrary URLs.
CHAOS RAT IOCs

| SHA-256 | File name | Detection name |
|---|---|---|
| 051351f4257d7f87bede9b72455aae5a5b9a8269bfb4bcbecb1501f7a3409957 | config.json | PUA.Linux.XMRMiner.AB |
| 759c496b114f9212c610892c5236935cced564a78b3b410bd2d27c9ee6257f42 | genshin | Trojan.Linux.CHAOSRAT.USELVHA22 |
| 52ab96b1d99964502a7946eef39a5f636d8a240c747d43f8568d62cf0e960ae9 | rn02s62s | Trojan.SH.MALXMR.UWELT |
| 7a96d9f7a25a67ec2873bb814cb0ba104d3b7c1651f65ff09d8e1f76cba6fb79 | solr.sh | Trojan.SH.MALXMR.UWELT |
| fd452da0d978514adaeee1dd5227212aad00bf07f2481d335eed77a4ee08a5e8 | xg546sAd | Trojan.SH.MALXMR.UWELT |
| 3928c5874249cc71b2d88e5c0c00989ac394238747bb7638897fc210531b4aab | xmrig_setup.exe | Trojan.JS.MALXMR.CMPAW |
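As an added example (not code from the original report or from the firm that published these indicators), the following scanner hashes every file below a directory and matches the content hashes against the SHA-256 values listed for this campaign, so a renamed payload is still flagged. The `demo()` self-check writes a constructed, harmless sample file and a placeholder detection name; those are assumptions for the test, not indicators from the page.

```python
import hashlib
import tempfile
from pathlib import Path

# SHA-256 -> (file name, detection name), copied from the CHAOS RAT IOC table above.
CHAOS_RAT_IOCS = {
    "051351f4257d7f87bede9b72455aae5a5b9a8269bfb4bcbecb1501f7a3409957": ("config.json", "PUA.Linux.XMRMiner.AB"),
    "759c496b114f9212c610892c5236935cced564a78b3b410bd2d27c9ee6257f42": ("genshin", "Trojan.Linux.CHAOSRAT.USELVHA22"),
    "52ab96b1d99964502a7946eef39a5f636d8a240c747d43f8568d62cf0e960ae9": ("rn02s62s", "Trojan.SH.MALXMR.UWELT"),
    "7a96d9f7a25a67ec2873bb814cb0ba104d3b7c1651f65ff09d8e1f76cba6fb79": ("solr.sh", "Trojan.SH.MALXMR.UWELT"),
    "fd452da0d978514adaeee1dd5227212aad00bf07f2481d335eed77a4ee08a5e8": ("xg546sAd", "Trojan.SH.MALXMR.UWELT"),
    "3928c5874249cc71b2d88e5c0c00989ac394238747bb7638897fc210531b4aab": ("xmrig_setup.exe", "Trojan.JS.MALXMR.CMPAW"),
}

def sha256_of(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large binaries never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()

def scan_tree(root, iocs=CHAOS_RAT_IOCS):
    """Hash every regular file below root; return (path, sha256, ioc file name, detection) per match."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue  # skip symlinks, directories, sockets and device nodes
        try:
            digest = sha256_of(path)
        except OSError:
            continue  # an unreadable file should not abort the whole sweep
        if digest in iocs:  # match on content, not on the file name the dropper chose
            name, detection = iocs[digest]
            hits.append((str(path), digest, name, detection))
    return hits

def demo():
    """Constructed self-check (an assumption, not page data): write a harmless sample file, add its
    hash to a copy of the IOC table under a placeholder detection name, and confirm it is flagged."""
    root = Path(tempfile.mkdtemp())
    sample = root / "renamed.bin"  # constructed content; the name shows matching ignores file names
    sample.write_bytes(b"constructed sample, not malware\n")
    (root / "notes.txt").write_text("benign file\n")
    iocs = dict(CHAOS_RAT_IOCS)
    iocs[sha256_of(sample)] = ("genshin", "Placeholder.Test.Detection")
    return scan_tree(root, iocs)

if __name__ == "__main__":
    print(demo())
```

In real use, point `scan_tree()` at the paths a Linux host stages downloads in and feed its output to your case-management or alerting pipeline; the detection names let you cross-reference the hit with the vendor's naming.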