The new cryptojacking campaign, discovered in November, incorporates a Remote Access Trojan (RAT) into its attacks. The Trojan, dubbed Chaos RAT, is free and open source and allows attackers to take control of remote operating systems.
Like several other crypto-mining campaigns, this one stealthily compromises Linux systems and uses their computing power to mine the Monero cryptocurrency, according to Trend Micro cybersecurity researchers. Cryptomining attacks often spread by exploiting common security vulnerabilities or are hidden in pirated software downloads.
If a single system is compromised by cryptomining malware, much profit is unlikely to be made, but attackers infect a large network of infected systems and servers in order to generate as much cryptocurrency as possible – with the associated utility bills paid involuntarily by the victim is supported.
Attacks often go unnoticed because the compromised user is unlikely to notice the performance degradation of their system, unless the machine is under excessive strain.
The main download script and other payloads are hosted in different places to ensure that the campaign stays active and continues to spread. The scripts show that the main server, which is also used to download the payloads, appears to be located in Russia. Whois historical data shows that it is also used for Cloud Bulletproof hosting (a modus operandi previously used by hacker teams – using open-source tools – to launch their attacks on cloud infrastructure, containers and concentrated Linux environments).
Large networks of compromised systems mining cryptocurrencies can therefore provide cybercriminals with a constant stream of income – one of the reasons why this technique has become such a popular form of malware. The RAT is downloaded along with the XMRig miner used to mine cryptocurrencies and a shell script designed to remove all other competing miners previously installed on the system.
Chaos RAT has several powerful features, including the ability to upload, download, and delete files, take screenshots, access File Explorer, and open URLs.
The Trojan also appears to be used to connect to a command and control server which could be used to deliver other malicious payloads. Attackers may use the power of Trojans to perform more harmful cyberattacks – for example, using Chaos to steal usernames and passwords or online banking information.
“On the surface, including a RAT in the infection routine of cryptocurrency mining malware may seem relatively insignificant,” write Trend Micro researchers David Fiser and Alfredo Oliveira in their blog post. .
“Given the tool’s rich functionality and the fact that this development shows that cloud-based threat actors are still evolving their campaigns, it is important that organizations and individuals remain extremely vigilant when it comes to security,” they add.
To protect networks and cloud services from cryptomining malware and other cyberattacks, organizations are recommended to adopt common cybersecurity best practices, including timely patching and updating of software and applications to reduce the risk of exploiting vulnerabilities in outdated versions.
Organizations may also consider using tools capable of restricting and filtering network traffic to and from malicious hosts, such as B. Firewalls and intrusion detection and prevention systems.