ChaosRAT Targets Windows and Linux

New variants of Chaos RAT have been identified targeting both Windows and Linux systems through phishing campaigns using malicious PDFs. The malware employs advanced obfuscation techniques to steal data, deploy cryptominers, and maintain persistent control over infected devices. #ChaosRAT #RemoteAdministrationTool

Keypoints

  • Chaos RAT evolved from an open-source tool into sophisticated malware targeting Windows and Linux platforms.
  • It spreads primarily via phishing emails containing malicious PDF attachments that trigger multi-stage infections.
  • The infection chain on Windows starts with a JavaScript file downloading a BAT script; on Linux, it masquerades as legitimate tools like “NetworkCheck.”
  • The malware uses advanced obfuscation, encoded strings, dynamic API resolution, and environment checks to evade analysis and detection.
  • Capabilities include cryptocurrency mining, keylogging, screen capture, data exfiltration, and remote command execution.
  • Persistence is established through scheduled tasks, registry modifications on Windows, and obfuscated shell scripts on Linux.
  • No specific targeted verticals or regions were identified, indicating a broad potential attack surface.

MITRE Techniques

  • [T1204] User Execution – The malware spreads via phishing emails with malicious PDFs that prompt victims to click embedded links initiating infections (“phishing emails containing malicious PDF attachments…victims to click embedded links”).
  • [T1059] Command and Scripting Interpreter – Uses JavaScript files and BAT scripts on Windows and shell scripts on Linux to download and execute payloads (“infection begins with a JavaScript file…shell scripts to retrieve and execute the RAT”).
  • [T1543] Create or Modify System Process – Establishes persistence through scheduled tasks and registry modifications (“establishing persistence through scheduled tasks and registry modifications”).
  • [T1027] Obfuscated Files or Information – Employs complex obfuscation, encoded strings, and dynamic API resolution to evade detection (“uses complex obfuscation, including encoded strings and dynamic API resolution”).
  • [T1499] Resource Hijacking – Deploys cryptocurrency mining modules to leverage system resources illicitly (“deploys cryptocurrency mining modules, leveraging system resources”).
  • [T1083] File and Directory Discovery – Performs data theft and file exfiltration (“file exfiltration”).
  • [T1113] Screen Capture – Captures screenshots on infected systems (“screen capture”).
  • [T1056] Input Capture – Employs keylogging capabilities (“keylogging”).

Indicators of Compromise

  • [File Hashes] Multiple Chaos RAT samples identified – examples include 1e074d9dca6ef0edd24afb2d13ca4429def5fc5486cd4170c989ef60efd0bbb0, 77962a384d251f0aa8e3008a88f206d6cb1f7401c759c4614e3bfe865e3e985c, and 9 more hashes.
  • [File Names] Malicious infection chain files – JavaScript files, BAT scripts on Windows, and shell scripts named to mimic legitimate tools like “NetworkCheck” on Linux.

Read more: https://blog.polyswarm.io/new-chaos-rat-variants-observed