From open-source to open threat: Tracking Chaos RAT’s evolution

Chaos RAT is an open-source remote administration tool written in Go that targets Windows and Linux systems, offering capabilities such as file management, a remote shell, and command execution. Recent analysis uncovered new variants, a critical command injection vulnerability in the web panel's build-client function that enables remote code execution on the RAT server, and use of the tool in real-world attacks where the payload was disguised as a Linux network troubleshooting utility. #ChaosRAT #CVE-2024-30850 #CVE-2024-31839

Keypoints

  • Chaos RAT is a Golang-based cross-platform RAT supporting Windows and Linux, actively developed and updated through October 2024.
  • The malware is typically delivered via phishing lures, including a disguised Linux network troubleshooting tool, and achieves persistence through cron jobs on Linux.
  • The admin panel offers attackers functionalities to generate payloads, manage clients, execute commands, and browse files remotely with a web-based interface.
  • Recent Chaos RAT variants encode configuration data in Base64 with randomized fields and use JWT tokens for command-and-control authentication.
  • Its capabilities include system profiling, screenshot capture, file upload/download, command execution, and system reboot/shutdown across OS platforms.
  • A critical command injection vulnerability (CVE-2024-30850) in the admin panel's build-client function allows remote code execution on the RAT server; an XSS vulnerability in the same admin panel (CVE-2024-31839) can be combined with it to trigger the injection from an administrator's browser session.
  • Chaos RAT’s open-source nature enables rapid adaptation by threat actors, facilitating espionage, data exfiltration, and post-compromise operations, while complicating threat attribution.

MITRE Techniques

  • [T1059] Command and Scripting Interpreter – Chaos RAT executes system commands on compromised Windows and Linux systems, relaying output back to the server. (“…it passes the command to the terminal. The output of command execution will be sent back to the server.”)
  • [T1071] Application Layer Protocol – The RAT communicates with its C2 server using HTTP requests with specific API endpoints such as /client, /health, and /device. (“…client appends one of the following strings to the IP address and port before sending request…”)
  • [T1105] Ingress Tool Transfer – File upload and download commands enable transferring files between client and server. (“…reads file content and creates a POST request…”; “…it will download the file via a GET request.”)
  • [T1564] Hide Artifacts – The RAT can hide its console window on Windows using the ‘Run Hidden’ option and suppress output on Linux by redirecting it to /dev/null. (“Windows variant has the ‘Run Hidden’ option… Linux doesn’t but output can be redirected to ‘/dev/null’.”)
  • [T1539] Steal Web Session Cookie – An XSS vulnerability in the admin panel allows attackers to execute JavaScript in the admin browser context. (“…exploiting an XSS vulnerability in the admin panel… execute JavaScript in the admin’s browser session context.”)
  • [T1190] Exploit Public-Facing Application – A command injection vulnerability in the build-client function enables remote code execution on the RAT server. (“…the use of exec.Command("sh", "-c", buildCmd) meant that malicious inputs could inject arbitrary commands.”)
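The following Go program is an added illustration of the command injection pattern quoted above and of the hardened form; it is example code written for this page, not code from the Chaos RAT project, and it does not reproduce the tool's real build command. The `echo` stand-in, the hostname allow-list regex, and the function names are assumptions chosen so the example runs anywhere with a POSIX `sh`.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"os/exec"
	"regexp"
	"strconv"
)

// hostnameRe is a deliberately strict allow-list for the server address field:
// IP literals are checked separately; names may only contain letters, digits,
// dots and hyphens. (Assumption for this example, not the project's own rule.)
var hostnameRe = regexp.MustCompile(`^[A-Za-z0-9.-]{1,253}$`)

// VulnerableBuild mirrors the risky pattern quoted on the page: the attacker-
// influenced address and port are spliced into one string that is handed to
// "sh -c", so shell metacharacters in either field become extra commands.
// The real tool runs a Go build here; this stand-in only echoes the command
// line so the example is safe to run.
func VulnerableBuild(addr, port string) (string, error) {
	buildCmd := fmt.Sprintf("echo building client for %s:%s", addr, port)
	out, err := exec.Command("sh", "-c", buildCmd).CombinedOutput()
	return string(out), err
}

// ValidateTarget is the hardening step: accept only an IPv4/IPv6 literal or a
// hostname made of safe characters, and a port in the range 1..65535.
func ValidateTarget(addr, port string) error {
	if net.ParseIP(addr) == nil && !hostnameRe.MatchString(addr) {
		return errors.New("address contains characters that are not allowed")
	}
	p, err := strconv.Atoi(port)
	if err != nil || p < 1 || p > 65535 {
		return errors.New("port must be an integer between 1 and 65535")
	}
	return nil
}

// SafeBuild validates first and then invokes the program directly with an
// argv slice, so no shell ever parses user-controlled text. Even if the
// validation were bypassed, "; echo INJECTED" would reach the program as a
// literal argument rather than as a second command.
func SafeBuild(addr, port string) (string, error) {
	if err := ValidateTarget(addr, port); err != nil {
		return "", err
	}
	out, err := exec.Command("echo", "building", "client", "for", addr+":"+port).CombinedOutput()
	return string(out), err
}

func main() {
	// Constructed payload: a valid-looking address followed by a shell separator.
	payload := "1.2.3.4; echo INJECTED"
	out, _ := VulnerableBuild(payload, "8080")
	fmt.Printf("vulnerable build output:\n%s", out)
	if _, err := SafeBuild(payload, "8080"); err != nil {
		fmt.Println("hardened build rejected the payload:", err)
	}
}
```

Running the program shows the vulnerable path printing a second line, `INJECTED:8080`, because `sh` treated the `;` as a command separator, while the hardened path rejects the same input before anything is executed. The two defences are independent: the allow-list stops hostile input at the boundary, and passing an argv slice instead of a shell string removes the interpreter that made the injection possible.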

Indicators of Compromise

  • [File Hash] Chaos RAT sample hashes – SHA256: 1e074d9dca6ef0edd24afb2d13cafc5486cd4170c989ef60efd0bbb0… and a51416ea472658b5530a92163e64cfa51f983dfabe3da38e0646e92fb14de191.
  • [IP Address] Command-and-control servers – 176.65.141.63, 91.208.197.40.
  • [File Name] Malicious payload archive – NetworkAnalyzer.tar.gz (used as a lure for Linux users).
  • [YARA Rule] ELFChaosRAT – Detects Linux ELF binaries with specific CHAOS-RAT-generated payload indicators including strings “tiagorlampert/CHAOS”, “BurntSushi/xgb”, and “kbinani/screenshot”.

Read more: https://www.acronis.com/en-us/cyber-protection-center/posts/from-open-source-to-open-threat-tracking-chaos-rats-evolution/