Full Report
Arch Linux has pulled three malicious packages uploaded to the Arch User Repository (AUR) that were used to install the CHAOS remote access trojan (RAT) on Linux devices. [...]
Analysis Summary
# Tool/Technique: Chaos RAT
## Overview
Chaos RAT is an open-source Remote Access Trojan (RAT) primarily used for compromising Windows and Linux operating systems, granting threat actors full access to infected devices. It operates by connecting back to a Command and Control (C2) server, awaiting instructions. While often associated with cryptocurrency mining, it is multipurpose and can be used for credential harvesting, data exfiltration, and cyber espionage.
## Technical Details
- Type: Malware family (Remote Access Trojan - RAT)
- Platform: Windows and Linux
- Capabilities: Uploading/downloading files, executing arbitrary commands, opening a reverse shell.
- First Seen: Not specified in context. (The AUR distribution campaign described here was identified around July 18th.)
## MITRE ATT&CK Mapping
*Note: Specific tactics are inferred based on general RAT capabilities.*
- TA0011 - Command and Control
  - T1071 - Application Layer Protocol
- TA0002 - Execution
  - T1059 - Command and Scripting Interpreter (Executing commands)
- TA0010 - Exfiltration
  - T1041 - Exfiltration Over C2 Channel
## Functionality
### Core Capabilities
- Establishes persistent communication with a C2 server.
- Executes remote commands received from the C2 server.
- Allows for file system manipulation (upload/download of files).
- Provides a reverse shell connection for interactive control.
### Advanced Features
- Utilized in campaigns involving cryptocurrency mining.
- Capable of credential harvesting and data theft.
## Indicators of Compromise
- File Hashes: N/A in context.
- File Names: Suspicious executable named "systemd-initd" located in the `/tmp` folder (on Linux systems).
- Registry Keys: N/A in context (focus is on Linux distribution method).
- Network Indicators:
- C2 Server: `130[.]162[.]225[.]47`:8080 (Defanged)
- Behavioral Indicators: Repeated connections back to a known C2 address, the presence of the suspicious `/tmp/systemd-initd` executable.
## Associated Threat Actors
The context does not name the threat actors behind this AUR campaign; it only notes that Chaos RAT is used by various actors for a range of malicious purposes.
## Detection Methods
- Signature-based detection: Identifying known file hashes or signatures associated with Chaos RAT binaries.
- Behavioral detection: Monitoring for processes whose executable lives in a temporary directory (`/tmp`) and whose name mimics a system service (e.g., `systemd-initd`). Monitoring outbound connections to the known C2 address and, more generally, to unfamiliar external hosts on ports such as 8080.
- YARA rules: Not specified in context.
## Mitigation Strategies
- Remove immediately: Users who installed the compromised AUR packages must uninstall them and delete the `/tmp/systemd-initd` executable. Terminate any running `systemd-initd` process first; deleting the file alone leaves an already-running RAT connected to its C2.
- Verification: Given the RAT's capabilities, affected users should check their systems for other signs of compromise (additional persistence, unexpected outbound connections) and treat credentials that were present on the host as exposed.
- Secure Package Sources: Be cautious when installing packages from community repositories like the AUR. Read the PKGBUILD and its sources before building, and prefer packages with an established maintainer history.
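The behavioral checks from the Detection Methods section and the verification step above, as an added host-triage script. This is example code written for this page, not code from the original report or from the Arch Linux project. Only the two indicators (the `/tmp/systemd-initd` path and the C2 address `130.162.225.47:8080`) come from the report; the function names, the `ss -tnp` parsing, and the sample socket rows in the test are assumptions made for this example.

```shell
#!/usr/bin/env bash
# chaos_triage.sh: host triage for the Chaos RAT indicators on this page.
# Added example; not code from the original report or from Arch Linux.
# The indicators below come from the report; the parsing logic, function
# names and directory list are assumptions made for this example.
set -u

C2_IP="130.162.225.47"
C2_PORT="8080"
SUSPECT_NAME="systemd-initd"

# exe_is_suspicious PATH: succeed (0) if a process image lives in a
# world-writable scratch directory or borrows the systemd-initd name.
exe_is_suspicious() {
    local exe="$1" base
    base=${exe##*/}
    base=${base% (deleted)}   # readlink appends " (deleted)" once the file is removed
    case "$exe" in
        /tmp/*|/dev/shm/*|/var/tmp/*) return 0 ;;
    esac
    [ "$base" = "$SUSPECT_NAME" ]
}

# find_c2_connections: read `ss -tnp` rows (no header) on stdin and print the
# PID of every socket whose peer is the known C2, or "?" if ss showed no owner.
find_c2_connections() {
    local line peer pid
    while IFS= read -r line; do
        # ss -tnp columns: State Recv-Q Send-Q Local:Port Peer:Port Process
        peer=$(printf '%s\n' "$line" | awk '{print $5}')
        [ "$peer" = "${C2_IP}:${C2_PORT}" ] || continue
        pid=$(printf '%s\n' "$line" | sed -n 's/.*pid=\([0-9]*\).*/\1/p')
        printf '%s\n' "${pid:-?}"
    done
}

# scan_processes: walk /proc and print "PID EXE" for every suspicious image.
scan_processes() {
    local p pid exe
    for p in /proc/[0-9]*; do
        pid=${p#/proc/}
        exe=$(readlink "$p/exe" 2>/dev/null) || continue   # kernel threads have no exe
        if exe_is_suspicious "$exe"; then
            printf '%s %s\n' "$pid" "$exe"
        fi
    done
}

main() {
    echo "[*] processes running from scratch dirs or named $SUSPECT_NAME:"
    scan_processes
    echo "[*] sockets to ${C2_IP}:${C2_PORT} (owning PIDs):"
    ss -tnp 2>/dev/null | tail -n +2 | find_c2_connections
    echo "[*] known file indicator:"
    if [ -e "/tmp/$SUSPECT_NAME" ]; then
        echo "    /tmp/$SUSPECT_NAME present"
    else
        echo "    /tmp/$SUSPECT_NAME absent"
    fi
    echo "[*] foreign (non-repo, typically AUR) packages to review: pacman -Qm"
}

# Run the live checks only when asked; sourcing the file just loads the helpers.
if [ "${1:-}" = "scan" ]; then
    main
fi
```

Run it as root with `bash chaos_triage.sh scan` (root is needed for `ss -p` and `/proc/<pid>/exe` of other users' processes). The script only reports; if it flags a PID, kill that process before deleting `/tmp/systemd-initd`, then remove the package with `pacman -Rns <package>` so a rebuild does not reintroduce the dropper. Matching on the peer address alone means a socket in SYN-SENT state is caught too, which is what you see when the C2 has already been taken down but the RAT keeps retrying.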
## Related Tools/Techniques
- Other RATs used for similar purposes (e.g., DarkHTTP, Godlua).