A cryptomining malware campaign that targets systems and cloud-computing instances running on Linux has added trojan malware to its capabilities – something that could make attacks more dangerous.
Detailed by cybersecurity researchers at Trend Micro, this campaign, like several other cryptomining campaigns, secretly compromises Linux systems and uses their computing power to mine Monero.
Cryptomining attacks are often distributed by exploiting common cybersecurity vulnerabilities or are hidden inside cracked software downloads, among other methods.
Compromising a single system with cryptomining malware is unlikely to generate much profit, so attackers infect as many systems and servers as they can to generate as much cryptocurrency as possible, with the associated energy bill unwittingly picked up by the victims.
The attacks often go undetected because, unless the machine is pushed too hard, the owner of a compromised system is unlikely to notice the drop in performance.
Large networks of compromised systems mining for cryptocurrency can, therefore, produce a steady stream of income for cyber criminals – which is why this technique has become such a popular form of malware.
What makes this new cryptojacking campaign – which was uncovered in November – stand out from others is that it has incorporated a remote access trojan (RAT) into its attacks. The trojan, called Chaos RAT, is free and open source – and allows attackers to control remote operating systems.
The RAT is downloaded alongside the XMRig miner, which does the actual cryptocurrency mining, and a shell script that removes any competing miners that might already have been installed on the system.
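Because the miner itself rarely announces its presence (see the note above about victims not noticing the performance drop), defenders usually find it by the way it is invoked: XMRig is normally started with a pool URL (-o/--url, often a stratum+tcp:// address), a wallet passed as the user (-u/--user, for Monero a 95-character base58 address starting with 4 or 8) and XMRig-specific options such as --donate-level, and droppers like the one described here tend to run the binary out of /tmp or a hidden directory under a kernel-looking name. The following scanner is an added example written for this article, not code from Trend Micro or from the campaign; it walks /proc/[pid]/cmdline on a Linux host and scores each process against those indicators. The sample command lines, the pool hostname pool.example.test and the wallet string are constructed placeholders, and the indicator list is a heuristic, not a complete signature.

```python
import os
import re
from typing import Dict, List

# Names XMRig and its relatives are commonly shipped under.
MINER_BINARIES = ("xmrig", "minerd", "cpuminer")
# Mining pools are usually addressed with a stratum URL.
STRATUM_URL = re.compile(r"stratum\+(tcp|ssl|tls)://", re.IGNORECASE)
# XMRig takes the pool as -o/--url and the wallet as -u/--user.
POOL_FLAG = re.compile(r"(^|\s)(-o|--url)(=|\s)\S+")
USER_FLAG = re.compile(r"(^|\s)(-u|--user)(=|\s)\S+")
# A Monero standard address: 95 base58 characters beginning with 4 or 8.
MONERO_ADDRESS = re.compile(r"\b[48][1-9A-HJ-NP-Za-km-z]{94}\b")
# XMRig options that have no reason to appear in ordinary workloads.
XMRIG_OPTIONS = ("--donate-level", "--cpu-max-threads-hint",
                 "--randomx-1gb-pages", "--nicehash", "--coin")
# Locations droppers favour for a renamed miner binary.
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def miner_indicators(cmdline: str) -> List[str]:
    """Return the list of miner indicators present in one process command line."""
    hits: List[str] = []
    tokens = cmdline.split()
    if not tokens:
        return hits  # kernel threads have an empty cmdline; nothing to judge
    exe = tokens[0]
    if os.path.basename(exe).lower() in MINER_BINARIES:
        hits.append("known miner binary")
    if exe.startswith(SCRATCH_DIRS) or "/." in exe:
        hits.append("executable in scratch or hidden directory")
    if STRATUM_URL.search(cmdline):
        hits.append("stratum pool URL")
    if POOL_FLAG.search(cmdline) and USER_FLAG.search(cmdline):
        hits.append("pool/user flag pair")
    if MONERO_ADDRESS.search(cmdline):
        hits.append("monero wallet address")
    # Options may be written --opt value or --opt=value; compare the name only.
    names = {t.split("=", 1)[0] for t in tokens}
    hits.extend(f"xmrig option {opt}" for opt in XMRIG_OPTIONS if opt in names)
    return hits


def suspicious(cmdline: str) -> bool:
    """Strong indicators alone are enough; weak ones (e.g. curl -o ... -u ...) must combine."""
    hits = miner_indicators(cmdline)
    strong = {"known miner binary", "stratum pool URL", "monero wallet address"}
    return bool(strong.intersection(hits)) or len(hits) >= 2


def scan_proc(proc_root: str = "/proc") -> Dict[int, List[str]]:
    """Scan every /proc/[pid]/cmdline on a Linux host; empty dict where /proc is absent."""
    findings: Dict[int, List[str]] = {}
    if not os.path.isdir(proc_root):
        return findings
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "cmdline"), "rb") as fh:
                raw = fh.read()
        except OSError:  # process exited or is not readable by us
            continue
        cmdline = raw.replace(b"\x00", b" ").decode("utf-8", "replace").strip()
        if cmdline and suspicious(cmdline):
            findings[int(entry)] = miner_indicators(cmdline)
    return findings


# Constructed sample command lines (placeholders, not observed data).
FAKE_WALLET = "4" + "8Ab" * 31 + "8"  # 95 base58 chars; not a real address
SAMPLE_CMDLINES = {
    101: "/usr/sbin/sshd -D",
    202: "python3 /opt/app/worker.py --url https://api.example.internal/jobs",
    303: f"/tmp/.x/kthreadd -o stratum+tcp://pool.example.test:3333 -u {FAKE_WALLET} -p x -k --donate-level 0",
    404: "xmrig --config=/tmp/.cfg/config.json",
    505: "curl -s -o /tmp/out.bin -u svc:token https://repo.example.internal/pkg",
}

if __name__ == "__main__":
    for pid, cmd in SAMPLE_CMDLINES.items():
        print(pid, suspicious(cmd), miner_indicators(cmd))
    for pid, hits in scan_proc().items():
        print("live host:", pid, hits)
```

The renamed-binary case (pid 303) is the one that matters: the process name mimics a kernel thread, so a name-based check misses it, but the pool URL, wallet and --donate-level still give it away. The curl line (pid 505) shows why the -o/-u pair is only a weak indicator and is not flagged on its own.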
Chaos RAT has several powerful functions, including the ability to download, upload and delete files, take screenshots, access file explorer and open URLs.
The trojan also connects to a command-and-control server that could be used to supply additional malicious payloads. There is also the potential for the attackers to use the RAT's capabilities to conduct more damaging attacks, for example using Chaos to steal usernames and passwords or online banking details.
"On the surface, the incorporation of a RAT into the infection routine of a cryptocurrency mining malware might seem relatively minor," Trend Micro researchers David Fiser and Alfredo Oliveira wrote in the blog post.
"However, given the tool's array of functions and the fact that this evolution shows that cloud-based threat actors are still evolving their campaigns, it is important that both organizations and individuals stay extra vigilant when it comes to security," they added.
To protect networks and cloud services from cryptomining malware and other cyberattacks, organizations should implement common cybersecurity best practices, including timely patching and updating of software and applications, to reduce the chance that vulnerabilities in outdated versions are exploited.
Organizations could also consider deploying tools that limit and filter network traffic to and from malicious hosts, such as firewalls and intrusion detection and prevention systems.