The open-source Chaos Remote Administration Tool (RAT) continues to be used in cyberattacks with new variants discovered by the Acronis Threat Research Unit (TRU), the cybersecurity company reported Wednesday.
Chaos RAT, available on GitHub, enables users to control remote Windows and Linux systems via a reverse shell and perform tasks, including file management and command execution.
“While not inherently malicious, it is almost exclusively used in malicious campaigns due to its lack of access controls and ease of deployment,” Acronis TRU Lead Security Researcher Santiago Pontiroli told SC Media.
A recent Chaos RAT sample uploaded to VirusTotal this year suggests Linux machines were targeted: its file name, “NetworkAnalyzer.tar.gz”, appears to spoof a legitimate Linux utility, according to Acronis.
Attackers leverage ease and flexibility of free open-source RATs
Chaos RAT’s publicly available, open-source nature provides options for attackers to either customize the tool for their own use or use an inconspicuous “out-of-the-box” version to blend in among others using the RAT.
“Many actors deploy Chaos RAT directly from the public GitHub repository with little to no modification, leveraging the default admin panel and command set. This is especially true in opportunistic attacks or proof-of-concept deployments,” Pontiroli said.
When changes are made, attackers may use additional packers and obfuscators to avoid signature-based detection or make changes to the network protocol to bypass static and behavioral analysis, Pontiroli added.
The tool includes a convenient browser-accessible administrative panel where users can generate payloads, view and manage clients and execute real-time commands on connected devices.
After installation and configuration, the RAT automatically gathers information about the host machine, including host name, MAC address, IP address and operating system (OS) name, and then initializes additional services based on the detected OS. The core command set for Chaos RAT includes file listing, downloading, uploading and deletion, system shutdown and restart, system information and screenshot collection, and opening a URL in the system’s default browser.
Features exclusive to the Windows version include system locking, using the LockWorkStation function from user32.dll, and user sign-out using the shutdown -L command.
Additional arbitrary commands that are not included in the core command set are passed to the system’s command terminal, with the output delivered back to the server.
More recent samples of Chaos RAT store all data in a Base64-encoded string, while previous versions stored data in plain text except for the token value.
“Recent developments around Chaos RAT highlight its continued use in offensive operations, even as active feature updates have slowed. As of version 5.0.3, released in 2024, Chaos RAT introduced native 64-bit support for both Linux and Windows clients,” Pontiroli told SC Media.
While more specific details about the most recent attacks are not available, Chaos RAT has previously been used in conjunction with cryptojacking campaigns, with its malicious use dating back to 2022.
The RAT is often spread via files masquerading as legitimate Linux utilities such as network_analyzer, appmonitor, and sysclean, and delivered through multi-stage loaders including shell scripts and bash droppers, according to Pontiroli.
Older versions of Chaos RAT were noted to be susceptible to vulnerabilities including a command injection flaw tracked as CVE-2024-30850 and a cross-site scripting flaw tracked as CVE-2024-31839, which could lead to hijacking of servers hosting Chaos RAT or the admin panel’s browser session, respectively.
In addition to Chaos RAT, threat actors are known to leverage other free, open-source RATs in malicious campaigns, with Acronis noting the use of NjRAT by APT41 and APT36, QuasarRAT by APT10, Pupy RAT by APT34 and APT45, and AsyncRAT by Blind Eagle.
SC Media reached out to the developer of Chaos RAT, Tiago Rodrigo Lampert, for comment and did not receive a response.