The Chaos malware, as reported by the Black Lotus Lab from Lumen, is able to work on different architectures: ARM, Intel (i386), MIPS and PowerPC, providing DDoS services, cryptocurrency mining and backdoor capabilities while written for both Windows and Linux operating systems.
The malware is fully written in the Go programming language, which enables developers to more easily port their software to various different operating systems. They only need to write the malware code once before compiling binaries for multiple platforms. It has become increasingly common to find malware written in Go, as it is more difficult to analyze for security researchers.
What Chaos malware is capable of doing
Chaos, in addition to being able to work on multiple platforms, has also been designed to use known vulnerabilities and brute force SSH. Lumen researchers assess that Chaos is an evolution from the DDoS malware Kaiji based on code and function overlaps.
SEE: Mobile device security policy (TechRepublic Premium)
Once run on a system, the malware establishes persistence and communicates with its command and control server. The server in turn answers with one or more staging commands serving different purposes before possibly receiving more commands or additional modules (Figure A).
Communications to the C2 are established on a UDP port determined by the device’s MAC address. The initial message sent to the C2 sends a single word — “online” — together with the port number, Microsoft Windows version and architecture information.
Interestingly, if determining the Windows version fails, the malware sends “windwos 未知” — the Chinese characters meaning “unknown.” The port will also change from one infected device to the other, rendering network detection harder.
On Linux systems, the malware sends operating system but not architectural information. If it fails, it sends a message in Chinese meaning “GET failed.”
Once a successful connection is established, the C2 sends the staging commands, which can be:
- Automatic propagation via the Secure Shell protocol, compromising additional machines by using keys stolen from the host, brute force or a downloaded password file
- Setting a new port for accessing additional files on the C2 server that are used by other commands: password.txt, download.sh and cve.txt
- Spoofing IP addresses on Linux systems to modify network packet headers during a DDoS attack to appear as coming from different machines
- Exploiting various known vulnerabilities
Once the initial communications are done with the C2 server, the malware will sporadically receive more commands, such as executing propagation through exploitation of predetermined vulnerabilities on target ranges, launching DDoS attacks or initiating crypto mining.
The malware can also provide a reverse shell to the attacker, who can then execute more commands on infected systems.
Concerns grow as Chaos is spreading fast
Lumen’s Black Lotus Labs telemetry indicates that the malware spreads at a quick pace. Hundreds of unique IP addresses representing compromised machines running the Chaos malware have appeared from mid-June to mid-July in Europe, east Asia and the Americas (Figure B).
The number of C2 servers has also grown. The researchers have been able to track the C2 servers based on the self-signed SSL certificates used, which contained the single word Chaos as the issuer. While initially only 15 instances of C2 servers could be found, the earliest one being generated on April 16, 2022, it reached 111 different servers as of September 27, with most of them being hosted in Europe.
Interactions with the C2 servers came from embedded Linux devices as well as enterprise servers.
What is the goal of the malware?
Chaos malware has been developed to accomplish several different tasks. It is able to launch DDoS attacks on selected targets and pretend those attacks come from multiple hosts. If hundreds of infected machines received the order to start attacking one target, it might be successful in disrupting or slowing down Internet activities.
Lumen observed the targeting of entities involved in gaming, financial services and technology, media and entertainment, and hosting companies, but it also targeted a cryptomining exchange and a DDoS-as-a-service provider.
SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)
Chaos malware is also able to drop cryptocurrency miners and start using an infected computer for mining. The researchers observed the download of a Monero cryptocurrency miner along with a working configuration file. Once executed, the payload uses the machine’s processing power to generate Monero cryptocurrency.
In addition, Chaos also allows attackers to propagate on other computers by exploiting different common vulnerabilities, and provides a reverse shell to the attacker. None of these activities seem cyberespionage-oriented. It seems the malware is used exclusively for financial purposes.
How can security professionals protect their organizations from this threat?
The initial infection vector is unknown, yet it is probable it comes from emails or browsing, which are the two main vectors of infection for such malware.
It is strongly advised to have all operating systems, devices and software updated and patched. Chaos malware sometimes exploits common vulnerabilities, and being fully patched can prevent the malware from further spreading in the network.
It is also advised to deploy security tools such as endpoint detection and response in order to possibly detect the malware before it is launched. SSH keys should be stored securely only on devices that require them, and remote root access should be forbidden on any machine that does not need it.
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.