New Chaos Malware Targets Linux and Windows for Crypto Mining & DDoS Attacks

Black Lotus Labs, the threat intelligence team of Lumen Technologies, has discovered a new multi-function malware making rounds on the cybersphere. Dubbed Chaos, the malware is designed to carry out several types of cyberattacks against Windows and Linux systems.

The earliest certificate researchers discovered was dated April 16, 2022, the same time the first cluster activity was registered. At the time, IP addresses with self-signed certificates containing the word Chaos were at 15, which doubled in May to 39.

As of September 2022, the number of Chaos nodes has climbed to 111, surpassing 93 in August. Mark Dehus, director of threat intelligence for Lumen Black Lotus Labs, said, “We are seeing a complex malware that has quadrupled in size in just two months, and it is well-positioned to continue accelerating.”

“Chaos poses a threat to a variety of consumer and enterprise devices and hosts,” Dehus added. 

Devices at risk from Chaos malware include small office/home office (SOHO) routers, enterprise servers, devices with FreeBSD OS, Windows, and Linux, running on architectures such as ARM (v5 through v8), Intel (x86, x86-64), AMD64, MIPS and MIPS64, AArch64 and PowerPC.

Using the malware, its operators, possibly Chinese, have targeted organizations in gaming, financial services, technology, media and entertainment industries, and cryptocurrency exchanges through DDoS attacks. Threat actors behind Chaos even successfully compromised a GitLab server and targeted fellow cybercriminals involved in DDoS-as-a-service operations.

Black Lotus Labs researchers Danny Adamitis, Steve Rudd and Stephanie Walkenshaw analyzed almost 100 Chaos malware samples and summarized: “Given the suitability of the Chaos malware to operate across a range of consumer and enterprise devices, its multipurpose functionality and the stealth profile of the network infrastructure behind it, we assess with moderate confidence this activity is the work of a cybercriminal actor that is cultivating a network of infected devices to leverage for initial access, DDoS attacks and crypto mining.”

The researchers describe Chaos as the “next iteration of the Kaiji,” a botnet discovered in 2020 that leverages SSH brute forcing to infect new bots to instigate DDoS attacks. Chaos goes beyond Kaiji and metastasizes through SSH key harvesting and automatic vulnerability exploitation to target multiple new architectures, not to mention Windows (in addition to Linux).

“With a significant evolution from its predecessor, Chaos is achieving rapid growth since the first documented evidence of it in the wild,” the researchers noted.

Chaos is written in Go, a language that offers agility, flexibility, difficulty to reverse-engineer, and cross-platform code compilation capabilities (something that many applications lack even today). Denonia, a recent crypto mining malware designed to target AWS Lambda, is also written in Go, though it does not execute on multiple platforms.

See More: New Ducktail Malware Can Bypass Facebook Account Safeguards

However, unlike Denonia, which is purely used for illicit crypto mining by hijacking AWS Lambda resources, Chaos has much broader applicability for cybercriminal activities.

The Chaos attack chain includes the initial setup of the malware on a target machine, establishing persistence, executing staging commands, any additional execution commands, installing a reverse shell, and finally, DDoS or crypto mining operations.

Chaos Attack Infection Chain | Source: Black Lotus Labs (Lumen Technologies)

A differentiating characteristic of Chaos over other malware strains is that it can carry out automated vulnerability exploitation for lateral movement or SSH via brute-forcing with stolen SSH keys. Additionally, the reverse shell enables the malware operator to upload, download or modify files from the command and control (C2) infrastructure located in China.

A few known vulnerabilities that Chaos had listed for exploitation were CVE-2017-17215 and CVE-2022-30525, both of which are remote code execution flaws and reside in personal firewalls by Huawei and Zyxel, respectively. The malware also exploits CVE-2022-1388, a vulnerability in F5’s BIG-IP devices that allows threat actors to execute code arbitrarily to create, delete files, or disable services.

Technical details of the malware are available in a Lumen blog post.

Chaos bots are most prevalent in Europe, according to Black Lotus Labs telemetry data, though the malware was also discovered in some countries in the Americas and Asia-Pacific. Lumen found traffic was absent in Australia, New Zealand, and Africa.

Global Distribution of Chaos Malware | Source: Lumen Technologies

Considering Chaos targets devices that aren’t routinely monitored, consistent monitoring should go a long way in thwarting attacks. More importantly, Black Lotus Labs researchers advised performing appropriate and periodic patch management procedures since it scans for vulnerabilities to spread its infection.

Additionally, admins/users need to change the default passwords with which SOHO routers are shipped and disable remote root access where it is not necessary. Avoid theft of SSH keys by storing them on devices that need them.

Let us know if you enjoyed reading this news on LinkedIn, Twitter, or Facebook. We would love to hear from you!

MORE ON MALWARE