Researchers at Black Lotus Labs, security firm Lumen Technologies’ research unit, have identified a novel cross-platform malware. Dubbed Chaos by researchers, this malware has infected numerous Windows and Linux devices, including enterprise servers, FreeBSD boxes, and small office routers.
Researchers Discovered ‘Chaos’
Lumen’s researchers have dubbed the malware Chaos because this word repeatedly appears in file names, function names, and certificates that the malware uses. The malware is written in Chinese and uses a China-based command and control infrastructure.
The malware was first detected on 16 April, after its first cluster of control servers went live in the wild. Between June and mid-July, hundreds of unique IP addresses were detected that represented devices infected with Chaos.
In recent months, the infection rate has intensified, with the number of compromised devices increasing from 39 in May to 93 in August and 111 in September. The researchers analyzed around 100 samples of Chaos malware.
Chaos: a Multifunctional Malware
Black Lotus Labs researchers wrote that Chaos is a Go-based, multifunctional malware that targets devices based on multiple platforms such as Windows and Linux.
In their report, the researchers noted that the malware’s potency stems from several factors: in addition to running on both operating systems, it works across multiple architectures, including MIPS, ARM, PowerPC, and Intel (i386). The malware supports 70 different commands.
“Chaos functionality includes the ability to enumerate the host environment, run remote shell commands, load additional modules, automatically propagate through stealing and brute forcing SSH private keys, as well as launch DDoS attacks.”
Black Lotus Labs
Chaos and Kaiji IoT Malware Comparison
Moreover, Chaos differs from ransomware-delivering botnets such as Emotet, which are distributed through spam: Chaos spreads through brute force, exploitation of CVEs, and stolen SSH keys.
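Because the report singles out SSH brute forcing and stolen SSH keys as Chaos’s propagation path, the most useful thing a defender can take from it is a check on their own sshd logs. The following Python script is an added example and is not code from the Lumen report or from the malware: it parses constructed sshd log lines (the IPs, hostnames, users and the 2022 year used for timestamps are assumed sample values), flags a source address that accumulates a burst of failed logins inside a short window, and raises the severity when that same address is later accepted, which is the pattern a stolen key or a successful brute force would leave behind.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of sshd log lines in syslog format (not from the Lumen report).
# 203.0.113.7 hammers root/admin with passwords and a key, then gets in with the key;
# 198.51.100.5 is a normal user who mistyped a password once.
SAMPLE_AUTH_LOG = """\
Sep 20 10:00:01 host1 sshd[1201]: Failed password for root from 203.0.113.7 port 50122 ssh2
Sep 20 10:00:02 host1 sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 50124 ssh2
Sep 20 10:00:03 host1 sshd[1205]: Failed publickey for root from 203.0.113.7 port 50126 ssh2: RSA SHA256:AAAA
Sep 20 10:00:04 host1 sshd[1207]: Failed password for root from 203.0.113.7 port 50128 ssh2
Sep 20 10:00:05 host1 sshd[1209]: Failed password for root from 203.0.113.7 port 50130 ssh2
Sep 20 10:00:06 host1 sshd[1211]: Accepted publickey for root from 203.0.113.7 port 50132 ssh2: RSA SHA256:AAAA
Sep 20 10:15:00 host1 sshd[1300]: Failed password for alice from 198.51.100.5 port 40000 ssh2
Sep 20 10:40:00 host1 sshd[1302]: Accepted password for alice from 198.51.100.5 port 40002 ssh2
"""

# syslog timestamps carry no year; assume one so the lines can be ordered and windowed
ASSUMED_YEAR = 2022

# Matches the OpenSSH "Failed|Accepted <method> for [invalid user] <user> from <ip> port <n>" form
LINE_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(Failed|Accepted) (password|publickey) for (?:invalid user )?(\S+) from (\S+) port (\d+)"
)


def parse_line(line):
    """Return a dict for an sshd auth event, or None for lines we do not care about."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, outcome, method, user, ip, _port = m.groups()
    when = datetime.strptime(f"{ts} {ASSUMED_YEAR}", "%b %d %H:%M:%S %Y")
    return {"time": when, "outcome": outcome, "method": method, "user": user, "ip": ip}


def detect_ssh_brute_force(log_text, threshold=5, window=timedelta(minutes=1)):
    """Flag source IPs with >= threshold failed logins inside `window`.

    A flagged IP that later gets an Accepted login is escalated to "high", since
    that is what a successful brute force or a stolen key looks like in the log.
    Returns {ip: finding}.
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["time"])

    recent_failures = defaultdict(list)  # ip -> timestamps of failures inside the window
    users_tried = defaultdict(set)       # ip -> usernames seen in failed attempts
    findings = {}

    for e in events:
        ip = e["ip"]
        if e["outcome"] == "Failed":
            bucket = recent_failures[ip]
            bucket.append(e["time"])
            users_tried[ip].add(e["user"])
            # slide the window: forget failures older than `window` relative to this one
            while bucket and e["time"] - bucket[0] > window:
                bucket.pop(0)
            if len(bucket) >= threshold and ip not in findings:
                findings[ip] = {
                    "severity": "medium",
                    "failures": len(bucket),
                    "first_seen": bucket[0],
                    "users": users_tried[ip],  # same set object, keeps growing
                }
        elif ip in findings:
            # success from an address already flagged for a burst of failures
            findings[ip]["severity"] = "high"
            findings[ip]["accepted_as"] = e["user"]
            findings[ip]["accepted_via"] = e["method"]

    return findings


if __name__ == "__main__":
    for ip, f in detect_ssh_brute_force(SAMPLE_AUTH_LOG).items():
        print(ip, f["severity"], f["failures"], "failures, users:", sorted(f["users"]),
              "accepted_as:", f.get("accepted_as"))
```

On real hosts the same function can be fed `/var/log/auth.log` or the output of `journalctl -u ssh`; the threshold and window are deliberately parameters, because a value that is right for an internet-facing router is far too noisy for a jump host used by many people.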
The researchers further observed that Chaos’s code base and functional overlapping make it similar to Kaiji IoT malware known for compromising Linux devices for DDoS attacks.
After enumerating the C2 servers of Chaos malware and multiple clusters, researchers identified that some were used in recent DDoS attacks against technology, financial services, gaming, entertainment, and media sector firms.
Researchers concluded that although the botnet infrastructure is relatively small compared to some mainstream DDoS malware families, Chaos is quickly growing. They further added that given its design and novelty, it seems like the work of a ‘cybercriminal actor that is cultivating a network of infected devices to leverage for initial access, DDoS attacks, and crypto mining.’
Location
Most bots are located in Europe, particularly Italy, but infections were also observed in the Asia Pacific region, South America, and North America. In some samples, the researchers noticed that attackers exploited the CVE-2017-17215 and CVE-2022-30525 vulnerabilities, which affect Huawei and Zyxel devices respectively.