A threat actor possibly based in China is deploying a new multiplatform piece of malware named Chaos that is infecting SOHO routers, brute-forcing SSH passwords, using known vulnerabilities to propagate, and launching DDoS attacks against a variety of targets.
Chaos is related to the Kaiji malware, which has been circulating for about two years, and is mainly used for DDoS attacks. Both Chaos and Kaiji are written in Go and use SSH brute force attacks as one of their propagation methods. Researchers at Lumen Technologies’ Black Lotus Labs have discovered Chaos infections around the world, all of which are communicating with C2 infrastructure based in China and said the DDoS attacks launched by the malware have targeted financial, gaming, and technology companies, as well as at least one cryptocurrency exchange. The botnet itself is not very large at this point, but has the potential to grow quickly, given that there are Windows and Linux variants of Chaos, and the malware can run on a number of different architectures, including ARM, Intel, and PowerPC.
The initial infection vector for Chaos isn’t clear at this point, but once the malware is on a new device, it contacts the C2 server, which is hard-coded in the malware, and waits for commands.
“The host then receives one or more staging commands depending on the sample and the host environment: these include commands to initialize propagation through exploiting a known CVE, to automatically propagate through SSH via brute-forcing or leveraging stolen SSH keys and to begin IP spoofing,” the Black Lotus Labs analysis says.
“Based on the first set of commands, the host may receive a number of additional execution commands including performing propagation via the designated CVE and specified target lists, further exploitation of the current target, launching a specific type of DDoS attack against a specified domain or IP and port, and performing crypto mining.”
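The SSH brute-forcing described above leaves a recognizable pattern in the sshd logs of the devices it probes: a burst of failed password attempts from one source, sometimes followed by an accepted login. The script below is an added example, not code from the Black Lotus Labs report or from the Chaos samples; the auth log lines are constructed for illustration, and the threshold and time window are assumptions a defender would tune to their own environment.

```python
"""Flag SSH password brute-forcing in standard OpenSSH auth log lines.

Added example; the log lines are constructed and the thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of OpenSSH syslog output (hostnames and IPs are made up)
SAMPLE_LOG = """\
Sep 28 10:00:01 router sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Sep 28 10:00:03 router sshd[1202]: Failed password for admin from 203.0.113.5 port 51235 ssh2
Sep 28 10:00:04 router sshd[1203]: Failed password for invalid user pi from 203.0.113.5 port 51236 ssh2
Sep 28 10:00:06 router sshd[1204]: Failed password for root from 203.0.113.5 port 51237 ssh2
Sep 28 10:00:07 router sshd[1205]: Failed password for root from 203.0.113.5 port 51238 ssh2
Sep 28 10:00:09 router sshd[1206]: Accepted password for root from 203.0.113.5 port 51239 ssh2
Sep 28 10:05:00 router sshd[1300]: Accepted publickey for ops from 198.51.100.7 port 40000 ssh2
Sep 28 10:06:00 router sshd[1301]: Failed password for ops from 198.51.100.7 port 40001 ssh2
"""

# Matches both "Failed password for <user>" and "Failed password for invalid user <user>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse(log_text, year=2022):
    """Return a list of (timestamp, result, method, user, ip) tuples.

    Syslog lines carry no year, so the caller supplies one (assumed 2022 here)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated sshd messages are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["method"], m["user"], m["ip"]))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: {"failures": n, "compromised": bool}} for every source whose
    failed password attempts reach `threshold` within any `window`-long span.

    A source is marked compromised when an Accepted login from it follows the
    burst of failures, which is the pattern a successful guess leaves behind."""
    by_ip = defaultdict(list)
    for ev in sorted(events):  # tuples sort by timestamp first
        by_ip[ev[4]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        fails = [ts for ts, res, meth, _, _ in evs if res == "Failed" and meth == "password"]
        # Sliding window: largest number of failures that fall within `window`
        max_in_window = 0
        start = 0
        for end in range(len(fails)):
            while fails[end] - fails[start] > window:
                start += 1
            max_in_window = max(max_in_window, end - start + 1)
        if max_in_window >= threshold:
            last_fail = fails[-1]
            compromised = any(
                res == "Accepted" and ts >= last_fail for ts, res, _, _, _ in evs
            )
            findings[ip] = {"failures": len(fails), "compromised": compromised}
    return findings


if __name__ == "__main__":
    for ip, info in detect_bruteforce(parse(SAMPLE_LOG)).items():
        print(f"{ip}: {info['failures']} failed password attempts, "
              f"{'login succeeded afterwards' if info['compromised'] else 'no success seen'}")
```

The sliding window matters more than a raw count: a slow guesser spreading attempts over hours is still worth a look, but a burst of failures inside a minute from one source, on a router that should only ever see key-based logins, is the signature to page on. Feeding the same function a larger window or a lower threshold trades false positives for coverage.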
Chaos has the ability to exploit some known vulnerabilities, and Black Lotus Labs researchers observed the malware targeting at least two flaws, one in the Zyxel Firewall and one in the Huawei HG532 personal firewall. Both of those bugs are several years old and the actors using Chaos have the ability to update the exploit portion of the malware with commands for other bugs. Chaos also has the ability to establish a reverse shell on an infected device and in some cases installs a cryptominer. There is a module to launch several types of DDoS attacks against specific IP addresses, as well.
“Based upon our analysis of the functions within the more than 100 samples we analyzed for this report, we assess Chaos is the next iteration of the Kaiji botnet. Kaiji was originally discovered in 2020 targeting Linux-based AMD and i386 servers by leveraging SSH brute forcing to infect new bots and then launch DDoS attacks,” the analysis says.
“Given the suitability of the Chaos malware to operate across a range of consumer and enterprise devices, its multipurpose functionality and the stealth profile of the network infrastructure behind it, we assess with moderate confidence this activity is the work of a cybercriminal actor that is cultivating a network of infected devices to leverage for initial access, DDoS attacks and crypto mining.”
Researchers believe Chaos first emerged in April, and its activity has been increasing steadily in the months since. The malware has infected SOHO routers, embedded Linux devices, and enterprise servers. The shift to remote work in the last couple of years has made home routers and other devices that typically sit outside of a corporate network juicy targets for attackers.
“Not only does it target enterprise and large organizations but also devices and systems that aren’t routinely monitored as part of an enterprise security model, such as SOHO routers and FreeBSD OS. And with a significant evolution from its predecessor, Chaos is achieving rapid growth since the first documented evidence of it in the wild,” the Black Lotus Labs analysis says.