The Go-based malware, dubbed “Chaos,” is most likely controlled by a Chinese threat actor. The researchers found that its code was written in Chinese, and it was launched from China-based command-and-control servers. Chaos’ targets are spread around the globe, and the interlinked staging servers used to run the malware are multiplying quickly, amounting to over 100 in just six months. Hotspots of activity were found primarily in Europe but also across North and South America, as well as the Asia Pacific region. “We assess with moderate confidence this activity is the work of a cybercriminal actor that is cultivating a network of infected devices to leverage initial access, DDoS attacks and crypto mining,” Black Lotus Labs said.
‘Swiss Army Knife’ Malware
After reviewing about 100 unique samples of Chaos discovered from June to mid-July, the researchers at Black Lotus Labs found that it mainly spreads by exploiting known, unpatched vulnerabilities as well as hacked and stolen encryption keys. The versatility of Chaos is what makes it particularly disturbing. “Chaos functionality includes the ability to enumerate the host environment, run remote shell commands, load additional modules, automatically propagate through stealing and brute forcing SSH private keys, as well as launch DDoS attacks,” the researchers wrote. The Black Lotus team observed Chaos being used to launch DDoS attacks on organizations in the gaming, financial services, entertainment, media, and hosting sectors. They also saw Chaos targeting a crypto mining exchange and, ironically, DDoS-as-a-service providers. Chaos can “work across several architectures; including: ARM, Intel (i386), MIPS and PowerPC,” as well as Windows and Linux devices. Specific vulnerabilities exploited by Chaos affect firewalls sold by Huawei and network gear sold by F5. Black Lotus researchers believe Chaos is an evolution of Kaiji, a DDoS malware that surfaced in 2020. This malware is distinct from a ransomware builder that is also known as Chaos.
Security Recommendations
High-level malware powered by zombie botnets of hacked devices, like the now defunct “Emotet” and the more recent “RSOCKS,” represents a global security risk. Black Lotus Labs has laid out the following security recommendations for cybersecurity departments, consumers with small office/home office (SOHO) routers, and remote workers:
- Network defenders should quickly patch software vulnerabilities using the technical red flags described in the report.
- Consumers with small office and home office routers should use EDR solutions on hosts, regularly reboot their routers, and ensure they are kept updated.
- Remote workers should use complex passwords instead of default ones, disable remote root access on devices where possible, and store SSH encryption keys only where required.
- Organizations should consider Secure Access Service Edge (SASE) and DDoS protection.
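Two of those recommendations, disabling remote root access over SSH and keeping private keys only where they are needed, can be checked from a shell. The script below is an added example, not code from the article or from Black Lotus Labs; the config files and keys it reads are constructed inline so it runs stand-alone, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the article or the report): audit an sshd_config for
# remote root login and list SSH private keys that other users can read.

# Print the effective value of an sshd_config keyword. Like sshd, the first
# occurrence wins; comments are skipped and parsing stops at the first
# "Match" block (conditional settings are out of scope for this check).
sshd_setting() {
    # $1 = path to sshd_config, $2 = keyword (matched case-insensitively)
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/       { next }
        tolower($1) == "match" { exit }
        tolower($1) == key && !seen { val = $2; seen = 1 }
        END { print val }' "$1"
}

# Succeed only when PermitRootLogin is explicitly "no". An absent keyword means
# the default "prohibit-password", which still allows key-based root logins,
# so it is treated as not hardened here.
root_login_disabled() {
    [ "$(sshd_setting "$1" PermitRootLogin)" = "no" ]
}

# List private keys under $1 whose mode lets group or others read them.
# Prints one path per line; prints nothing when every key is owner-only.
loose_private_keys() {
    find "$1" -type f ! -name '*.pub' \( -perm -g+r -o -perm -o+r \) \
        -exec grep -l 'PRIVATE KEY' {} \; 2>/dev/null
}

# --- constructed sample inputs so the script runs stand-alone ---------------
SAMPLE=$(mktemp -d)
printf 'Port 22\n# PermitRootLogin no  <- commented out, not in effect\nPermitRootLogin yes\n' \
    > "$SAMPLE/weak.conf"
printf 'Port 22\nPermitRootLogin no\nMatch User backup\n  PermitRootLogin yes\n' \
    > "$SAMPLE/hard.conf"
mkdir -p "$SAMPLE/keys"
printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'placeholder' '-----END OPENSSH PRIVATE KEY-----' \
    | tee "$SAMPLE/keys/id_loose" > "$SAMPLE/keys/id_ok"
chmod 644 "$SAMPLE/keys/id_loose"; chmod 600 "$SAMPLE/keys/id_ok"

for cfg in weak hard; do
    if root_login_disabled "$SAMPLE/$cfg.conf"; then echo "$cfg.conf: root login disabled"
    else echo "$cfg.conf: PermitRootLogin=$(sshd_setting "$SAMPLE/$cfg.conf" PermitRootLogin) (set it to no)"; fi
done
echo "private keys readable by others:"; loose_private_keys "$SAMPLE/keys"   # only id_loose
```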
Find out more about the hacking methods elite-level threat actors use in our guide to botnets.