Description
A new Go-based malware dubbed Chaos has grown rapidly in recent months, infecting a wide range of devices, including Windows and Linux systems, small office/home office (SOHO) routers and enterprise servers.
Summary
The new Chaos malware, not to be confused with the ransomware builder of the same name, was first spotted in April 2022. Its infection rate grew exponentially over a one-month period between mid-June and mid-July, affecting over one hundred devices in Europe, China and the U.S. The malware is written in the Go programming language, which lets it target multiple platforms, evade detection with ease and make reverse engineering difficult. Additionally, the malware can operate across a wide range of architectures, including x86, x86-64, AMD64, MIPS, MIPS64, ARMv5-ARMv8, AArch64 and PowerPC, which are used by a wide range of devices such as computers, SOHO routers and enterprise servers.
According to researchers from Lumen's Black Lotus Labs, the Chaos malware's functionality includes the ability to enumerate the host environment, run remote shell commands, load additional modules, automatically propagate through stealing and brute-forcing SSH private keys, and launch DDoS attacks. The main goal of the malware is to enlist all infected devices into its botnet, where they are readily available for crypto-mining and DDoS attacks. Its main propagation tactics are exploiting security vulnerabilities in devices, SSH brute-forcing and using stolen SSH keys. Once a device is hijacked, the malware establishes persistence by setting up a backdoor reverse shell that enables an attacker to reconnect to the device. Further analysis from the Black Lotus Labs team shows that the malware is written in Chinese and uses a China-based command and control (C2) infrastructure for its attacks.
Indicators of Compromise
For a list of IOCs related to the Chaos malware, follow this URL: https://github.com/blacklotuslabs/IOCs/blob/main/Chaos_IoCs.txt
Remediation
To protect against this type of malware, users are advised to follow the steps below:
Update and patch all devices on your network with the latest security patches as the Chaos malware leverages vulnerabilities in your devices to gain a foothold.
Employ a strong password policy and change default passwords on devices as Chaos also employs brute-forcing.
Disable remote root access on devices that do not require it. SSH keys should be stored securely and only on devices that require them.
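One way to check the SSH-related steps above on a Linux host running OpenSSH, as an added example that is not part of the original alert. The names `parse`, `audit` and `SAMPLE` are hypothetical, the sample configuration is constructed, and the defaults assumed are those of current OpenSSH releases.

```python
import re

# Values sshd falls back to when a keyword is absent (assumed OpenSSH defaults).
DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes"}
# Only "no" closes root login (including key-based) and password guessing.
SAFE = {"permitrootlogin": {"no"}, "passwordauthentication": {"no"}}

# Constructed sample config, not taken from a real host.
SAMPLE = """\
Port 22
permitrootlogin yes
PasswordAuthentication=no
# the next line has no effect: sshd keeps the first value it reads
PermitRootLogin no
Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""

def parse(text):
    """Return (global settings, list of (match criteria, keyword, value))."""
    settings, overrides, match = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and value are separated by whitespace or a single "=".
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":
            match = value  # a Match block runs to the next Match or end of file
        elif match is not None:
            overrides.append((match, key, value))
        else:
            settings.setdefault(key, value)  # first occurrence wins
    return settings, overrides

def audit(text):
    """List settings that leave SSH open to root login or password guessing."""
    settings, overrides = parse(text)
    findings = []
    for key, safe in SAFE.items():
        value = settings.get(key, DEFAULTS[key])
        if value not in safe:
            findings.append(f"global {key}={value}")
    for match, key, value in overrides:
        if key in SAFE and value not in SAFE[key]:
            findings.append(f"match[{match}] {key}={value}")
    return findings
```

The parser does not follow `Include` directives; feeding it the output of `sshd -T`, which prints the effective configuration, avoids that gap.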
The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.
References
Gatlan, S. (2022, September 28). New Chaos malware infects Windows, Linux devices for DDoS attacks. Retrieved from BleepingComputer.
https://www.bleepingcomputer.com/news/security/new-chaos-malware-infects-windows-linux-devices-for-ddos-attacks/
Lakshmanan, R. (2022, September 28). Researchers Warn of New Go-based Malware Targeting Windows and Linux Systems. Retrieved from The Hacker News.
https://thehackernews.com/2022/09/researchers-warn-of-new-go-based.html
Black Lotus Labs. (2022, September 28). Chaos is a Go-based Swiss army knife of malware. Retrieved from Lumen.
https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/?utm_source=press+release&utm_medium=referral