Chaos malware targets multiple architectures
According to researchers from Lumen-based Black Lotus Lab, a new Chaos malware is targeting multiple architectures to spread DDoS, cryptocurrency miners, and install backdoors.
The malware is written in Go programming language, a major reason why it is easy for developers to port their software to different operating systems. Some of the capabilities of the malware include the provision of DDoS services, cryptocurrency mining, and backdoor features.
According to Lumen researchers, the malware is an evolution of the Kaiji DDoS malware, which is based on code and function overlaps.
Chaos is designed to exploit known vulnerabilities and brute force SSH. Once executed on a system, the malware establishes persistence and communicates with its commands and the control server. The server responds with one or more staging commands that serve different purposes before possibly receiving additional commands or modules.
Communication to the C2 takes place via a UDP port, which is determined by the MAC address of the device. As soon as a successful connection is established, the C2 sends staging commands, including automatic propagation, a new port for accessing additional files on the C2 server, spoofing IP addresses on Linux systems, and exploiting known vulnerabilities.
After the first communication with the C2 server, the malware receives sporadic additional commands. The commands include the execution of propagation by exploiting predefined vulnerabilities in target areas, launching DDoS attacks, or initiating crypto-mining.
The malware can provide a reverse shell to the attacker who can then execute further commands on infected systems.
Chaos malware can launch DDoS attacks on selected targets and pretend that these attacks come from multiple computers. Chaos malware can also drop cryptocurrency miners and use an infected computer for mining. The malware can also allow attackers to spread to other computers by exploiting various common vulnerabilities.
To protect organizations from this threat, it is important that organizations update and patch all operating systems, devices, and software, and that they use security tools such as endpoint detection and response to detect the malware before it is launched and take steps to contain it.
The sources for this piece include an article in TechRepublic.