Chaos, new multipurpose malware written in the Go programming language, is spreading across the world.
“We are seeing a complex malware that has quadrupled in size in just two months, and it is well-positioned to continue accelerating,” said Mark Dehus, director of threat intelligence at Lumen‘s Black Lotus Labs.
Versatile and potent
Chaos is designed to work across several architectures, including ARM, Intel (i386), MIPS and PowerPC. It was developed for Windows, Linux, and a wide array of consumer devices, small office/home office (SOHO) routers and enterprise servers.
The malware exploits known vulnerabilities and enables the actor to:
- Scan the target system to profile it for future commands
- Automatically initiate lateral movement and propagation through SecureShell (SSH) by using private keys that are either stolen or obtained using brute force
- Launch DDoS attacks and initiate cryptomining
The prevalence of malware written in Go has increased dramatically in recent years due to the language’s flexibility, low antivirus detection rates and difficulty to reverse-engineer, Black Lotus Labs analysts noted.
The Chaos malware is potent because it works across a variety of architectures, targets devices and systems (e.g., SOHO routers and FreeBDS OS) that are not routinely monitored as part of an enterprise security model, and propagates through known vulnerabilities and SSH keys that are either stolen or obtained through brute force.
Chaos malware is spreading
Beginning in June, analysts discovered several distinct Chaos clusters that were written in Chinese. The clusters leveraged China-based command and control (C2) infrastructure that grew rapidly in August and September.
Chaos bot infections are mostly concentrated in Europe (Italy, France, Spain, Germany), the U.S., and China.
The actor compromised at least one GitLab server and launched numerous DDoS attacks on organizations in the gaming, financial services and technology, media/entertainment, cryptocurrency, and even DDoS-as-a-Service industries. The targets spanned organizations in the EMEA, APAC and North American regions.
“The Chaos malware targets known vulnerabilities,” Dehus added, “we recommend network administrators practice rigorous patch management, and use the IoCs (Indicators of Compromise) outlined in our report to monitor for infection or connections to suspicious infrastructure. Consumers and remote workers should enable automatic software updates, and regularly update passwords and reboot hardware.”
Black Lotus Labs believes this malware is not related to the Chaos ransomware builder discovered in 2021; rather, the overlapping code and functions suggest it is likely the evolution of Kaiji, a DDoS malware discovered in 2020.