
Go-based Chaos malware is rapidly growing, targeting Windows, Linux and more

A new multifunctional Go-based malware dubbed Chaos is targeting both Windows and Linux systems, experts warn.

Researchers from Black Lotus Labs at Lumen Technologies recently uncovered a multifunctional Go-based malware that was developed to target devices based on multiple architectures, including Windows and Linux.

The malicious code was developed to target a broad range of devices, including small office/home office (SOHO) routers and enterprise servers. The Chaos malware includes capabilities previously documented in the original Kaiji Linux botnet.

The experts analyzed roughly 100 samples of the Chaos malware, which was written in Chinese and relies on a China-based C2 infrastructure.

“Chaos functionality includes the ability to enumerate the host environment, run remote shell commands, load additional modules, automatically propagate through stealing and brute forcing SSH private keys, as well as launch DDoS attacks.” reads the analysis published by Lumen Technologies.

The experts were able to enumerate the C2s and targets of multiple distinct Chaos clusters, some of which were employed in recent DDoS attacks against the gaming, financial services and technology, and media and entertainment industries. The researchers warn that although the botnet's infrastructure is today comparatively smaller than that of some of the leading DDoS malware families, Chaos is rapidly growing.

“Given the suitability of the Chaos malware to operate across a range of consumer and enterprise devices, its multipurpose functionality and the stealth profile of the network infrastructure behind it, we assess with moderate confidence this activity is the work of a cybercriminal actor that is cultivating a network of infected devices to leverage for initial access, DDoS attacks and crypto mining.” continues the report.

The analysis of the infections from mid-June to mid-July 2022 revealed that most of the bots are located in Europe, specifically Italy. Other infections were observed in North and South America and Asia Pacific.

The Chaos malware supports more than 70 different commands, including executing propagation through the exploitation of pre-determined CVEs, launching DDoS attacks or starting crypto mining.

Some samples analyzed by the experts were able to exploit CVE-2017-17215 and CVE-2022-30525, which affect Huawei and Zyxel devices respectively.

“While the shift to Go-based malware has been underway for the last few years, there are few strains that demonstrate the breadth of Chaos in terms of the wide array of architectures and operating systems it was designed to infect. Not only does it target enterprise and large organizations but also devices and systems that aren’t routinely monitored as part of an enterprise security model, such as SOHO routers and FreeBSD OS.” concludes the report. “And with a significant evolution from its predecessor, Chaos is achieving rapid growth since the first documented evidence of it in the wild.”


Pierluigi Paganini

(SecurityAffairs – hacking, Chaos malware)
