A new malware literally called Chaos is spreading globally

A new malware dubbed Chaos is capable of infecting a swath of Linux and Windows devices, ranging from routers to enterprise-grade server systems, Ars Technica reported.

Black Lotus Labs first discovered the malware, naming it based on the frequency of the word “chaos” in source file names, “function names, and self-signed X.509 certificates.” Chaos is written in the Go programming language, appears to be a descendant of an IoT-targeting botnet campaign called Kaiji, and leverages China-based web infrastructure for command and control. According to Black Lotus Labs, it first appeared in the wild no later than mid-April and now has over 100 servers devoted to spreading it.

Black Lotus Labs identified a standard attack pattern in which Chaos is installed on a target device, establishes persistence, and then contacts the command and control server operated by the operators. That server can then begin sending commands to exploit known CVEs, propagate through SSH via brute-forcing or stolen keys, or begin IP spoofing. From there, the operators can spread the infection further or switch to digging further into the target system or using it for profit.

Chaos is versatile enough to target many different types of computer architecture, with the operators behind the malware using it for purposes including DDoS attacks and crypto mining. That gives it a particular potency, the researchers wrote, and the operators of the malware have used it to target gaming, financial services, media, and hosting companies. Other targets have included DDoS-as-a-service providers, including one that advertises itself to customers as a “premier IP stressor and booter” service. According to the report:

First, it is designed to work across several architectures, including: ARM, Intel (i386), MIPS, and PowerPC—in addition to both Windows and Linux operating systems. Second, unlike large-scale ransomware distribution botnets like Emotet that leverage spam to spread and grow, Chaos propagates through known CVEs and brute forced as well as stolen SSH keys.

Targets identified by Black Lotus Labs are mostly in Europe, although the infection has spread everywhere across the globe except Australia and New Zealand.

To protect against Chaos, the researchers recommend patching known CVEs, monitoring for signs of infection using indicators of compromise, and changing default passwords and removing unneeded root access on machines that can be accessed remotely. Additionally, owners of small office and home routers should keep those up to date and regularly reboot them, which clears many types of router malware.—TM

Do you work in IT or have information about your IT department you want to share? Email [email protected] or DM @thetomzone on Twitter. Want to go encrypted? Ask Tom for his Signal.