Lumen Technologies' threat intelligence team, Black Lotus Labs, has issued a warning about Chaos, a new variant of the Kaiji distributed denial-of-service (DDoS) botnet that targets enterprises and large organisations.
The Golang-based Kaiji malware is presumed to be of Chinese origin and emerged in early 2020, targeting Linux systems and internet of things (IoT) devices via SSH brute force attacks. By mid-2020, the threat had expanded to include Docker servers.
The recently discovered Chaos malware, like Kaiji, is written in Go and uses SSH brute force attacks to infect new devices.
Additionally, it targets known vulnerabilities and infects with stolen SSH keys.
The threat is compatible with multiple architectures, including ARM, Intel (i386), MIPS, and PowerPC, and it can run on both Linux and Windows, according to Black Lotus.
Chaos establishes persistence and connects to an embedded command and control (C&C) server after infecting a device. Following that, it receives staging commands, such as starting propagation via known CVEs or SSH or starting IP spoofing. The malware first creates a mutex on infected Windows systems by binding to a UDP port that it hides from the analysis. If the binding fails, the malware's process terminates.
After the initial set of staging instructions, Black Lotus Labs observed numerous additional commands being sent to bots. These commands would result in new propagation attempts, additional compromise of the infected device, DDoS attacks, or crypto-mining.
Chaos can also build a reverse shell on the target device by using an open-source script designed to run on Linux-native bash shells, allowing the attackers to upload, download, or modify files. From mid-June to mid-July, Black Lotus Labs observed hundreds of unique IP addresses representing Chaos-infected devices, followed by an increase in new staging C&C servers in August and September. The majority of infections occur in Europe, North and South America, and Asia-Pacific (but not Australia or New Zealand).
In September, the botnet was spotted launching DDoS attacks against the domains or IP addresses of over 20 organisations. The entities targeted are from various industries, including entertainment, finance, gaming, media, and hosting. It was also seen targeting DDoS-as-a-Service providers and a cryptocurrency mining exchange.
Black Lotus Labs concluded, “Not only does it target enterprise and large organizations but also devices and systems that aren’t routinely monitored as part of an enterprise security model, such as SOHO routers and FreeBSD OS. And with a significant evolution from its predecessor, Chaos is achieving rapid growth since the first documented evidence of it in the wild.”
