Botnet of devices infected with Chaos malware ‘rapidly growing’ across Europe – The Record by Recorded Future
September 28, 2022
A multi-purpose malware written in the Go programming language is raising alarms among researchers worried about its spread in Europe.
Lumen Technologies’ threat intelligence team — Black Lotus Labs — dubbed the malware “Chaos” and said it was built for Windows and Linux as well as a wide array of consumer devices, enterprise servers and small office/home office routers. Chaos is one of several examples of cybercriminals turning to the Go programming language when writing malware — the language is flexible to use, has low rates of antivirus detection and is difficult to reverse-engineer.
The malware is allegedly an evolution of the DDoS malware Kaiji, which researchers highlighted in 2020. The latest additions include the ability to automatically exploit known vulnerabilities and provide its operators with ways to scan a target system, automatically move laterally and propagate through a system, launch DDoS attacks and initiate crypto-mining operations.
“We are seeing a complex malware that has quadrupled in size in just two months, and it is well positioned to continue accelerating,” said Mark Dehus, director of threat intelligence for Lumen Black Lotus Labs. The researchers examined 100 samples of the malware.
“Chaos poses a threat to a variety of consumer and enterprise devices and hosts. The Chaos malware targets known vulnerabilities.”
In June, the researchers found several Chaos clusters that were written in Chinese and leveraging command and control infrastructure based in China, expanding further in the country throughout August and September.
Black Lotus Labs found hundreds of unique IP addresses representing compromised Chaos bots from mid-June through mid-July, with most heavily concentrated in Europe. They also found bots in North and South America, as well as the Asia Pacific region.
Since they first spotted 15 active nodes with similar self-signed certificates that contained the word “Chaos” in the organization name, the number has grown. By May it was at 39 and it hit 93 in August.
As of September 27 it reached 111.
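The tracking described above rests on a simple indicator: a staging node presenting a self-signed TLS certificate whose subject Organization contains "Chaos". The Go program below is an added illustration for defenders, not code from Black Lotus Labs or from the article; it builds constructed test certificates with Go's standard library and applies that indicator, treating a certificate as suspicious only when it is both self-signed (issuer equals subject and the signature verifies under its own key) and carries the keyword. The `NewCert` fixture, the `InspectCert` helper and the organization names used are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// CertFinding records which parts of the indicator a certificate matched.
type CertFinding struct {
	SelfSigned bool     // issuer == subject and signature verifies with the cert's own key
	OrgMatch   bool     // subject Organization contains the hunted keyword
	Orgs       []string // subject Organization values, kept for reporting
}

// IsSuspicious is true only when both halves of the indicator line up;
// a CA-issued certificate that merely mentions the keyword is not flagged.
func (f CertFinding) IsSuspicious() bool { return f.SelfSigned && f.OrgMatch }

// InspectCert applies the indicator from the report (self-signed certificate with
// the keyword in the Organization field) to an already parsed certificate.
func InspectCert(cert *x509.Certificate, keyword string) CertFinding {
	f := CertFinding{Orgs: cert.Subject.Organization}
	if string(cert.RawIssuer) == string(cert.RawSubject) {
		// Confirm self-signing cryptographically rather than trusting the names alone.
		if err := cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature); err == nil {
			f.SelfSigned = true
		}
	}
	for _, org := range cert.Subject.Organization {
		if strings.Contains(strings.ToLower(org), strings.ToLower(keyword)) {
			f.OrgMatch = true
		}
	}
	return f
}

// NewCert builds a constructed test certificate (hypothetical fixture, not a real
// sample). With parent == nil it is self-signed; otherwise it is issued by parent.
func NewCert(org string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{Organization: []string{org}, CommonName: org},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	issuer, signer := tmpl, key
	if parent != nil {
		issuer, signer = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func main() {
	// Constructed inputs: one cert shaped like the indicator, one benign self-signed
	// cert, and one CA-issued cert that contains the keyword but is not self-signed.
	bot, _, _ := NewCert("Chaos", nil, nil)
	benign, _, _ := NewCert("Example Corp", nil, nil)
	ca, caKey, _ := NewCert("Example CA", nil, nil)
	issued, _, _ := NewCert("Chaos Consulting", ca, caKey)
	for _, c := range []*x509.Certificate{bot, benign, issued} {
		f := InspectCert(c, "Chaos")
		fmt.Printf("org=%v selfSigned=%v orgMatch=%v suspicious=%v\n", f.Orgs, f.SelfSigned, f.OrgMatch, f.IsSuspicious())
	}
}
```

In practice the certificate would come from a passive TLS capture or a scan result rather than from `NewCert`; `InspectCert` takes any `*x509.Certificate`, so `x509.ParseCertificate` on the captured DER is the only extra step. The keyword is a hunting hint, not proof of infection on its own: the cryptographic self-signed check and the organization match together keep ordinary CA-issued certificates that happen to mention the word from being flagged.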
“We observed interactions with these servers from both embedded Linux devices as well as enterprise servers, such as one in Europe that was hosting an instance of GitLab. Like the Chaos bots depicted in the heatmap above, the majority of the entities communicating with the staging servers were located in Europe with few devices distributed globally,” the researchers said.
“Over the first few weeks of September, our Chaos host emulator received multiple DDoS commands targeting roughly two dozen organizations’ domains or IPs. Targeted entities included gaming, financial services and technology, media and entertainment, and hosting.”
The report attributes Chaos to a cybercriminal group or individual that is intentionally cultivating a network of infected devices to leverage for initial access, DDoS attacks and crypto-mining for the Monero currency.
While no current botnet infrastructure resembles past behemoths that could leverage more than 100,000 or 500,000 infected devices, Chaos has grown rapidly over the last few months, according to the researchers.
Chaos is also distinct because the operators behind the malware can list out designated vulnerabilities it should target. At least one bot received more than 70 different commands over the course of a few days, according to the researchers.
The vulnerabilities listed included one affecting Huawei – CVE-2017-17215 – and another affecting a Zyxel personal firewall: CVE-2022-30525. But the researchers noted that the CVE file appears “trivial” and that dozens of bugs are abused.
The Chaos malware is also particularly harmful because it targets devices and systems that typically are not monitored by security systems.
The CVE exploitation feature is a new addition to the capabilities of a malware that can be traced back to 2020.
Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.