A newly discovered cross-platform piece of malware called 'Chaos' is spreading on Linux and Windows systems to amass resources for distributed denial of service (DDoS) attacks against online gaming firms, crypto exchanges, and rival 'stresser' sites renting DDoS-as-a-service.
The malware, which was written in Go – Google's popular cloud and systems programming language – targets Windows and Linux operating systems, and supports multiple chip architectures that allow it to reside on routers, IoT devices, smartphones, and enterprise servers. These include x86, x86-64, AMD64, MIPS, MIPS64, ARMv5-ARMv8, AArch64 and PowerPC, according to Black Lotus Labs, the cybersecurity unit of US internet infrastructure firm Lumen.
Chaos exploits known but unpatched vulnerabilities in firewall devices to gain a foothold in a network. These include critical remote code execution flaws affecting Huawei's HG532 wireless routers for homes and small businesses (CVE-2017-17215) and a newer flaw in Zyxel's routers (CVE-2022-30525).
Lumen suggests the malware was created by Chinese actors who picked Go to craft malware that was difficult to reverse engineer. So far it has found 100 samples of Chaos, which allows its operators to profile a host environment, send remote commands to a device, add new capabilities, spread across a network by guessing SSH private keys, and launch DDoS attacks.
The malware has recently been used for DDoS attacks targeting sites in the gaming, financial services and technology, and media and entertainment sectors. It has also targeted a cryptocurrency exchange.
"Given the suitability of the Chaos malware to operate across a range of consumer and enterprise devices, its multipurpose functionality and the stealth profile of the network infrastructure behind it, we assess with moderate confidence this activity is the work of a cybercriminal actor that is cultivating a network of infected devices to leverage for initial access, DDoS attacks and crypto mining," Lumen notes.
Kaiji was notable because it was written in Go, whereas most other IoT malware until then had been written in C or C++ – two widely used languages for programming software for 'bare metal' and embedded systems.
According to Lumen, once Chaos is installed on a host device it communicates with the command and control (C2) server whose address is embedded in the binary. The host then receives several staging commands instructing it to propagate, either via a known vulnerability or via SSH private keys.
"Based on the first set of commands, the host may receive a number of additional execution commands including performing propagation via the designated CVE and specified target lists, further exploitation of the current target, launching a specific type of DDoS attack against a specified domain or IP and port, and performing crypto mining," Lumen notes.
So far, Chaos infections are concentrated in Europe, but Lumen's maps also show 'hotspots' in North and South America, as well as Asia Pacific. No bots have been observed in Australia or New Zealand. Lumen saw just over 100 Chaos nodes in September, up from under 20 in April, with a big jump (~40 to ~90) between July and August.
The Chaos DDoS attacks used UDP floods and TCP SYN floods across multiple ports. In September, the Chaos actors targeted a gaming site. Also, in mid-August, a DDoS-as-a-service provider that sells CAPTCHA bypass and 'unique' transport layer DDoS capabilities was targeted.