Chaos: a powerful malware infecting multiple systems and architectures

Alfonso Maruccia

Posts: 99   +50
Staff
TL;DR: A powerful malware capable of infecting multiple operating systems and CPU architectures is making strides in Europe and elsewhere. The Chaos malware spreads across Windows and Linux systems and is designed to execute commands issued remotely by cybercriminals.

Chaos is a new malware family written in the Go programming language with an unusually broad set of capabilities. Discovered and analyzed by Black Lotus Labs, the research arm of security company Lumen, the threat can infect a wide range of operating systems and CPU architectures. More than a hundred machines are infected so far, forming a malicious network that could also be leveraged to spread other threats and malware strains.

Black Lotus researchers named the new malware "Chaos" because the word is used repeatedly in the code for function names, certificates and file names. Chaos started to emerge in April, the researchers say, and there are now more than 111 unique IPs belonging to infected devices. Chaos is a flexible threat: the infected devices include standard PCs, small office routers and large enterprise appliances.

Chaos is designed to run on several CPU architectures, including traditional PC processors (i386), ARM, MIPS and PowerPC. On the software side, it runs on Windows, Linux and FreeBSD. Unlike ransomware and botnets that rely on spam campaigns to spread, Chaos propagates by exploiting known vulnerabilities (tracked as CVEs) and by using compromised SSH keys.
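A first triage step for a drop set that claims to cover i386, ARM, MIPS and PowerPC on Linux plus Windows is simply to read each file's executable header and record the target format and architecture. The script below is an added example written for this article, not code from the page, from Black Lotus Labs or from the malware itself; it classifies ELF images by their e_ident and e_machine fields and PE images by the COFF Machine field, using a subset of the values defined in the ELF and PE/COFF specifications. The sample names and the header bytes in SAMPLES are constructed stand-ins, not real malware.

```python
import struct

# Subset of e_machine values from the ELF specification, covering the architectures
# the article lists (i386, ARM, MIPS, PowerPC) plus common 64-bit variants.
ELF_MACHINES = {
    0x03: "i386",
    0x08: "MIPS",
    0x14: "PowerPC",
    0x15: "PowerPC64",
    0x28: "ARM",
    0x3E: "x86-64",
    0xB7: "AArch64",
}

# Subset of IMAGE_FILE_HEADER.Machine values from the PE/COFF specification.
PE_MACHINES = {
    0x014C: "i386",
    0x01C0: "ARM",
    0x8664: "x86-64",
    0xAA64: "AArch64",
}

UNKNOWN = {"format": "unknown", "arch": None, "bits": None, "endian": None}


def identify_binary(data: bytes) -> dict:
    """Classify a file image by its header: ELF (e_ident + e_machine) or PE (MZ / PE Machine)."""
    if data[:4] == b"\x7fELF" and len(data) >= 20:
        ei_class, ei_data = data[4], data[5]      # EI_CLASS: 1 = 32-bit, 2 = 64-bit; EI_DATA: 1 = LE, 2 = BE
        fmt = "<HH" if ei_data == 1 else ">HH"    # e_type and e_machine follow the 16-byte e_ident
        _e_type, e_machine = struct.unpack(fmt, data[16:20])
        return {
            "format": "ELF",
            "arch": ELF_MACHINES.get(e_machine, f"unknown(0x{e_machine:x})"),
            "bits": 64 if ei_class == 2 else 32,
            "endian": "big" if ei_data == 2 else "little",
        }
    if data[:2] == b"MZ" and len(data) >= 0x40:
        (pe_off,) = struct.unpack("<I", data[0x3C:0x40])   # e_lfanew: offset of the "PE\0\0" signature
        if len(data) >= pe_off + 6 and data[pe_off:pe_off + 4] == b"PE\0\0":
            (machine,) = struct.unpack("<H", data[pe_off + 4:pe_off + 6])
            return {
                "format": "PE",
                "arch": PE_MACHINES.get(machine, f"unknown(0x{machine:x})"),
                "bits": 64 if machine in (0x8664, 0xAA64) else 32,
                "endian": "little",
            }
    return dict(UNKNOWN)


def triage(samples: dict) -> dict:
    """Map sample name -> 'FORMAT/arch/bits' so a multi-architecture drop set is visible at a glance."""
    out = {}
    for name, data in samples.items():
        info = identify_binary(data)
        out[name] = f"{info['format']}/{info['arch']}/{info['bits']}" if info["arch"] else "unknown"
    return out


def _elf_header(ei_class: int, ei_data: int, e_machine: int) -> bytes:
    """Constructed minimal ELF header: e_ident, then e_type (2 = ET_EXEC) and e_machine."""
    e_ident = b"\x7fELF" + bytes([ei_class, ei_data, 1]) + bytes(9)
    fmt = "<HH" if ei_data == 1 else ">HH"
    return e_ident + struct.pack(fmt, 2, e_machine)


def _pe_header(machine: int) -> bytes:
    """Constructed minimal PE stub: 'MZ', e_lfanew pointing at 0x40, then 'PE\\0\\0' and Machine."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    return dos + b"PE\0\0" + struct.pack("<H", machine)


# Constructed sample headers standing in for a cross-platform drop set (not real malware bytes).
SAMPLES = {
    "dropper.x86":  _elf_header(1, 1, 0x03),
    "dropper.mips": _elf_header(1, 2, 0x08),
    "dropper.arm":  _elf_header(1, 1, 0x28),
    "dropper.ppc":  _elf_header(1, 2, 0x14),
    "dropper.exe":  _pe_header(0x014C),
    "notes.txt":    b"plain text, not an executable",
}

if __name__ == "__main__":
    for name, summary in triage(SAMPLES).items():
        print(f"{name:14} {summary}")
```

Only the first few dozen bytes of each file are needed, so this runs quickly over a large quarantine directory; anything that comes back "unknown" (scripts, archives, corrupted downloads) is set aside for manual inspection rather than guessed at.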

The samples analyzed by Black Lotus targeted flaws in Huawei (CVE-2017-17215) and Zyxel (CVE-2022-30525) personal firewalls, alongside other well-known CVEs. Once a machine is infected, Chaos can enumerate the other devices on the network, run remote shells to execute commands and load additional modules. According to the researchers, the malware's complexity shows that Chaos was built by a "cybercriminal actor that is cultivating a network of infected devices to leverage for initial access, DDoS attacks and crypto mining."

Black Lotus believes Chaos is likely an evolution of Kaiji, a previously identified botnet that targeted Linux (i386) servers to perform DDoS attacks. The new malware is considerably more advanced, with new capabilities and the ability to run on Windows and FreeBSD in addition to Linux. The compromised IPs identified by the security company are mostly located in Europe, with smaller clusters of infections in North and South America and in the Asia-Pacific region.

In concluding their analysis, the researchers suggest a few best practices to avoid infection by a threat as complex and dangerous as Chaos. Patch management for newly discovered vulnerabilities should be "effective," the authors say, and SOHO routers should be rebooted regularly (in addition to receiving the latest firmware updates), since most router malware does not survive a reboot. Remote workers should also change default passwords and disable remote root access on machines that don't require it.
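The "disable remote root access" advice is a one-line change in sshd_config, but on a fleet of remote-worker machines the hard part is finding the hosts that still allow it. The script below is an added example written for this article, not code from the page or from Black Lotus Labs. It parses an OpenSSH server configuration the way sshd does (first occurrence of a keyword wins, global settings end at the first Match block) and flags two settings: PermitRootLogin, which the article says should be off, and PasswordAuthentication, which matters because password brute-forcing over SSH is one of the spread paths discussed in the thread. The assumed defaults are those of OpenSSH 7.0 and later; WEAK_CONFIG and HARDENED_CONFIG are constructed sample files.

```python
import re

# Settings the article's advice maps onto. PermitRootLogin is only accepted as "no":
# "prohibit-password" still lets root in with a key, and compromised SSH keys are one of
# the spread paths the article names. Defaults assume OpenSSH 7.0+ (older builds defaulted
# PermitRootLogin to "yes", which would only make a missing line worse).
CHECKS = {
    "permitrootlogin": {
        "acceptable": {"no"},
        "default": "prohibit-password",
        "fix": "PermitRootLogin no",
    },
    "passwordauthentication": {
        "acceptable": {"no"},
        "default": "yes",
        "fix": "PasswordAuthentication no",
    },
}


def parse_sshd_config(text: str) -> dict:
    """Return the effective global keyword -> value map (keys and values lower-cased).

    Mirrors sshd's rule that the first occurrence of a keyword wins. Parsing stops at the
    first 'Match' block, because settings inside it apply only to matching connections and
    do not change the global default this audit is about.
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # sshd accepts "Key value" and "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":
            break
        effective.setdefault(key, value)
    return effective


def audit_sshd_config(text: str) -> list:
    """Return one finding dict per check whose effective value is not acceptable."""
    effective = parse_sshd_config(text)
    findings = []
    for key, check in CHECKS.items():
        value = effective.get(key, check["default"])     # absent keyword -> compiled-in default
        if value not in check["acceptable"]:
            findings.append({"setting": key, "value": value, "fix": check["fix"]})
    return findings


# Constructed example of a permissive configuration of the kind the article warns about.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed hardened counterpart: keys only, no remote root. The Match block re-enables
# passwords for one account only and must not be read as the global setting.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_sshd_config(cfg)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  {f['setting']} = {f['value']!r}; set '{f['fix']}'")
```

Run it against the output of `sshd -T` rather than the raw file when possible: that command prints the effective configuration after includes and defaults are resolved, which removes the need to guess the compiled-in defaults at all.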


takaozo

Posts: 428   +658
"CVEs refer to the mechanism used to track specific vulnerabilities. Wednesday's report referred to only a few, including CVE-2017-17215 and CVE-2022-30525 affecting firewalls sold by Huawei, and CVE-2022-1388, an extremely severe vulnerability in load balancers, firewalls, and network inspection gear sold by F5. SSH infections using password brute-forcing and stolen keys also allow Chaos to spread from machine to machine inside an infected network."
source:https://arstechnica.com/information...fected-hundreds-of-linux-and-windows-devices/

So F5 BigIP was also impacted, and there are a lot of others not announced yet.

Best is to set up ACLs for HTTPS and SSH access and, of course, no default account and password.
 

PEnnn

Posts: 957   +1,253
Linux too??

Hmmm, there was a time, like yesterday, or maybe the day before, when some people were screaming at us and claiming Linux is impervious to any virus known to man or machine!!
 

Tantor

Posts: 374   +645
Linux too??

Hmmm, there was a time, like yesterday, or maybe the day before, when some people were screaming at us and claiming Linux is impervious to any virus known to man or machine!!

Well... we know for sure that Linux is impervious to CV19. If that's any consolation!
 

WhiteLeaff

Posts: 57   +66
"The samples analyzed by Black Lotus contained flaws affecting Huawei (CVE-2017-17215) and Zyxel (CVE-2022-30525) personal firewalls besides other, well-known CVEs."

Nothing new here.