A newly discovered form of cross-platform malware has been found in the wild infecting Linux and Windows devices, including servers, routers and FreeBSD boxes.
Detailed Wednesday by researchers at Black Lotus Labs, the threat intelligence arm of Lumen Technologies Inc., the new “Chaos” malware is written in the Go programming language. The name comes from the threat group behind it. The code for Chaos is written in Chinese and leverages China-based infrastructure for command and control.
Chaos, which the researchers describe as a “Swiss Army knife of malware,” includes a range of functions. These include the ability to enumerate the host environment, run remote shell commands, load additional modules, propagate automatically by stealing and brute-forcing SSH private keys, and launch distributed denial-of-service attacks.
Using Lumen’s global network visibility, the researchers analyzed about 100 samples of the malware and found several distinct Chaos botnet clusters and successful attacks. The attacks include a successful compromise of a GitLab server and a spate of recent DDoS attacks targeting the gaming, financial services, technology, media and entertainment industries. Chaos has also targeted distributed-denial-of-service-as-a-service providers and a cryptocurrency exchange.
Although the researchers note that the botnet infrastructure being used by Chaos is smaller than some of the leading DDoS malware families, the malware has proliferated in the last few months.
“Given the suitability of the Chaos malware to operate across a range of consumer and enterprise devices, its multipurpose functionality and the stealth profile of the network infrastructure behind it, we assess with moderate confidence this activity is the work of a cybercriminal actor that is cultivating a network of infected devices to leverage for initial access, DDoS attacks and crypto mining,” the researchers state.
Given that one of the main ways Chaos spreads is through the exploitation of known vulnerabilities, the researchers recommend that network defenders ensure effective patch management of newly discovered Common Vulnerabilities and Exposures and monitor any connections to suspicious infrastructure.
Remote workers are advised to change default passwords and disable root access on machines that don’t require it. Consumers with routers are advised to reboot routers and install security updates and patches regularly.
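As an added example (not code from Black Lotus Labs or the article), the following audits the two sshd_config directives most relevant to the advice above, root login and password authentication, which the SSH brute forcing described earlier depends on. The sample configurations are constructed, and the defaults assumed for absent directives are those documented for current OpenSSH releases.

```python
"""Audit sshd_config for the two settings SSH password brute forcing relies on.

Added example for this article; not code from Black Lotus Labs or SiliconANGLE.
Sample configs below are constructed. Only global (pre-Match) directives are read.
"""
import re

# Values considered safe for each audited directive (keys lower-cased).
SAFE = {
    "permitrootlogin": {"no", "prohibit-password", "without-password"},
    "passwordauthentication": {"no"},
}
# OpenSSH defaults applied when a directive is absent from the file (assumed).
DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes"}


def parse_sshd_config(text):
    """Return effective directive values; sshd honours the first occurrence."""
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.split(None, 1)[0].lower() == "match":
            break  # Match blocks are conditional; this audit stops at the first one
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        effective.setdefault(key, value)
    return effective


def audit(text):
    """Return (directive, effective_value) for every audited setting that is weak."""
    effective = parse_sshd_config(text)
    return [
        (key, effective.get(key, DEFAULTS[key]))
        for key, safe in SAFE.items()
        if effective.get(key, DEFAULTS[key]) not in safe
    ]


# Constructed samples: the weak state the article warns about, and a hardened one.
WEAK_CONFIG = "Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n"
HARDENED_CONFIG = "PermitRootLogin no\nPasswordAuthentication no\nPubkeyAuthentication yes\n"

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or "no findings")
```

Run it against a host's real /etc/ssh/sshd_config to see which of the two settings still allows password-based root logins; anything inside a Match block is not evaluated.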
“The trend of writing malware in Go and other nontraditional languages is increasing as features of the language allow its use across multiple platforms,” Ryan English, project manager at cybersecurity training company Cybrary Inc.’s Threat Intelligence Group, told SiliconANGLE. “In many cases, antivirus software struggles to detect malware written in Go and with fewer practitioners, reverse-engineering and analysis is not as common.”
English warned that Chaos is highly adaptive and difficult to find. “It is successful against IoT devices, home routers and major platforms like Windows and Linux machines,” English said. “The actor is able to create their own network over compromised machines… essentially creating a private cloud net for bad guys from which they can carry out any number of attacks, steal resources, launch DDoS and make attribution that much more difficult.”