Typically, malware is designed to attack a single operating system. Chaos is different: the threat is cross-platform, infecting both Windows and Linux machines to launch DDoS attacks or mine cryptocurrency. It even attacks routers. As the name suggests, we are dealing with a “chaotic” piece of malware.
The name Chaos was given by Black Lotus, the research division of the digital security company Lumen. It was chosen not only because the malware strikes terror: the word “chaos” appears in several of the files and functions that make up the malware.
The question that remains is: how does this invader manage to attack so many kinds of equipment?
The modus operandi of Chaos
For starters, Chaos was developed in the Go language, which lets it support multiple architectures, among them x86, AMD64, MIPS and ARMv8. And, as already mentioned, the malware can attack both Windows and Linux systems.
In addition, the malware relies on two strategies to propagate. One is exploiting unpatched flaws in software. The other is accessing systems over SSH using stolen keys or keys obtained by brute force.
There is more: after infecting a device, Chaos tries to infect other devices connected to the same network.
This combination of factors lets the threat compromise not only PCs but also routers and servers. The malware has even been found on machines running FreeBSD.
The purpose of Chaos is to set up a botnet, that is, a network of devices “enslaved” to perform specific tasks. According to Black Lotus, the malware creates a kind of reverse shell that lets its creators connect to the affected machine at any time and send it commands.
From there, the botnet formed by Chaos can be used to carry out DDoS (denial of service) attacks or to mine cryptocurrency. Other actions can also be performed, but these are the main ones.
Does it work? Since April, when the malware was first identified, Black Lotus has detected hundreds of IP addresses associated with infected devices.
The company’s researchers also found that the botnet has several organizations among its targets. DDoS attacks performed with Chaos have been identified against gaming, media and financial services companies, for example. Even a cryptocurrency exchange came under attack.
Most of the infected devices are located in Europe, Black Lotus explains, but compromised machines have been identified almost everywhere in the world. This makes it clear that Chaos’ activity should not be overlooked.
It is unclear whether there is a known group behind the malware. It is known, however, that its command infrastructure is based in China.
Successor to the Kaiji malware?
Chaos has enormous destructive power, but not entirely on its own merits. Black Lotus found evidence that the malware borrows components from another piece of malware, Kaiji. The latter was discovered in 2020; it targeted servers running Linux and infected those machines by brute-forcing SSH.
As always, the best medicine is prevention. Basic precautions are a good start, such as using strong passwords, keeping your operating system up to date, and installing the latest router firmware.