Kaiji Botnet Successor ‘Chaos’ Targeting Linux, Windows Systems

Black Lotus Labs, Lumen Technologies’ threat intelligence team, has issued a warning on Chaos, the new variant of the Kaiji distributed denial-of-service (DDoS) botnet, targeting enterprises and large organizations.

Believed to be of Chinese origin, the Golang-based Kaiji malware emerged in early 2020, targeting Linux systems and internet of things (IoT) devices via SSH brute force attacks. By mid-2020, the threat was also targeting Docker servers.

Like Kaiji, the recently observed Chaos malware is written in Go and uses SSH brute force attacks to infect new devices. It also exploits known vulnerabilities and uses stolen SSH keys to spread.
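The two SSH-based infection paths described above (password brute forcing and logins with stolen keys) both leave a trail in the sshd authentication log. The following detector is an added example written for this article, not code from Black Lotus Labs or from the Chaos sample: it parses OpenSSH "Failed"/"Accepted" lines, raises an alert when one source address exceeds a failure threshold inside a sliding time window, and raises a second alert when a login from that same source later succeeds. The log lines, host name, addresses and thresholds are all constructed for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the common OpenSSH auth-log line shape (syslog timestamp without year).
# Covers both "Failed password for invalid user X from IP" and
# "Accepted publickey for X from IP". Anything else is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample: a short password-guessing burst from 203.0.113.5 that ends
# in a successful root login, one benign key-based login, and one stray failure.
SAMPLE_LINES = [
    "Sep 15 10:00:01 host sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2",
    "Sep 15 10:00:03 host sshd[2103]: Failed password for root from 203.0.113.5 port 40124 ssh2",
    "Sep 15 10:00:05 host sshd[2105]: Failed password for invalid user pi from 203.0.113.5 port 40126 ssh2",
    "Sep 15 10:00:06 host sshd[2107]: Failed password for root from 203.0.113.5 port 40128 ssh2",
    "Sep 15 10:00:08 host sshd[2109]: Failed password for invalid user ubnt from 203.0.113.5 port 40130 ssh2",
    "Sep 15 10:00:09 host sshd[2111]: Failed password for root from 203.0.113.5 port 40132 ssh2",
    "Sep 15 10:00:12 host sshd[2113]: Accepted password for root from 203.0.113.5 port 40134 ssh2",
    "Sep 15 10:00:30 host sshd[2115]: Accepted publickey for deploy from 198.51.100.7 port 51002 ssh2",
    "Sep 15 10:01:02 host sshd[2117]: Failed password for invalid user test from 192.0.2.9 port 33000 ssh2",
    "Sep 15 10:01:10 host sshd[2119]: Connection closed by 192.0.2.9 port 33000 [preauth]",
]


def parse_line(line, year=2022):
    """Return a dict for an auth result line, or None for lines we do not track.
    Syslog timestamps carry no year, so the caller supplies one (assumed here)."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect(lines, threshold=5, window_seconds=60):
    """Sliding-window brute-force detector keyed on source IP.

    Emits one 'brute_force' alert when a source reaches `threshold` failures
    within `window_seconds`, and a 'success_after_failures' alert when a source
    that has failed recently then authenticates successfully (the pattern a
    successful password-guessing run produces)."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        recent = failures[ev["ip"]]
        # Drop failures that have aged out of the window.
        while recent and (ev["ts"] - recent[0]).total_seconds() > window_seconds:
            recent.popleft()
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
            # Alert exactly once per burst, when the threshold is first crossed.
            if len(recent) == threshold:
                alerts.append({"kind": "brute_force", "ip": ev["ip"],
                               "count": len(recent), "at": ev["ts"]})
        elif recent:
            alerts.append({"kind": "success_after_failures", "ip": ev["ip"],
                           "user": ev["user"], "method": ev["method"],
                           "prior_failures": len(recent), "at": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LINES):
        print(alert)
```

Run against the sample, the script reports one brute-force alert for 203.0.113.5 at the fifth failure and one success-after-failures alert for the subsequent root login; the key-based login from 198.51.100.7 and the lone failure from 192.0.2.9 produce nothing. Catching the stolen-key case needs a baseline of which sources normally present which keys, which this detector deliberately does not keep; pairing it with such a baseline, or with a rule that flags key-based root logins from outside the management network, is the natural next step.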

The threat works on multiple architectures, including ARM, Intel (i386), MIPS and PowerPC, and can run on both Linux and Windows, Black Lotus Labs says.

Once it has infected a device, Chaos establishes persistence and connects to an embedded command and control (C&C) server. Next, it receives staging commands, such as to start propagation via known CVEs or SSH, or to begin IP spoofing.

On infected Windows systems, the malware first creates a mutex by binding to a UDP port that it shields from analysis. If the binding fails, the malware exits its process.

Black Lotus Labs also observed numerous additional commands being sent to bots after the initial set of staging instructions. These commands would lead to new propagation attempts, further compromise of the infected device, DDoS attacks, or crypto-mining.

Chaos can also establish a reverse shell, using an open source script designed to run on Linux-native bash shells, allowing the attackers to upload, download or modify files on the target device.

Black Lotus Labs notes that, from mid-June through mid-July, it observed hundreds of unique IP addresses representing Chaos-infected devices, followed by an uptick in new staging C&C servers in August and September.

Most of the infections are in Europe, North and South America, and Asia-Pacific (but not Australia or New Zealand).

In September, the botnet was observed launching DDoS attacks against the domains or IPs of more than 20 organizations. The targeted entities span multiple industries, including entertainment, financial, gaming, media, and hosting. It was also seen targeting DDoS-as-a-service providers and a crypto mining exchange.

“Not only does it target enterprise and large organizations but also devices and systems that aren’t routinely monitored as part of an enterprise security model, such as SOHO routers and FreeBSD OS. And with a significant evolution from its predecessor, Chaos is achieving rapid growth since the first documented evidence of it in the wild,” Black Lotus Labs concludes.

Related: Powerful ‘Mantis’ DDoS Botnet Hits 1,000 Organizations in One Month

Related: ‘Sysrv’ Botnet Targeting Recent Spring Cloud Gateway Vulnerability

Related: New ‘Enemybot’ DDoS Botnet Targets Routers, Web Servers

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
