Black Lotus Labs, Lumen Technologies’ threat intelligence team, has issued a warning on Chaos, the new variant of the Kaiji distributed denial-of-service (DDoS) botnet, targeting enterprises and large organizations.
Believed to be of Chinese origin, the Golang-based Kaiji malware emerged in early 2020, targeting Linux systems and internet of things (IoT) devices via SSH brute force attacks. By mid-2020, the threat was also targeting Docker servers.
Like Kaiji, the recently observed Chaos malware is written in Go and uses SSH brute force attacks to infect new devices. It also exploits known vulnerabilities and uses stolen SSH keys for infection.
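Because SSH brute force is the primary infection vector named above, the most useful first check for a defender is a sweep of sshd authentication logs for sources that fail repeatedly and then succeed. The script below is an added example for this article, not code from Black Lotus Labs or from the malware; the log lines are constructed sample data in standard OpenSSH syslog format, the year is assumed (syslog timestamps omit it), and the threshold and window are illustrative tuning values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd log lines (not taken from the report). One source
# fails five times within seconds and then logs in; the other is a user who
# mistyped a password once and then authenticated with a key.
SAMPLE_LOG = """\
Sep 12 10:01:02 host1 sshd[2001]: Failed password for root from 198.51.100.7 port 51000 ssh2
Sep 12 10:01:03 host1 sshd[2002]: Failed password for root from 198.51.100.7 port 51001 ssh2
Sep 12 10:01:04 host1 sshd[2003]: Failed password for invalid user admin from 198.51.100.7 port 51002 ssh2
Sep 12 10:01:05 host1 sshd[2004]: Failed password for invalid user pi from 198.51.100.7 port 51003 ssh2
Sep 12 10:01:06 host1 sshd[2005]: Failed password for root from 198.51.100.7 port 51004 ssh2
Sep 12 10:01:07 host1 sshd[2006]: Accepted password for root from 198.51.100.7 port 51005 ssh2
Sep 12 10:05:00 host1 sshd[2010]: Failed password for alice from 203.0.113.9 port 40000 ssh2
Sep 12 10:05:30 host1 sshd[2011]: Accepted publickey for alice from 203.0.113.9 port 40001 ssh2
"""

# Matches the OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_line(line, year=2022):
    """Parse one sshd auth line into a dict, or return None for unrelated lines.
    The year is an assumption: syslog timestamps do not carry one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Flag source IPs with >= threshold failed logins inside a sliding window.

    Returns {ip: {"peak_failures": int, "users": set, "success_after": (user, method) or None}}.
    A non-None success_after means the source eventually authenticated, which is
    the case that needs immediate attention (possible compromise, not just noise).
    """
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    recent = defaultdict(list)   # ip -> timestamps of failures still inside the window
    users = defaultdict(set)     # ip -> usernames attempted from that source
    alerts = {}
    for e in events:
        ip = e["ip"]
        users[ip].add(e["user"])
        if e["result"] == "Failed":
            window = recent[ip]
            window.append(e["ts"])
            # Slide the window: drop failures older than window_seconds.
            while (e["ts"] - window[0]).total_seconds() > window_seconds:
                window.pop(0)
            if len(window) >= threshold:
                a = alerts.setdefault(ip, {"peak_failures": 0, "users": users[ip],
                                           "success_after": None})
                a["peak_failures"] = max(a["peak_failures"], len(window))
        elif ip in alerts:
            # A successful login from an already-flagged source.
            alerts[ip]["success_after"] = (e["user"], e["method"])
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info['peak_failures']} failures/window, users tried {sorted(info['users'])}, "
              f"success afterwards: {info['success_after']}")
```

Run against a real `/var/log/auth.log` or `journalctl -u ssh` export by passing the lines to `detect_bruteforce`; the sliding window keeps a slow, patient scanner from being masked by a high threshold, and the `success_after` field separates ordinary scanning noise from a source that actually got in.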
The threat works on multiple architectures, including ARM, Intel (i386), MIPS and PowerPC, and can run on both Linux and Windows, Black Lotus Labs says.
Once it has infected a device, Chaos establishes persistence and connects to an embedded command and control (C&C) server. It then receives staging commands, such as instructions to start propagation via known CVEs or SSH, or to begin IP spoofing.
On infected Windows systems, the malware first creates a mutex by binding to a UDP port, which it shields from analysis. If the binding fails, the malware exits its process.
Black Lotus Labs also observed numerous additional commands being sent to bots after the initial set of staging instructions. These commands would lead to new propagation attempts, further compromise of the infected device, DDoS attacks, or crypto-mining.
Chaos can also establish a reverse shell, using an open source script designed to run on Linux-native bash shells, allowing the attackers to upload, download or modify files on the target device.
Black Lotus Labs notes that, from mid-June through mid-July, it observed hundreds of unique IP addresses representing Chaos-infected devices, followed by an uptick in new staging C&C servers in August and September.
Most of the infections are in Europe, North and South America, and Asia-Pacific (but not Australia or New Zealand).
In September, the botnet was observed launching DDoS attacks against over 20 organizations’ domains or IPs. Targeted entities span multiple industries, including entertainment, financial, gaming, media, and hosting. Furthermore, it was seen targeting DDoS-as-a-service providers and a crypto mining exchange.
“Not only does it target enterprise and large organizations but also devices and systems that aren’t routinely monitored as part of an enterprise security model, such as SOHO routers and FreeBSD OS. And with a significant evolution from its predecessor, Chaos is achieving rapid growth since the first documented evidence of it in the wild,” Black Lotus Labs concludes.