The number of attacks involving a new Go-based botnet, dubbed Chaos, has been rapidly increasing in recent months, according to research released by Lumen’s Black Lotus Labs. The malware has been seen infecting a wide range of Windows and Linux systems, small office/home office (SOHO) routers, and enterprise servers.
While the initial access vector is unknown, Chaos has been seen propagating from infected targets to non-infected targets via CVE exploitation. A unique aspect of Chaos is that it supports installation on a multitude of architectures, including x86, x86-64, AMD64, MIPS, MIPS64, Armv5-ARMv8, AArch64, and PowerPC. Two examples of CVEs seen exploited by Chaos are CVE-2017-17215 and CVE-2022-30525, which respectively exploit vulnerabilities in Huawei and Zyxel personal firewalls and allow for unauthenticated remote command injection on the target.
Once Chaos executes on a device, it first establishes persistence via a Registry Run key and then beacons out to its Command and Control (C2) server. The C2 server responds with initialization commands that include configuring access for the C2 server to download additional files, compromising additional devices through SSH by means of key theft or brute force, and configuring the device to allow for IP spoofing.
Once initialization has been completed, the malware awaits further instructions from the C2 server. Chaos includes a multitude of commands that can be executed by the threat actor, including the capability to download and launch a Perl-based reverse shell, initiate a DDoS attack, or install a cryptocurrency miner.
Chaos is attributed by Lumen researchers to Chinese-speaking threat actors due to its use of China-based infrastructure for C2 and the presence of hard-coded strings written partially or fully in Chinese characters.
Not all the infection vectors used by Chaos are known; however, its use of CVE exploitation to propagate to other systems is well established. It is highly recommended to ensure that all devices, particularly any externally facing ones, are up to date on patching. Because of Chaos’ wide architecture support and its resulting ability to infect a multitude of devices, this also includes any networking equipment or ARM-based devices. It is also recommended to maintain endpoint security controls, such as an EDR, on all devices in order to prevent malware or processes exhibiting abnormal behavior from executing. Logging mechanisms should also be in place on all devices to alert upon suspicious behavior in cases where prevention fails. For Chaos in particular, this includes behaviors like a Registry Run key being created by an abnormal process; an executable being placed in and executed from the ProgramData folder; and a well-known Windows binary (csrss.exe) executing out of a non-standard location and making network connections. Binary Defense’s Managed Detection and Response service is an excellent asset to assist with these types of detection needs.
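The three Windows behaviors listed above can be turned into simple detection logic over endpoint telemetry. The following is an added example written for this page, not code from Binary Defense or Lumen; it assumes Sysmon-style event records (EventID 1 = process create, 13 = registry value set, 3 = network connection) reduced to a few fields, and the sample events are constructed, not real Chaos telemetry.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample events in a reduced Sysmon-like shape (not real telemetry).
EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\csrss.exe"},
    {"id": 1, "image": r"C:\ProgramData\svc\update.exe"},
    {"id": 13, "image": r"C:\ProgramData\svc\update.exe",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svc"},
    {"id": 1, "image": r"C:\Users\Public\csrss.exe"},
    {"id": 3, "image": r"C:\Users\Public\csrss.exe", "dst": "203.0.113.7:443"},
    {"id": 13, "image": r"C:\Windows\explorer.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
]

# Matches Run and RunOnce keys under HKLM or HKCU.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
# The only location the real csrss.exe should execute from.
EXPECTED_CSRSS = "c:\\windows\\system32\\csrss.exe"
PROGRAMDATA = "c:\\programdata\\"
# Processes that legitimately write Run keys in this (hypothetical) environment; tune per fleet.
RUN_KEY_ALLOWLIST = {"c:\\windows\\explorer.exe"}


def detect(events):
    """Return (rule, image, detail) tuples for events matching the Chaos-related behaviors."""
    alerts = []
    for e in events:
        image = e["image"].lower()
        name = PureWindowsPath(image).name
        # 1. Registry Run key written by a process outside the allowlist.
        if e["id"] == 13 and RUN_KEY.search(e["key"]) and image not in RUN_KEY_ALLOWLIST:
            alerts.append(("run_key_abnormal_writer", image, e["key"]))
        # 2. Executable launched from within ProgramData.
        if e["id"] == 1 and image.startswith(PROGRAMDATA):
            alerts.append(("exec_from_programdata", image, ""))
        # 3. csrss.exe running from, or connecting out from, a non-standard path.
        if name == "csrss.exe" and image != EXPECTED_CSRSS:
            if e["id"] == 1:
                alerts.append(("csrss_nonstandard_path", image, ""))
            elif e["id"] == 3:
                alerts.append(("csrss_nonstandard_netconn", image, e["dst"]))
    return alerts


if __name__ == "__main__":
    for rule, image, detail in detect(EVENTS):
        print(f"{rule}: {image} {detail}".rstrip())
```

The allowlist for Run-key writers is the part that needs tuning; installers and update agents vary per environment, so baseline it before alerting.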