The number of attacks involving a new Go-based botnet, dubbed Chaos, has been rapidly increasing in recent months, according to research released by Lumen’s Black Lotus Labs. The malware has been seen infecting a wide range of Windows and Linux systems, including small office/home office (SOHO) routers and enterprise servers.
While the initial access vector is unknown, Chaos has been observed propagating from infected hosts to uninfected ones by exploiting known CVEs. A distinctive aspect of Chaos is the number of architectures it can be installed on, including x86, x86-64, AMD64, MIPS, MIPS64, ARMv5 through ARMv8, AArch64, and PowerPC. Two examples of CVEs seen exploited by Chaos are CVE-2017-17215 and CVE-2022-30525, which affect Huawei and Zyxel personal firewalls respectively and allow unauthenticated remote command injection on the target.
Once Chaos executes on a device, it first establishes persistence via a Registry Run key and then beacons out to its command and control (C2) server. The C2 server responds with initialization commands that include configuring access so the C2 server can download additional files, compromising additional devices over SSH by means of key theft or brute force, and configuring the device to allow IP spoofing.
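The SSH brute-force stage described above is one of the few parts of the initialization sequence a defender can see from the target side, because every guessed password leaves a line in the sshd authentication log. The following script is an added example and is not code from Lumen's report or from the malware itself; it assumes OpenSSH's default auth.log line format, a constructed sample log embedded inline, and a hypothetical threshold of five failures within sixty seconds. It flags source addresses that produce such a burst and, more importantly, marks those that later obtain a successful login, which is the pattern a spreading bot leaves behind when a guess succeeds.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample lines in OpenSSH's auth.log format (not real captured data).
# 203.0.113.7 hammers root/admin/pi and finally gets in; the other hosts are benign.
SAMPLE_AUTH_LOG = """\
Sep 28 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 41022 ssh2
Sep 28 10:00:02 host sshd[1202]: Failed password for root from 203.0.113.7 port 41023 ssh2
Sep 28 10:00:03 host sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 41024 ssh2
Sep 28 10:00:04 host sshd[1204]: Failed password for root from 203.0.113.7 port 41025 ssh2
Sep 28 10:00:05 host sshd[1205]: Failed password for root from 203.0.113.7 port 41026 ssh2
Sep 28 10:00:06 host sshd[1206]: Failed password for invalid user pi from 203.0.113.7 port 41027 ssh2
Sep 28 10:00:20 host sshd[1210]: Accepted publickey for deploy from 198.51.100.9 port 50212 ssh2: RSA SHA256:placeholder
Sep 28 10:05:00 host sshd[1220]: Failed password for alice from 198.51.100.22 port 50301 ssh2
Sep 28 10:05:07 host sshd[1221]: Accepted password for alice from 198.51.100.22 port 50302 ssh2
Sep 28 10:09:30 host sshd[1230]: Accepted password for root from 203.0.113.7 port 41100 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ...", plus "Accepted ..." lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


@dataclass
class Finding:
    source_ip: str
    failed_attempts: int       # total failures seen from this source
    distinct_users: int        # how many usernames were tried (spraying indicator)
    success_after_burst: bool  # a login was accepted after the burst: treat as compromise


def parse_auth_log(text, year):
    """Return (timestamp, result, user, ip) tuples; syslog lines carry no year, so one is supplied."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not login outcomes
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect_ssh_bruteforce(text, year=2022, threshold=5, window_seconds=60):
    """Flag sources with >= threshold failures inside a sliding window, and any later success."""
    events = sorted(parse_auth_log(text, year), key=lambda e: e[0])
    failures = defaultdict(list)  # ip -> [(ts, user)]
    burst_ips = set()             # sources that crossed the threshold
    success_after = set()         # burst sources that subsequently logged in
    for ts, result, user, ip in events:
        if result == "Failed":
            failures[ip].append((ts, user))
            recent = [t for t, _ in failures[ip] if (ts - t).total_seconds() <= window_seconds]
            if len(recent) >= threshold:
                burst_ips.add(ip)
        elif result == "Accepted" and ip in burst_ips:
            success_after.add(ip)
    findings = {}
    for ip in burst_ips:
        attempts = failures[ip]
        findings[ip] = Finding(ip, len(attempts), len({u for _, u in attempts}), ip in success_after)
    return findings


if __name__ == "__main__":
    for f in detect_ssh_bruteforce(SAMPLE_AUTH_LOG).values():
        severity = "COMPROMISE LIKELY" if f.success_after_burst else "brute force"
        print(f"{f.source_ip}: {f.failed_attempts} failures, {f.distinct_users} users tried [{severity}]")
```

The single failed login from 198.51.100.22 followed by a success is ordinary user behaviour and is not reported; the sixty-second window keeps slow-and-low guessing from being flagged here, so in production the window and threshold should be tuned per environment, and a source that is both flagged and later accepted deserves the same response as a confirmed foothold.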
Once initialization is complete, the malware awaits further instructions from the C2 server. Chaos supports a multitude of commands that the threat actor can issue, including downloading and launching a Perl-based reverse shell, initiating a DDoS attack, or installing a cryptocurrency miner.
Lumen researchers attribute Chaos to Chinese-speaking threat actors due to its use of China-based C2 infrastructure and the presence of hard-coded strings partially or fully written in Chinese characters.