Chaos - A New Go-based Malware Targeting Windows and Linux Systems

A new Go-based malware dubbed Chaos is targeting Windows and Linux systems, pulling devices ranging from small office/home office (SOHO) routers to enterprise servers into its botnet.

According to researchers from Lumen’s Black Lotus Labs, “Chaos functionality includes the ability to enumerate the host environment, run remote shell commands, load additional modules, automatically propagate through stealing and brute-forcing SSH private keys, as well as launch DDoS attacks.” 

Many of the bots are located in Europe, specifically Italy. There were also some infections reported in China and the U.S.; collectively, there were hundreds of unique IP addresses over a one-month period.

This botnet can be used to launch DDoS attacks or contribute to cryptocurrency mining by abusing its position as persistent malware. The malware is written in Chinese and leverages China-based infrastructure for command and control.

The development also points to a dramatic uptick in threat actors who use Go to deter detection and evade reverse engineering.

Chaos stays true to its name: it is known to gain initial access by exploiting known security vulnerabilities, which it then abuses to conduct reconnaissance and initiate lateral movement across the compromised network. It is different from the ransomware builder with the same name.

The malware has some exceptional features, such as being able to work across a range of architectures, including ARM, Intel (i386), MIPS, and PowerPC. This lets it target a wider range of devices and grow rapidly in volume.

Chaos can execute commands sent to it, including commands to exploit publicly disclosed vulnerabilities (CVE-2017-17215 and CVE-2022-30525) defined in a file.

Chaos is believed to be an evolution of another DDoS malware based on Kaiji, which targeted Docker instances in the past. Given an analysis of over 100 samples and the overlapping code found in them, this claim seems plausible.

GitLab servers located in Europe were attacked by the Chaos botnet in September. The hackers targeted servers with a variety of purposes, including crypto mining exchanges as well as others.

The findings come 3 months after a cybersecurity company exposed a new RAT named ZuoRAT that has been targeting SOHO routers as part of a sophisticated campaign directed against North American and European networks.

If a computer is infected with ransomware that encrypts the data on it, the person who is infected cannot access their own files. Chaos can dramatically increase the speed of an infection because there are no lines of defence or checkpoints.
