Lumen’s Black Lotus Labs blogs about discovering a new rapidly growing, multipurpose malware written in the Go programming language. Dubbed “Chaos” by the author, the malware was developed for Windows, Linux, and a wide array of consumer devices, small office/home office (SOHO) routers and enterprise servers.
“We are seeing a complex malware that has quadrupled in size in just two months, and it is well-positioned to continue accelerating,” said Mark Dehus, director of threat intelligence for Lumen Black Lotus Labs. “Chaos poses a threat to a variety of consumer and enterprise devices and hosts. We strongly recommend organizations bolster their security postures by deploying services like Secure Access Service Edge (SASE) and DDoS mitigation.”
Key Findings:
- The Chaos malware exploits known vulnerabilities and enables the actor to:
- Scan the target system to profile it for future commands.
- Automatically initiate lateral movement and propagation through Secure Shell (SSH) private keys that are either stolen or obtained using brute force.
- Launch DDoS attacks and initiate crypto mining.
- Beginning in June, analysts discovered several distinct Chaos clusters that were written in Chinese. The clusters leveraged China-based command and control (C2) infrastructure that grew rapidly in August and September.
- The actor compromised at least one GitLab server and launched numerous DDoS attacks on organizations in the gaming, financial services and technology, media/entertainment, cryptocurrency, and even DDoS-as-a-Service industries.
- Black Lotus Labs believes this malware is … likely the evolution of Kaiji, a DDoS malware discovered in 2020.
As a part of Lumen technologies, Black Lotus Labs has unique insight and access into network traffic that most other research groups do not have. The trend of writing malware in Go (and other non-traditional languages) is increasing as features of the language allow its use across multiple platforms. In many cases, AV software struggles to detect malware written in Go, and with fewer practitioners, reverse-engineering and analysis is not as common.
In this case, the malware is extremely adaptive and difficult to find. It is successful against IoT devices, home routers, and major platforms like MS and Linux machines. “Chaos” is an example of an Overlay Attack, where the actor is able to create their own network over compromised machines. This essentially creates a private cloud net for bad guys from which they can carry out any number of attacks, steal resources, launch DDoS, and make attribution that much more difficult.