Lumen’s Black Lotus Labs blogs about discovering a new rapidly growing, multipurpose malware written in the Go programming language. Dubbed “Chaos” by the author, the malware was developed for Windows, Linux, and a wide array of consumer devices, small office/home office (SOHO) routers and enterprise servers.
“We are seeing a complex malware that has quadrupled in size in just two months, and it is well-positioned to continue accelerating,” said Mark Dehus, director of threat intelligence for Lumen Black Lotus Labs. “Chaos poses a threat to a variety of consumer and enterprise devices and hosts. We strongly recommend organizations bolster their security postures by deploying services like Secure Access Service Edge (SASE) and DDoS mitigation.”
- The Chaos malware exploits known vulnerabilities and enables the actor to:
- Scan the target system to profile it for future commands.
- Automatically initiate lateral movement and propagation through Secure Shell (SSH) private keys that are either stolen or obtained using brute force.
- Launch DDoS attacks and initiate crypto mining.
- Beginning in June, analysts discovered several distinct Chaos clusters that were written in Chinese. The clusters leveraged China-based command and control (C2) infrastructure that grew rapidly in August and September.
- The actor compromised at least one GitLab server and launched numerous DDoS attacks on organizations in the gaming, financial services and technology, media/entertainment, cryptocurrency, and even DDoS-as-a-Service industries.
- Black Lotus Labs believes this malware is … likely the evolution of Kaiji, a DDoS malware discovered in 2020.