Researchers from Black Lotus Labs, the research unit of security firm Lumen Technologies, have identified new cross-platform malware. Dubbed Chaos by researchers, this malware has infected numerous Windows and Linux devices, including corporate servers, FreeBSD boxes, and small business routers.
Researchers have discovered “Chaos”
Lumen researchers dubbed the malware Chaos because the word appears repeatedly in the filenames, function names, and certificates it uses. The malware contains Chinese-language text and uses command-and-control infrastructure based in China.
The malware was first observed on April 16, when its first command-and-control server cluster went live. Between June and mid-July, hundreds of unique IP addresses representing Chaos-infected devices were detected.
In recent months the infection count has escalated, with the number of compromised devices rising from 39 in May to 93 in August and 111 in September. The researchers analyzed around 100 Chaos samples.
Chaos – a multifunctional malware
Black Lotus Labs researchers wrote that Chaos is a Go-based multifunctional malware that targets devices based on multiple platforms such as Windows and Linux.
In their report, the researchers noted that the malware’s potency comes from several factors: it runs on multiple architectures, including MIPS, ARM, PowerPC, and Intel (i386), it targets both the Windows and Linux operating systems, and it supports 70 different commands.
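Because a single Go code base gets cross-compiled for MIPS, ARM, PowerPC and i386, the same family turns up as very different-looking binaries on routers, servers and FreeBSD boxes. The following added triage helper (example code written for this page, not part of the Lumen report or the malware) reads the ELF header of a suspect file to recover bitness, byte order and target architecture, and looks for the two markers Go leaves in its binaries: the `.go.buildinfo` magic (`\xff Go buildinf:`) used since Go 1.13 and the older `Go build ID:` string. The ELF blobs in `SAMPLES` are constructed in the script (minimal headers, not loadable programs); the e_machine values and the Go markers are the real ones.

```python
import struct

# ELF e_machine values for the architectures the report lists, plus two common 64-bit ones.
EM_NAMES = {
    3: "i386", 8: "MIPS", 20: "PowerPC", 21: "PowerPC64",
    40: "ARM", 62: "x86-64", 183: "AArch64",
}
GO_BUILDINFO_MAGIC = b"\xff Go buildinf:"   # header of Go's .go.buildinfo section (Go >= 1.13)
GO_BUILDID_MARK = b"Go build ID:"           # older marker found in the go.buildid section


def classify_elf(blob: bytes) -> dict:
    """Return basic triage facts for an ELF blob: bitness, endianness, architecture, Go markers."""
    if len(blob) < 20 or blob[:4] != b"\x7fELF":
        return {"is_elf": False}
    ei_class, ei_data = blob[4], blob[5]          # EI_CLASS (1=32-bit, 2=64-bit), EI_DATA (1=LE, 2=BE)
    bits = {1: 32, 2: 64}.get(ei_class)
    endian = {1: "<", 2: ">"}.get(ei_data)
    if bits is None or endian is None:
        return {"is_elf": True, "error": "bad EI_CLASS/EI_DATA"}
    (e_machine,) = struct.unpack(endian + "H", blob[18:20])   # e_machine sits at offset 18 in both classes
    return {
        "is_elf": True,
        "bits": bits,
        "endian": "little" if endian == "<" else "big",
        "machine": EM_NAMES.get(e_machine, f"unknown({e_machine})"),
        "is_go": GO_BUILDINFO_MAGIC in blob or GO_BUILDID_MARK in blob,
    }


def fake_elf(ei_class: int, ei_data: int, e_machine: int, payload: bytes = b"") -> bytes:
    """Constructed sample: a minimal ELF header (not a loadable binary) followed by arbitrary bytes."""
    endian = "<" if ei_data == 1 else ">"
    ident = b"\x7fELF" + bytes([ei_class, ei_data, 1, 0]) + b"\x00" * 8   # 16-byte e_ident
    e_type, e_version = 2, 1                                               # ET_EXEC, EV_CURRENT
    header = ident + struct.pack(endian + "HHI", e_type, e_machine, e_version)
    return header + payload


# Constructed test inputs: a big-endian MIPS Go build, a little-endian ARM Go build,
# a PowerPC binary without Go markers, a bare i386 header, and a non-ELF (PE-style) blob.
SAMPLES = {
    "mips_go": fake_elf(1, 2, 8, b"\x00" * 32 + GO_BUILDINFO_MAGIC + b"\x08\x00"),
    "arm_go": fake_elf(1, 1, 40, GO_BUILDID_MARK + b' "abc/def"\n'),
    "ppc_plain": fake_elf(1, 2, 20, b"\x00" * 16),
    "i386_plain": fake_elf(1, 1, 3),
    "not_elf": b"MZ\x90\x00" + b"\x00" * 60,
}


def triage_all(samples: dict) -> dict:
    """Classify every sample; convenient for a directory of files pulled off a device."""
    return {name: classify_elf(blob) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, facts in triage_all(SAMPLES).items():
        print(f"{name:12} {facts}")
```

On a real host, read the first few megabytes of the file rather than the whole thing; the Go markers sit in their own sections and are found well before the end of even a large static binary. A hit on the Go marker is only a hint that a file is worth a closer look, since plenty of legitimate agents are Go binaries too.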
“Chaos functionality includes the ability to enumerate the host environment, execute remote shell commands, load additional modules, auto-spread by stealing and brute-forcing SSH private keys, as well as launch DDoS attacks.”
Black Lotus Labs
Comparison of Chaos and Kaiji IoT malware
Chaos also differs from ransomware-delivering botnets such as Emotet, which rely on spam to spread: Chaos propagates by brute-forcing credentials, exploiting known CVEs, and reusing stolen SSH keys.
The researchers further observed that Chaos’ code base and functionality overlap with those of the Kaiji IoT malware, which is known to compromise Linux devices for DDoS attacks.
After enumerating the Chaos C2 servers and several clusters, the researchers found that some had been used in recent DDoS attacks against companies in the technology, financial services, gaming, entertainment and media industries.
The researchers concluded that although the botnet infrastructure is relatively small compared to some mainstream DDoS malware families, Chaos is growing rapidly. Given its design and novelty, they added, it resembles the work of a “cybercriminal actor who cultivates a network of infected devices to exploit for initial access, DDoS attacks, and crypto mining.”
Most of the bots are located in Europe, particularly Italy, but infections have also been seen in Asia-Pacific, South America and North America. In some samples, the researchers observed attackers exploiting CVE-2017-17215, which affects Huawei HG532 routers, and CVE-2022-30525, which affects Zyxel firewalls.
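The propagation described in the Black Lotus Labs quote and in the Emotet comparison above (credential brute force against SSH, then hopping onward with stolen private keys) leaves a recognizable trace in `sshd` logs: a burst of failed logins from one source, followed by a success from that same source, sometimes with a key rather than a password. The following added detection script (example code written for this page, not part of the Lumen report) parses OpenSSH `auth.log` lines, keeps a sliding window of failures per source IP, and raises two kinds of finding: a source crossing a failure threshold, and any successful login arriving from a source with recent failures. The log lines in `SAMPLE_LOG` are constructed for the example; the line formats, thresholds and window length are choices for illustration, not values from the report.

```python
import re
from collections import defaultdict
from datetime import datetime

# Login-outcome lines as OpenSSH writes them to syslog (timestamp has no year).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<event>Failed password|Accepted password|Accepted publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line: str):
    """Return a dict for a login-outcome line, or None for anything else ("Invalid user", disconnects, ...)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    verb, method = m["event"].split()
    return {
        "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),  # year-less; fine for ordering inside one file
        "outcome": verb.lower(),                              # "failed" or "accepted"
        "method": method,                                     # "password" or "publickey"
        "user": m["user"],
        "ip": m["ip"],
    }


def analyze(lines, fail_threshold: int = 5, window_s: int = 600) -> list:
    """Flag sources that brute-force SSH and logins that succeed right after failures from the same source."""
    recent_fails = defaultdict(list)   # ip -> timestamps of failures still inside the window
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        # Expire failures older than the window before looking at this event.
        recent_fails[ip] = [t for t in recent_fails[ip] if (ts - t).total_seconds() <= window_s]
        if ev["outcome"] == "failed":
            recent_fails[ip].append(ts)
            if len(recent_fails[ip]) == fail_threshold:      # report once, when the threshold is crossed
                findings.append({"type": "bruteforce", "ip": ip, "failures": fail_threshold, "at": ts})
        else:
            n = len(recent_fails[ip])
            if n:   # spray-then-win, or a stolen key used from the host that was just guessing passwords
                findings.append({"type": "success_after_failures", "ip": ip, "user": ev["user"],
                                 "method": ev["method"], "recent_failures": n, "at": ts})
    return findings


# Constructed sample log: one source guesses root/admin passwords then gets in; a second source
# fails once and then logs in with a key three minutes later. Addresses are documentation ranges.
SAMPLE_LOG = """\
Sep 20 10:00:01 web1 sshd[2001]: Failed password for root from 198.51.100.7 port 40001 ssh2
Sep 20 10:00:02 web1 sshd[2002]: Failed password for root from 198.51.100.7 port 40002 ssh2
Sep 20 10:00:03 web1 sshd[2003]: Invalid user admin from 198.51.100.7 port 40003
Sep 20 10:00:03 web1 sshd[2003]: Failed password for invalid user admin from 198.51.100.7 port 40003 ssh2
Sep 20 10:00:05 web1 sshd[2004]: Failed password for root from 198.51.100.7 port 40004 ssh2
Sep 20 10:00:06 web1 sshd[2005]: Failed password for root from 198.51.100.7 port 40005 ssh2
Sep 20 10:00:09 web1 sshd[2006]: Accepted password for root from 198.51.100.7 port 40006 ssh2
Sep 20 10:02:11 web1 sshd[2010]: Accepted publickey for deploy from 203.0.113.9 port 51234 ssh2: RSA SHA256:abc
Sep 20 10:30:00 web1 sshd[2020]: Failed password for deploy from 203.0.113.9 port 51300 ssh2
Sep 20 10:33:00 web1 sshd[2021]: Accepted publickey for deploy from 203.0.113.9 port 51301 ssh2: RSA SHA256:abc
""".splitlines()


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```

The "Invalid user" line is deliberately ignored: sshd logs it and a matching "Failed password for invalid user" for the same attempt, so counting both would double-count. A publickey success following failures from the same address is the case worth prioritising here, since a password-guessing host that suddenly holds a valid key for your user is consistent with the key theft the report describes.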