Chaos cross-platform malware infects devices of all kinds: routers, Windows servers, Linux and FreeBSD

31 December 2022

Security researchers have revealed a never-before-seen piece of cross-platform malware that has infected a wide range of Linux and Windows devices, including small office routers, FreeBSD computers, and large enterprise servers.


Black Lotus Labs, the research arm of security firm Lumen, calls the malware Chaos or droidjack, a word that appears repeatedly in the function names, certificates, and file names it uses. Chaos arose no later than April 16, when the first batch of C&C servers went live in the wild. From June through mid-July, researchers found hundreds of unique IP addresses representing compromised Chaos devices. Staging servers used to infect new devices have multiplied in recent months, from 39 in May to 93 in August. As of Tuesday, the number has reached 111.

Black Lotus has observed interactions with these staging servers from both embedded Linux appliances and enterprise servers, including one in Europe that hosted a GitLab instance. There are more than 100 unique samples in the wild.

"The power of the Chaos malware stems from a few factors," Black Lotus Labs researchers wrote in a blog post. "First, it is designed to work on multiple architectures, including ARM, Intel (i386), MIPS, and PowerPC, as well as Windows and Linux operating systems. Second, unlike large-scale ransomware distribution botnets like Emotet that leverage spam to spread and grow, Chaos spreads via known CVEs and brute-forced or stolen SSH keys."

The CVEs mentioned in Wednesday's report affect devices from Huawei (CVE-2017-17215), Zyxel (CVE-2022-30525), and F5 (CVE-2022-1388). The latter is an extremely serious vulnerability (CVSS 9.8) in load balancers, firewalls, and network inspection equipment sold by F5. SSH infections that use password brute force and stolen keys also allow Chaos to spread from one machine to another within an infected network.

Chaos also has several capabilities, including enumerating all devices connected to an infected network, running remote shells that let attackers execute commands, and loading additional modules. Combined with the ability to run on such a wide range of devices, these capabilities have led Black Lotus Labs to suspect that "Chaos is the work of an actor who is creating a network of infected devices to take advantage of initial access, DDoS attacks, and cryptocurrency mining."

Black Lotus Labs believes that Chaos is an offshoot of Kaiji, a botnet of Linux-based AMD and i386 servers used to perform DDoS attacks. Since its inception, Chaos has gained a host of new features, including modules for new architectures, the ability to run on Windows, and the ability to spread through vulnerability exploitation and SSH key harvesting.

Infected IP addresses indicate that Chaos infections are most concentrated in Europe, with smaller hotspots in North and South America and Asia-Pacific.

During the first few weeks of September, our Chaos host emulator received multiple DDoS commands directed at approximately two dozen domains or organization IP addresses.

The two most important things people can do to prevent Chaos infections are to keep all routers, servers, and other devices fully up to date, and to use strong passwords and FIDO2-based multi-factor authentication whenever possible.

A reminder to small office router owners everywhere: "Most router malware cannot survive a reboot." Consider restarting your device at least once a week. Those using SSH must always use a cryptographic key for authentication.
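The report says Chaos spreads over SSH by password brute force, which is exactly the pattern a defender can pick out of sshd logs. As an added example written for this page (not code from Black Lotus Labs or from the article), the Python below runs over constructed OpenSSH log lines, flags a source address that fails password logins at least five times within a minute, and separately flags a password login that is then accepted from that same source. The log lines, addresses, thresholds and function names are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample OpenSSH log lines (not from the page); the IPs are RFC 5737 documentation addresses.
SAMPLE_AUTH_LOG = """\
Sep 12 03:14:01 gw sshd[2201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Sep 12 03:14:03 gw sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Sep 12 03:14:05 gw sshd[2205]: Failed password for root from 203.0.113.7 port 51041 ssh2
Sep 12 03:14:07 gw sshd[2207]: Failed password for root from 203.0.113.7 port 51050 ssh2
Sep 12 03:14:09 gw sshd[2209]: Failed password for root from 203.0.113.7 port 51061 ssh2
Sep 12 03:14:11 gw sshd[2211]: Accepted password for root from 203.0.113.7 port 51070 ssh2
Sep 12 03:20:00 gw sshd[2300]: Failed password for alice from 198.51.100.4 port 40000 ssh2
Sep 12 03:25:00 gw sshd[2310]: Accepted publickey for alice from 198.51.100.4 port 40010 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_ts(ts):
    # syslog timestamps carry no year; strptime defaults to 1900, which is fine for ordering within one log
    return datetime.strptime(" ".join(ts.split()), "%b %d %H:%M:%S")

# Findings are (kind, ip, user, timestamp): 'brute_force' when >= threshold failed password logins
# arrive from one IP within window_s seconds, 'password_after_burst' when a password login is then accepted.
def detect_ssh_bruteforce(log_text, threshold=5, window_s=60):
    failures = defaultdict(deque)   # ip -> timestamps of recent failed password attempts
    flagged, findings = set(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                # some other sshd message
        ts, ip, user = parse_ts(m["ts"]), m["ip"], m["user"]
        if m["method"] != "password":
            continue                # key-based logins are the recommended practice and are not counted
        q = failures[ip]
        while q and ts - q[0] > timedelta(seconds=window_s):
            q.popleft()             # drop attempts that fell outside the sliding window
        if m["result"] == "Failed":
            q.append(ts)
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                findings.append(("brute_force", ip, user, m["ts"]))
        elif ip in flagged and q:   # password accepted while the burst is still in-window
            findings.append(("password_after_burst", ip, user, m["ts"]))
    return findings
```

The second finding is the one worth paging on: a password accepted right after a burst of failures is the lateral-movement step the report describes, whereas a key-based login never enters the counter.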
