Unprecedented malware has infected hundreds of Linux and Windows machines


Researchers have uncovered an unprecedented piece of cross-platform malware that has infected a wide variety of Linux and Windows devices, including small office routers, FreeBSD boxes and large enterprise servers.

Black Lotus Labs, the research arm of security company Lumen, calls the malware Chaos, a word that appears frequently in the names of the functions, certificates, and files it uses. Chaos emerged no later than April 16, when the first batch of command-and-control servers went live. From June through mid-July, researchers found hundreds of unique IP addresses belonging to Chaos-infected devices. The staging servers used to infect new devices have proliferated in recent months, growing from 39 in May to 93 in August. As of Tuesday, the number had reached 111.

Black Lotus observed interactions with these staging servers from both embedded Linux machines and enterprise servers, including one in Europe that was hosting a GitLab instance. There are more than 100 unique specimens in the wild.

“The effectiveness of the Chaos malware stems from several factors,” Black Lotus Labs researchers wrote in a blog post on Wednesday morning. “First, it is designed to work across many architectures, including ARM, Intel (i386), MIPS and PowerPC, as well as the Windows and Linux operating systems. Second, unlike large-scale ransomware distribution botnets like Emotet that take advantage of mass spam to spread and grow, Chaos spreads through known CVEs and brute-forced as well as stolen SSH keys.”

CVE is the mechanism used to track specific vulnerabilities. Wednesday’s report pointed to only a few, including CVE-2017-17215 and CVE-2022-30525, which affect firewalls sold by Huawei, and CVE-2022-1388, an extremely severe vulnerability in load balancers, firewalls, and network inspection equipment sold by F5. SSH infection, using password brute forcing and stolen keys, also allows Chaos to spread from one machine to another within an infected network.
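The SSH spreading path described above leaves a recognisable trail in the target's authentication log: a burst of failed logins from one source followed by an accepted login from the same source. The following detector is an added example and is not code from the article or from Black Lotus Labs; the auth.log lines it runs over are constructed, the hostname `build01`, the addresses and the threshold of five failures in sixty seconds are assumptions, and the syslog timestamps are given a fixed year because the format carries none.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth.log lines (assumed host "build01", assumed addresses);
# they are not taken from the article or from any real incident.
SAMPLE_AUTH_LOG = """\
Sep 12 03:14:01 build01 sshd[2210]: Failed password for root from 10.0.5.17 port 51022 ssh2
Sep 12 03:14:02 build01 sshd[2211]: Failed password for root from 10.0.5.17 port 51023 ssh2
Sep 12 03:14:03 build01 sshd[2212]: Failed password for invalid user admin from 10.0.5.17 port 51024 ssh2
Sep 12 03:14:04 build01 sshd[2213]: Failed password for invalid user pi from 10.0.5.17 port 51025 ssh2
Sep 12 03:14:05 build01 sshd[2214]: Failed password for root from 10.0.5.17 port 51026 ssh2
Sep 12 03:14:09 build01 sshd[2215]: Accepted password for root from 10.0.5.17 port 51027 ssh2
Sep 12 03:20:11 build01 sshd[2290]: Accepted publickey for deploy from 10.0.9.4 port 40112 ssh2: ED25519 SHA256:placeholder
Sep 12 03:21:40 build01 sshd[2301]: Failed password for deploy from 10.0.9.4 port 40120 ssh2
"""

# Matches the standard OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+"
    r"(?P<result>Failed|Accepted)\s+(?P<method>password|publickey)\s+for\s+"
    r"(?:invalid user\s+)?(?P<user>\S+)\s+from\s+(?P<ip>[\d.]+)\s+port\s+\d+"
)


def parse_line(line, year=2022):
    """Parse one sshd log line into a dict, or return None for lines we do not care about."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps have no year; the caller supplies one (assumed 2022 here).
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect_ssh_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return a list of (alert_type, source_ip, timestamp) tuples.

    'bruteforce' fires once per source IP when at least `threshold` failed logins
    fall inside a sliding window of `window_seconds`; 'success_after_bruteforce'
    fires on every accepted login from an IP that has already been flagged, which
    is the signal that a guessed or stolen credential actually worked.
    """
    failures = defaultdict(deque)   # source ip -> timestamps of recent failures
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ip = ev["ip"]
        if ev["result"] == "Failed":
            window = failures[ip]
            window.append(ev["ts"])
            # Drop failures that fell out of the sliding window.
            while window and (ev["ts"] - window[0]).total_seconds() > window_seconds:
                window.popleft()
            if len(window) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("bruteforce", ip, ev["ts"]))
        elif ip in flagged:
            alerts.append(("success_after_bruteforce", ip, ev["ts"]))
    return alerts


if __name__ == "__main__":
    for alert_type, ip, ts in detect_ssh_bruteforce(SAMPLE_AUTH_LOG):
        print(f"{ts.isoformat()} {alert_type} from {ip}")
```

On the constructed input the detector raises one `bruteforce` alert for 10.0.5.17 at the fifth failure and one `success_after_bruteforce` alert four seconds later; the single failure from 10.0.9.4 stays below the threshold. The sliding window matters because a slow, spread-out guessing campaign should not be confused with a handful of typos, and the "accepted after flagged" alert is the one worth paging on.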

Chaos also has a variety of capabilities, including enumerating all devices connected to an infected network, running remote shells that allow attackers to execute commands, and loading additional modules. Combined with the ability to run on such a wide range of devices, these capabilities have prompted Black Lotus Labs to suspect Chaos “is the work of a cybercriminal actor growing a network of infected devices to take advantage of initial access, DDoS attacks, and cryptocurrency,” the company researchers said.

Black Lotus Labs believes that Chaos is an offshoot of Kaiji, a piece of botnet software for AMD and i386 Linux-based servers that performs DDoS attacks. Since evolving into Chaos, it has gained a host of new features, including new modules, the ability to run on Windows, and the ability to spread by exploiting vulnerabilities and harvesting SSH keys.

The infected IP addresses indicate that Chaos infections are highly concentrated in Europe, with smaller hotspots in North and South America and the Asia Pacific region.


Black Lotus Labs researchers wrote:

During the first few weeks of September, the Chaos host emulator received several DDoS commands targeting nearly two dozen enterprise domains or IP addresses. Using our global telemetry, we identified multiple DDoS attacks that coincide with the timeframe, IP address, and port of the attack commands we received. The types of attacks were generally multi-vector, taking advantage of UDP and TCP/SYN over multiple ports, often increasing in size over several days. Target entities included gaming, financial services, technology, media, entertainment and hosting. We’ve even observed attacks targeting DDoS-as-a-service providers and crypto-mining exchanges. Collectively, the targets spanned Europe, the Middle East, Africa, Asia Pacific, and North America.

A game company was targeted for a mixed UDP, TCP, and SYN attack on port 30120. From September 1 to September 5, the organization received an influx of traffic above its usual volume. The traffic breakdown for the timeframe before and during the attack period shows a flow of traffic sent to port 30120 with approximately 12,000 distinct IP addresses – although some of this traffic may be indicative of IP spoofing.


Some of the targets included DDoS-as-a-service providers. One markets itself as the first IP stresser and booter that provides CAPTCHA bypass and “unique” transport-layer DDoS capabilities. In mid-August, our visibility revealed a massive increase in traffic almost four times higher than the highest volume recorded over the previous 30 days. This was followed on September 1st by an even greater rise of more than six times the volume of normal traffic.

Figure: DDoS-as-a-service inbound attack size (source: Black Lotus Labs).

The two most important things people can do to prevent Chaos infections are to keep all routers, servers, and other devices fully updated and to use strong passwords and FIDO2-based multi-factor authentication whenever possible. A reminder to small office and home router owners everywhere: most router malware can’t survive a reboot, so consider restarting your device every week or so. Those using SSH should always use a cryptographic key for authentication rather than a password.
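The SSH advice above comes down to a handful of sshd_config settings: password logins off, root password logins off, key authentication on, and few guesses per connection. The audit below is an added example and is not code from the article or from Black Lotus Labs; the weak configuration it starts from is constructed, the parser honours sshd's first-occurrence-wins rule and stops at a `Match` block rather than modelling conditional sections, and the OpenSSH defaults it falls back on (PasswordAuthentication yes, PermitRootLogin prohibit-password, PubkeyAuthentication yes, ChallengeResponseAuthentication yes, MaxAuthTries 6) are the documented ones for current releases.

```python
import re

# Constructed sshd_config excerpt showing the settings that password brute forcing
# relies on. It is sample text, not a configuration taken from the article.
WEAK_SSHD_CONFIG = """\
# Constructed example, not a real host's configuration
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
MaxAuthTries 10
"""

# OpenSSH defaults used when a key is absent from the file (keys lower-cased,
# because sshd matches keywords case-insensitively).
DEFAULTS = {
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "maxauthtries": "6",
}

# Values the audit expects; also what harden_sshd_config() writes.
WANTED = {
    "PasswordAuthentication": "no",
    "ChallengeResponseAuthentication": "no",   # keyboard-interactive password prompts
    "PermitRootLogin": "prohibit-password",
    "PubkeyAuthentication": "yes",
    "MaxAuthTries": "3",
}


def _split(line):
    """Return (lower-cased key, value) for a config line, or None for blanks/comments."""
    stripped = line.split("#", 1)[0].strip()
    if not stripped:
        return None
    parts = re.split(r"[\s=]+", stripped, maxsplit=1)
    return (parts[0].lower(), parts[1].strip()) if len(parts) == 2 else None


def parse_sshd_config(text):
    """Effective key -> value map. sshd keeps the first occurrence of a keyword, so
    later duplicates are ignored; a Match block ends the global section."""
    effective = {}
    for line in text.splitlines():
        kv = _split(line)
        if kv is None:
            continue
        key, value = kv
        if key == "match":
            break
        effective.setdefault(key, value)
    return effective


def audit_sshd_config(text):
    """Return a list of human-readable findings; an empty list means the checks pass."""
    cfg = parse_sshd_config(text)
    get = lambda key: cfg.get(key, DEFAULTS[key]).lower()
    findings = []
    if get("passwordauthentication") != "no":
        findings.append("PasswordAuthentication is enabled: guessed or reused passwords can log in")
    if get("challengeresponseauthentication") != "no":
        findings.append("ChallengeResponseAuthentication is enabled: password prompts survive via keyboard-interactive")
    if get("permitrootlogin") == "yes":
        findings.append("PermitRootLogin yes: root accepts password logins")
    if get("pubkeyauthentication") != "yes":
        findings.append("PubkeyAuthentication is disabled: keys cannot replace passwords")
    if int(get("maxauthtries")) > 3:
        findings.append(f"MaxAuthTries {get('maxauthtries')}: too many guesses per connection")
    return findings


def harden_sshd_config(text):
    """Rewrite weak keys in place and append any WANTED keys that are missing.
    Assumes no Match block, since keys appended after one would become conditional."""
    lower_to_key = {k.lower(): k for k in WANTED}
    out, seen = [], set()
    for line in text.splitlines():
        kv = _split(line)
        if kv and kv[0] in lower_to_key:
            key = lower_to_key[kv[0]]
            out.append(f"{key} {WANTED[key]}")
            seen.add(kv[0])
        else:
            out.append(line)
    for key, value in WANTED.items():
        if key.lower() not in seen:
            out.append(f"{key} {value}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in audit_sshd_config(WEAK_SSHD_CONFIG):
        print("FINDING:", finding)
    print(harden_sshd_config(WEAK_SSHD_CONFIG))
```

Run against the constructed file the audit reports four findings (password authentication, the absent challenge-response setting defaulting to yes, root password logins, and ten tries per connection), and the hardened output passes cleanly. Validate a rewritten file with `sshd -t` before restarting the service, and confirm a key-based login from a second session before closing the one you are in.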
