Info Image

Lumen Black Lotus Labs Discovers New Rapidly Growing Multipurpose Botnet called Chaos

Lumen Black Lotus Labs Discovers New Rapidly Growing Multipurpose Botnet called Chaos Image Credit: Black Lotus Labs

Black Lotus Labs®, the threat intelligence team at Lumen Technologies has discovered a new, rapidly growing, multipurpose malware written in the Go programming language. 

Dubbed "Chaos" by the author, the malware was developed for Windows, Linux, and a wide array of consumer devices, small office/home office (SOHO) routers and enterprise servers.

Key Findings:

- The Chaos malware exploits known vulnerabilities and enables the actor to:

   - Scan the target system to profile it for future commands.

   - Automatically initiate lateral movement and propagation through Secure Shell (SSH) private keys that are either stolen or obtained using brute force.

   - Launch DDoS attacks and initiate crypto mining.

 - Beginning in June, analysts discovered several distinct Chaos clusters that were written in Chinese. The clusters leveraged China-based command and control (C2) infrastructure that grew rapidly in August and September.

 - The actor compromised at least one GitLab server and launched numerous DDoS attacks on organizations in the gaming, financial services and technology, media/entertainment, cryptocurrency, and even DDoS-as-a-Service industries.

 - Black Lotus Labs believes this malware is not related to the Chaos ransomware builder discovered in 2021; rather, the overlapping code and functions suggest it is likely the evolution of Kaiji, a DDoS malware discovered in 2020.

Why it Matters:

- The prevalence of malware written in Go has increased dramatically in recent years due to its flexibility, low antivirus detection rates and difficulty to reverse-engineer. - The Chaos malware is potent because it works across a variety of architectures, targets devices and systems (e.g., SOHO routers and FreeBDS OS) that are not routinely monitored as part of an enterprise security model, and propagates through known vulnerabilities and SSH keys that are either stolen or obtained through brute force.

Black Lotus Labs' Response:

- Black Lotus Labs has null-routed Chaos C2s across the Lumen global backbone and added the IoCs from this campaign into Rapid Threat Defense® – the automated threat detection and response capability that fuels the Lumen Connected Security portfolio by blocking threats before they reach the customer's network. - The team will continue to monitor for new infrastructure, targeting activity, and expanding Tactics, Techniques and Procedures (TTPs), and share this information with the security research community.

Mark Dehus, director of threat intelligence for Lumen Black Lotus Labs
We are seeing a complex malware that has quadrupled in size in just two months, and it is well-positioned to continue accelerating. Chaos poses a threat to a variety of consumer and enterprise devices and hosts. We strongly recommend organizations bolster their security postures by deploying services like Secure Access Service Edge (SASE) and DDoS mitigation.

Author

Ray is a news editor at The Fast Mode, bringing with him more than 10 years of experience in the wireless industry.

For tips and feedback, email Ray at ray.sharma(at)thefastmode.com, or reach him on LinkedIn @raysharma10, Facebook @1RaySharma

PREVIOUS POST

A1 Telekom Austria Partners with Amdocs to Modernize its Digital Business Systems in Bulgaria

NEXT POST

Dell, Wind River to Support Telco Cloud Deployments for vRAN & Open RAN