Cybersecurity researchers have discovered a new strain of malware that infects Windows and Linux endpoints of every size and uses them for distributed denial of service (DDoS) attacks and cryptocurrency mining.
Lumen’s Black Lotus Labs experts say the malware is written in Chinese and uses a Chinese command and control (C2) infrastructure.
They named it Chaos and say it is written in Go. It can infect a wide range of devices, from x86 machines to some ARM-based devices; in short, everything from home routers to enterprise servers is at risk. Chaos appears to be a further iteration of the Kaiji malware, an earlier strain that was also used to mine cryptocurrency and carry out DDoS attacks.
Kaiji returns
“Based on our analysis of the functions in the more than 100 samples we analyzed for this report, we judge Chaos to be the next iteration of the Kaiji botnet,” they said. It spreads by exploiting known unpatched vulnerabilities and by brute-forcing SSH logins.
Moreover, it can use stolen SSH keys to infect even more endpoints.
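The two propagation paths just described, SSH password brute-forcing and logins with stolen keys, both leave traces in sshd authentication logs. The following is an added example of defender-side triage, not code from Black Lotus Labs or from the report: it runs over a few constructed log lines (the host names, addresses and key fingerprint are placeholders), flags sources that exceed a failed-password threshold, flags any successful login from such a source, and lists publickey logins so they can be reviewed against the hosts expected to hold each key.

```python
import re
from collections import defaultdict

# Constructed sshd log lines for illustration only (not from the report).
SAMPLE_AUTH_LOG = """\
Sep 28 10:01:02 host1 sshd[1001]: Failed password for root from 203.0.113.7 port 51001 ssh2
Sep 28 10:01:03 host1 sshd[1002]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
Sep 28 10:01:04 host1 sshd[1003]: Failed password for root from 203.0.113.7 port 51003 ssh2
Sep 28 10:01:05 host1 sshd[1004]: Failed password for root from 203.0.113.7 port 51004 ssh2
Sep 28 10:01:06 host1 sshd[1005]: Failed password for root from 203.0.113.7 port 51005 ssh2
Sep 28 10:01:09 host1 sshd[1006]: Accepted password for root from 203.0.113.7 port 51006 ssh2
Sep 28 10:05:00 host1 sshd[1010]: Accepted publickey for deploy from 198.51.100.4 port 40222 ssh2: ED25519 SHA256:PLACEHOLDER
Sep 28 10:07:00 host1 sshd[1011]: Failed password for root from 192.0.2.9 port 33001 ssh2
"""

# Matches the standard OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip>" lines.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>password|publickey) "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def analyze_sshd_log(text, threshold=5):
    """Return (brute_force_ips, suspicious_logins, key_logins).

    brute_force_ips:   sources with at least `threshold` failed password attempts
    suspicious_logins: (user, ip) of successful logins from a brute-forcing source
    key_logins:        (user, ip) of publickey logins, to compare with the hosts
                       that are expected to hold each key
    """
    failures = defaultdict(int)
    accepted = []
    for m in LINE_RE.finditer(text):
        if m["result"] == "Failed":
            failures[m["ip"]] += 1
        else:
            accepted.append((m["method"], m["user"], m["ip"]))
    brute = {ip for ip, n in failures.items() if n >= threshold}
    suspicious = [(u, ip) for meth, u, ip in accepted if ip in brute]
    keys = [(u, ip) for meth, u, ip in accepted if meth == "publickey"]
    return brute, suspicious, keys

if __name__ == "__main__":
    brute, suspicious, keys = analyze_sshd_log(SAMPLE_AUTH_LOG)
    print("brute-force sources:", sorted(brute))
    print("successful logins from those sources:", suspicious)
    print("publickey logins to review:", keys)
```

A publickey login is only suspicious in context (an unexpected source for that key, or a key that was also accepted from a brute-forcing address), so the script lists them rather than scoring them.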
Whoever the threat actors are, they are not limited to a specific industry: “Taking advantage of the global visibility of the Lumen network, Black Lotus Labs has enumerated the C2 and the targets of several different Chaos clusters, including the successful compromise of a GitLab server and the avalanche of recent DDoS attacks targeting the gaming, financial services and technology, and media and entertainment industries – as well as DDoS-as-a-service providers and a cryptocurrency exchange,” the researchers said.
“Although the current botnet infrastructure is relatively small compared with some of the leading DDoS malware families, Chaos has shown rapid growth over the past few months.”
When it comes to geography, however, Chaos seems to have preferences. Although bots have been seen everywhere from the Americas to the Asia-Pacific (APAC) region, most of its victims are in Europe.
By: BleepingComputer