Cybersecurity researchers have discovered a new malware strain that infects Windows and Linux endpoints of all sizes and uses them for distributed denial of service (DDoS) attacks and cryptocurrency mining.
Experts from Lumen's Black Lotus Labs say the malware is written in Chinese and uses China-based command & control (C2) infrastructure.
They called it Chaos, and say it is built on Go. It is able to infect all kinds of devices, from those running on x86 infrastructure, to certain ARM-based devices. In a nutshell, everything from home routers to enterprise servers is at risk. Apparently, Chaos is the next iteration of the Kaiji malware, another strain that was able to mine cryptocurrencies and launch DDoS attacks.
“Based upon our analysis of the functions within the more than 100 samples we analyzed for this report, we assess Chaos is the next iteration of the Kaiji botnet,” they said. It expands by looking for known, unpatched vulnerabilities, as well as SSH brute-force attacks.
What’s more, it can use stolen SSH keys to infect an even greater number of endpoints.
Whoever the threat actors are, they’re not limiting themselves to a specific industry, though: “Using Lumen global network visibility, Black Lotus Labs enumerated the C2s and targets of several distinct Chaos clusters, including a successful compromise of a GitLab server and a spate of recent DDoS attacks targeting the gaming, financial services and technology, and media and entertainment industries – as well as DDoS-as-a-service providers and a cryptocurrency exchange,” the researchers said.
“While the botnet infrastructure today is comparatively smaller than some of the leading DDoS malware families, Chaos has demonstrated rapid growth in the last few months.”
When it comes to geographies, though, Chaos does seem to have a preference. Even though there are bots everywhere, from the Americas, to the Asia-Pacific region (APAC), most of its victims are based in Europe.
- Check out the best firewalls right now