Researchers have discovered a new malware called Chaos, which is able to spread across multiple architectures and operating systems, and works on multiple architectures, including ARM, Intel (i386), MIPS, and PowerPC.
Chaos is written in Go programming language, a major reason why it is easy for developers to port their software to different operating systems. Some capabilities of the malware include the provision of DDoS services, cryptocurrency mining and backdoor features.
According to Lumen researchers, the malware is an evolution of the Kaiji DDoS malware, which is based on code and function overlaps.
Chaos is designed to exploit known vulnerabilities and brute force SSH. Once executed on a system, the malware establishes persistence and communicates with its commands and control server. The server responds with one or more staging commands that serve different purposes before possibly receiving additional commands or modules.
Communication to the C2 takes place via a UDP port, which is determined by the MAC address of the device. As soon as a successful connection is established, the C2 sends staging commands, including automatic propagation, a new port for accessing additional files on the C2 server, spoofing IP addresses on Linux systems and exploiting known vulnerabilities.
After the first communication with the C2 server, the malware receives sporadic additional commands. The commands include the execution of propagation by exploiting predefined vulnerabilities on target ranges, launching DDoS attacks or initiating crypto mining.
The malware can provide a reverse shell to the attacker who can then execute further commands on infected systems.
To protect organizations from this threat, it is important that organizations update and patch all operating systems, devices, and software. They are also advised to deploy security tools such as endpoint detection and response to detect the malware before it is launched and take steps to contain it.
The sources for this piece include an article in TechRepublic.