Lumen Black Lotus Labs discovers an expanding, multipurpose botnet called Chaos

Research suggests criminal actor is cultivating a network of infected devices to launch Distributed Denial of Service (DDoS) attacks and crypto mining. #pressrelese

September 28, 2022

2 Min Read

DENVER – Black Lotus Labs®, the threat intelligence team at Lumen Technologies (NYSE: LUMN), has discovered a new, rapidly growing, multipurpose malware written in the Go programming language. Dubbed "Chaos" by the author, the malware was developed for Windows, Linux and a wide array of consumer devices, small office/home office (SOHO) routers and enterprise servers.

Key Findings:

  • The Chaos malware exploits known vulnerabilities and enables the actor to:

  • Scan the target system to profile it for future commands.

  • Automatically initiate lateral movement and propagation through Secure Shell (SSH) private keys that are either stolen or obtained using brute force.

  • Launch DDoS attacks and initiate crypto mining.

  • Beginning in June, analysts discovered several distinct Chaos clusters that were written in Chinese. The clusters leveraged China-based command and control (C2) infrastructure that grew rapidly in August and September.

  • The actor compromised at least one GitLab server and launched numerous DDoS attacks on organizations in the gaming, financial services and technology, media/entertainment, cryptocurrency and even DDoS-as-a-Service industries.

  • Black Lotus Labs believes this malware is not related to the Chaos ransomware builder discovered in 2021; rather, the overlapping code and functions suggest it is likely the evolution of Kaiji, a DDoS malware discovered in 2020.

Why it Matters:

The prevalence of malware written in Go has increased dramatically in recent years due to its flexibility, low antivirus detection rates and difficulty to reverse-engineer.

The Chaos malware is potent because it works across a variety of architectures, targets devices and systems (e.g., SOHO routers and FreeBDS OS) that are not routinely monitored as part of an enterprise security model, and propagates through known vulnerabilities and SSH keys that are either stolen or obtained through brute force.

Black Lotus Labs' Response:

Black Lotus Labs has null-routed Chaos C2s across the Lumen global backbone and added the IoCs from this campaign into Rapid Threat Defense® – the automated threat detection and response capability that fuels the Lumen Connected Security portfolio by blocking threats before they reach the customer's network.

The team will continue to monitor for new infrastructure, targeting activity and expanding Tactics, Techniques and Procedures (TTPs), and share this information with the security research community.

Read the full press release here.

Lumen

Subscribe and receive the latest news from the industry.
Join 62,000+ members. Yes it's completely free.
Sign me up

You May Also Like

Latest News

Venu Sports logo
Video Streaming
The Disney-Fox-WBD streaming JV has a name: Venu Sports
The Disney-Fox-WBD streaming JV has a name: Venu Sports

May 16, 2024

VEON logo on a smartphone, in front of a laptop showing its website.
Finance
VEON revenues up in Q1 amid growing 4G and digital services user base
VEON revenues up in Q1 amid growing 4G and digital services user base

May 16, 2024

IoT Internet of Things technology with connected devices exchanging data on network
IOT
OliverIQ fine-tunes its smart home pitch for broadband operators
OliverIQ fine-tunes its smart home pitch for broadband operators

May 16, 2024

Accenture's Jefferson Wang, AT&T's Cheryl Choy, Dish Network's Eben Albertyn and T-Mobile's Ankur Kapoor.
Open RAN
Hope permeates WIA show, but 5G downturn persists
Hope permeates WIA show, but 5G downturn persists

May 16, 2024

Upcoming Webinars
More Webinars

Popular whitepapers in 5G

thumbnail
Sponsored Content
5G Orchestration and Service Assurance: 2024 Heavy Reading Survey5G Orchestration and Service Assurance: 2024 Heavy Reading Survey
Apr 26, 2024
1 Min Read
thumbnail
5G
Operator transitions to 5G SA core decline YoY in 2023 – Counterpoint ResearchOperator transitions to 5G SA core decline YoY in 2023 – Counterpoint Research
Feb 29, 2024
3 Min Read
thumbnail
5G
5G Network Strategies Operator Survey: Powering 5G SA Networks5G Network Strategies Operator Survey: Powering 5G SA Networks
Feb 23, 2024
1 Min Read
May 21 - May 23, 2024
Join us for an immersive experience where the future of North American telecom industry unfolds in 2024.
LEARN MORE

Featured Videos

Sponsored Content
Get the scale, resilience and local expertise from the team/network that go above, below and beyond.
Get the scale, resilience and local expertise from the team/network that go above, below and beyond.
Sponsored Content
Demo: Explore the Value of Multi-Vendor Interoperability in Transport Technology with OIF and Juniper
Demo: Explore the Value of Multi-Vendor Interoperability in Transport Technology with OIF and Juniper
Sponsored Content
Heavy Reading analysts get ready for Network X Americas
Heavy Reading analysts get ready for Network X Americas