Daniel Roberson - chaos-lang2023

Daniel Roberson

chaos-lang2023

2024-10-03

Chaos Malware Quietly Evolves Persistence and Evasion Techniques

by Nicholas Lang

March 17, 2023

Sysdig

https://sysdig.com/blog/chaos-malware-persistence-evasion-techniques/

Remark
Chaos malware
ransomware
DDoS
China
Kaiji malware
Golang
malware
multiplatform malware
Windows
Linux
honeypot
Apache Tomcat
Lumen Black Lotus Labs
persistence
IoCs
botnet
IoT
SSH brute forcing
cross compiler
containerization
traditional persistence may not work in containerized environments
malware surviving a reboot
fuzzy hashing
ssdeep
cron persistence
/etc/id.services.conf and /etc/32678 – copies of Chaos
cron -f – runs cron in foreground rather than background
cron
crontab
replaces /usr/bin/find, /usr/bin/dir, /usr/bin/ls, /usr/bin/ps
gateway.sh in etc/profile.d
find command
sed
shell
shell function
shell function as userland rootkit (function find)
/etc/profile.d/bash_config.sh – runs /etc/profile.d/bash_config
ELF
libdlrpcld.so
/.img
systemd service
systemd
.service file (systemd)
daemon
boot scripts
init
etc/init.d
PID 1
/etc/init.d/linux_kill executes /boot/System.img.config
entropy
obfuscation
initial access

IoCs

IP Address
98.159.98[.]203
107.189.7[.]51

Filename	MD5
Attack 1
linux_386	14be5f004bc5e7a33c3057df92ad9a16
bash_config	14be5f004bc5e7a33c3057df92ad9a16
find	14be5f004bc5e7a33c3057df92ad9a16
dir	14be5f004bc5e7a33c3057df92ad9a16
id.services.conf	14be5f004bc5e7a33c3057df92ad9a16
ls	14be5f004bc5e7a33c3057df92ad9a16
System.img.confg	14be5f004bc5e7a33c3057df92ad9a16
ps	14be5f004bc5e7a33c3057df92ad9a16
system-monitor	14be5f004bc5e7a33c3057df92ad9a16
libdlrpcld.so	14be5f004bc5e7a33c3057df92ad9a16
32678	768eaf287796da19e1cf5e0b2fb1b161
bash_config.sh	cfb4e51061485fe91169381fbdc1538e
crontab	360878ce5edb3684950ebb0c138298f8
linux.service	d80ccc7ced99538f22336f2ec0249087
linux_kill	3909975f7cc0d1121c1819b800069f31
.img	d73d3376908ea075a939e3871ad0fabe
Attack 2
32676	47684525bfdf26f49fd1cf742b17c015
bash_cfg	0db80699dcdf8372e0f813eaea8b5782
bash_cfg.sh	3e32bcdce50da6c05127094b32e5401a
cron	0e0a4a7372459b9c2d8f45baa40a64b3
crontab	a60806d9e03c42cd3bd740cbfb6d4375
dir	079b45463b8b7f66d9ec2c24b2853fbe
find	b68ef002f84cc54dd472238ba7df80ab
gateway.sh	b10f8b371ee7559987c4b29a4ac85e42
hashes.txt	d12d6a5241cf180734dbe0b928c97798
hwclock.sh	40e4f04e723fb5bee6df2327ea35254d
libgdi.so.0.8.1	0db80699dcdf8372e0f813eaea8b5782
linux_386	0db80699dcdf8372e0f813eaea8b5782
ls	0db80699dcdf8372e0f813eaea8b5782
opt.services.cfg	0db80699dcdf8372e0f813eaea8b5782
procps	bea2bdfd5f7688d4f6e313dc63ca499d
ps	0db80699dcdf8372e0f813eaea8b5782
quotaoff.service	b02de6cd28cd922b18d9d93375a70d8b
system-mark	0db80699dcdf8372e0f813eaea8b5782
System.mod	0db80699dcdf8372e0f813eaea8b5782

Links to this note

Notes

Recent Posts

Linux Persistence: Modular Software

2025-04-17 DFIR CTF persistence linux persistence apache asterisk

Linux Persistence: Web Shells

2025-04-16 DFIR persistence webshell linux persistence webshell apache nginx PHP

Linux Persistence: Rootkits

2025-04-15 DFIR persistence rootkit LKM linux persistence LKM rootkit LD_PRELOAD kprobe ftrace ld.so hooking

Linux Persistence: Processes

2025-04-11 DFIR persistence processes linux persistence processes

Defanging Linux LKM Rootkits With cleanup_module()

2025-04-05 Linux LKM rootkits EDR hooks incident response Linux LKM rootkit