Chaos Malware Quietly Evolves Persistence and Evasion Techniques
by Nicholas Lang
March 17, 2023
Sysdig
https://sysdig.com/blog/chaos-malware-persistence-evasion-techniques/
| Remark |
|---|
| Chaos malware |
| ransomware |
| DDoS |
| China |
| Kaiji malware |
| Golang |
| malware |
| multiplatform malware |
| Windows |
| Linux |
| honeypot |
| Apache Tomcat |
| Lumen Black Lotus Labs |
| persistence |
| IoCs |
| botnet |
| IoT |
| SSH brute forcing |
| cross compiler |
| containerization |
| traditional persistence may not work in containerized environments |
| malware surviving a reboot |
| fuzzy hashing |
| ssdeep |
| cron persistence |
| /etc/id.services.conf and /etc/32678 – copies of Chaos |
| cron -f – runs cron in foreground rather than background |
| cron |
| crontab |
| replaces /usr/bin/find, /usr/bin/dir, /usr/bin/ls, /usr/bin/ps |
| gateway.sh in /etc/profile.d |
| find command |
| sed |
| shell |
| shell function |
| shell function as userland rootkit (function find) |
| /etc/profile.d/bash_config.sh – runs /etc/profile.d/bash_config |
| ELF |
| libdlrpcld.so |
| /.img |
| systemd service |
| systemd |
| .service file (systemd) |
| daemon |
| boot scripts |
| init |
| /etc/init.d |
| PID 1 |
| /etc/init.d/linux_kill executes /boot/System.img.config |
| entropy |
| obfuscation |
| initial access |
IoCs
| IP Address |
|---|
| 98.159.98[.]203 |
| 107.189.7[.]51 |