Chaos Is A Go-Based Swiss Army Knife Of Malware
by Black Lotus Labs
Lumen
September 28, 2022
https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/
| Remark |
|---|
| Chaos malware |
| Swiss Army knife |
| malware |
| Black Lotus Labs |
| Lumen |
| Golang |
| antivirus |
| reverse engineering |
| challenges of reverse engineering Golang binaries |
| threat intelligence |
| multiplatform malware |
| SOHO |
| routers |
| China |
| command and control |
| DDoS |
| gaming, financial, technology, media, entertainment |
| DDoS as a Service |
| as a Service |
| GitLab |
| cybercrime |
| cryptocurrency mining |
| code overlap as attribution |
| self-signed X.509 certificates |
| chaos ransomware https://www.trendmicro.com/en_us/research/21/h/chaos-ransomware-a-dangerous-proof-of-concept.html |
| malware campaign |
| CVE |
| brute force |
| Emotet |
| MIPS |
| i386 |
| PowerPC |
| Windows |
| Linux |
| Kaiji malware |
| stolen SSH keys |
| persistence |
| SSH |
| malware propagation |
| Chaos discovered by analyzing samples from public malware repositories |
| initial access |
| mutex |
| UDP |
| MAC address |
| obfuscation |
| bind on a port as a mutex |
| malware using mutexes |
| base64 |
| beacon |
| runkey persistence |
| registry key |
| TLS handshake |
| typos in malware |
| gathering information about the host |
| staging commands: fileprot, keypassword, ipspoof |
| AES |
| password: 1234567812345678 |
| known_hosts |
| id_rsa |
| chaos.ssh |
| chaos.sshboom |
| private key |
| SSH key |
| uname command |
| uname -s |
| CVE-2017-17215 |
| Zyxel |
| Huawei |
| CVE-2022-30525 |
| firewall |
| unauthenticated remote command execution |
| exploit |
| Perl script |
| GitHub |
| reverse shell |
| cryptocurrency miner |
| malware capabilities: file upload, file download, run command |
| bash |
| xmrig |
| Monero |
| cryptocurrency wallet 84vmv5GjgtK9hgo1Fa2fpmDykqhphzsFwcdPmodDGJPhZK3NuVdjYvhJcZfDpu1djC256zTdGM8msF2o4xxtrXm2LXwrutT |
| ddostf https://blog.malwaremustdie.org/2016/01/mmd-0048-2016-ddostf-new-elf-windows.html |
| Bill Gates/Setag https://www.trendmicro.com/en_us/research/19/g/multistage-attack-delivers-billgates-setag-backdoor-can-turn-elasticsearch-databases-into-ddos-botnet-zombies.html |
| MalwareMustDie |
| threat actor |
| FreeBSD |
| persistence |
| ipspoof |
| IP_HDRINCL |
| socket option |
| Europe |
| South America |
| North America |
| Asia Pacific |
| Australia |
| New Zealand |
| self-signed certificate |
| organization name: Chaos |
| heatmap |
| embedded device |
| https://github.com/blacklotuslabs/IOCs/blob/main/Chaos_IoCs.txt |
| recommendation: patch – chaos exploits known vulns to gain initial access |
| recommendation: monitor for IoCs – domains, IP addresses, hashes, … |
| recommendation: reboot devices periodically |
| recommendation: use EDR |
| recommendation: change default passwords |
| recommendation: disable SSH root user access |
| recommendation: keep AV/EDR software and signatures up to date |
| recommendation: apply safeguards to cryptography keys and only store on systems that need them |