Key points
- Chaos is a Go-based, multi-architecture malware targeting Windows and Linux (ARM, x86, MIPS, PowerPC, FreeBSD) with ~100 samples analyzed.
- Initial behavior: establish persistence, create a UDP-based mutex from the MAC, beacon to embedded C2 over TLS, and receive staging commands.
- Staging commands include fileprot, keypassword and ipspoof; these control file/port access, AES decryption keys (commonly “1234567812345678”), and IP spoofing behavior.
- Propagation methods: exploit known CVEs (e.g., CVE-2017-17215, CVE-2022-30525), steal SSH private keys (/root/.ssh/id_rsa) and brute-force SSH using downloaded password lists.
- Execution modules delivered from staging servers include architecture-specific Chaos binaries, a reverse shell (Perl), Monero miner (xmrig), and DDoS modules (ddostf and Bill Gates/Setag).
- Persistence differs by OS: Windows uses HKCU\Software\Microsoft\Windows\CurrentVersion\Run and copies itself to ProgramData\Microsoft\csrss.exe; Linux copies itself to /etc/id.services.conf and creates /etc/32678 to loop execution.
- Chaos uses staging servers (not direct botnet C2) to host binaries for multiple architectures and employs self-signed certificates containing “Chaos” on some staging nodes.
MITRE Techniques
- [T1547.001] Registry Run Keys/Startup Folder – Used for Windows persistence: ‘creates a registry key for persistence at the following path: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and copies itself to the file Program Data\Microsoft\csrss.exe.’
- [T1543.003] System Service Discovery/Creation – Linux persistence via service loop: ‘copies itself to the file path /etc/id.services.conf and creates a file /etc/32678 with the contents… while [ 1 ]; do sleep 60 /etc/id.services.conf; done.’
- [T1071.001] Application Layer Protocol: Web Protocols – C2 communication over TLS: ‘attempts to complete a TLS handshake with the C2. The handshake process loops until it makes contact.’
- [T1082] System Information Discovery – Host enumeration and environment checks: ‘Chaos functionality includes the ability to enumerate the host environment, run remote shell commands…’
- [T1021.004] Remote Services: SSH – Lateral movement using SSH keys and commands: ‘reads the private key from /root/.ssh/id_rsa and then parses /root/.ssh/known_hosts and /root/.bash_history for the IP address… tries to connect to the new address using the SSH key.’
- [T1110.004] Brute Force: SSH – Automated SSH credential brute forcing via downloaded password lists: ‘downloads http://IP:PORT/passwords.txt and decrypts it… The password file contains commonly used passwords used to brute force other devices exposed on the internet.’
- [T1105] Ingress Tool Transfer – Staging servers host and deliver architecture-specific binaries and scripts: ‘hosts copies of Chaos compiled for various architectures… download.sh bash script showing Chaos modules for various architectures.’
- [T1059] Command and Scripting Interpreter – Remote shell execution using included scripts: ‘The reverse shell module was an open source Perl script copied from GitHub… allows an actor to run arbitrary commands on an infected device.’
- [T1498] Network Denial of Service – DDoS capabilities and modules (ddostf, Bill Gates/Setag) used to direct volumetric and multi-vector attacks: ‘launch DDoS attacks’ and ‘we observed Chaos deploying the following DDoS modules: “ddostf” and Bill Gates/Setag.’
Indicators of Compromise
- [File paths/names] persistence and staging artifacts – ProgramData\Microsoft\csrss.exe, /etc/id.services.conf, /etc/32678, download.sh, password.txt, cve.txt.
- [CVE identifiers] exploited vulnerabilities used for propagation – CVE-2017-17215 (Huawei), CVE-2022-30525 (Zyxel).
- [Ports] port usage and targets – example bound mutex port 32770 (derived from MAC example 08-00-2x…), and targeted DDoS port 30120.
- [Cryptocurrency wallet] miner payout identifier – Monero wallet ID 84vmv5GjgtK9hgo1Fa2fpmDykqhphzsFwcdPmodDGJPhZK3NuVdjYvhJcZfDpu1djC256zTdGM8msF2o4xxtrXm2LXwrutT.
- [TLS certificates] self-signed staging certificates with Organization=Chaos – multiple staging nodes showing “Chaos” in certificate organization field (earliest observed April 16, 2022; counts increased monthly).
Chaos infection follows a staged procedure: once a binary executes it enforces single-instance execution by binding a UDP port derived from the host MAC, then beacons to an embedded C2 over TLS reporting OS/version and architecture. The C2 issues staging commands (fileprot, keypassword, ipspoof) where keypassword supplies AES keys (commonly “1234567812345678”) to decrypt payload lists such as password.txt, download.sh and cve.txt; fileprot sets the port to retrieve those files. If instructed, the bot will download architecture-specific Chaos builds from a staging server to continue propagation.
Propagation is achieved via multiple automated methods: (1) SSH key harvesting — chaos.ssh reads /root/.ssh/id_rsa, parses known_hosts and .bash_history for addresses, and attempts key-based SSH to other hosts (verifying Linux via “uname -s”); (2) SSH brute force — chaos.sshboom downloads and decrypts passwords.txt and tries common credentials against exposed SSH services; and (3) CVE exploitation — runcve iterates IP addresses and executes exploit commands listed in cve.txt (examples include Huawei CVE-2017-17215 and Zyxel CVE-2022-30525). Successful lateral compromise triggers retrieval of the appropriate binary for the target architecture to repeat the chain.
Execution modules are delivered post-compromise: a Perl-based reverse shell used to run arbitrary commands and transfer files; a Monero miner (xmrig) configured with a specific wallet ID; and multiple DDoS modules (ddostf and Bill Gates/Setag) capable of multi-vector UDP and TCP/SYN floods. Persistence differs by platform: Windows drops itself to ProgramData\Microsoft\csrss.exe and registers HKCU\Software\Microsoft\Windows\CurrentVersion\Run; Linux installs /etc/id.services.conf and a loop file /etc/32678. The Linux build additionally implements ipspoof by setting IP_HDRINCL and manipulating headers to vary source IPs during attacks.
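A host triage check covering the Linux persistence artifacts above and the two SSH conditions the propagation chain depends on (an unprotected /root/.ssh/id_rsa and plaintext known_hosts addresses); this is an added example, not code from the report, and the function names, the constructed sample tree and its key and known_hosts contents are assumptions of the example, while the file paths are the ones the report names.

```python
import base64
import os
import tempfile


def key_is_unprotected(text):  # PEM: 'ENCRYPTED' marker; openssh-key-v1: cipher name
    body = "".join(l for l in text.splitlines() if not l.startswith("-----"))
    try:
        raw = base64.b64decode(body)
    except ValueError:
        return False
    if not raw.startswith(b"openssh-key-v1\x00"):
        return "ENCRYPTED" not in text
    n = int.from_bytes(raw[15:19], "big")  # cipher name follows the magic
    return raw[19:19 + n] == b"none"


def triage(root):  # root is a live '/' or a mounted image; returns findings
    found = []
    for rel in ("etc/id.services.conf", "etc/32678"):
        if os.path.exists(os.path.join(root, rel)):
            found.append("persistence artifact: /" + rel)
    loop = os.path.join(root, "etc/32678")
    if os.path.isfile(loop) and "id.services.conf" in open(loop, errors="replace").read():
        found.append("persistence loop: /etc/32678 re-runs id.services.conf")
    key = os.path.join(root, "root/.ssh/id_rsa")
    if os.path.isfile(key) and key_is_unprotected(open(key, errors="replace").read()):
        found.append("ssh: /root/.ssh/id_rsa has no passphrase")
    hosts = os.path.join(root, "root/.ssh/known_hosts")
    if os.path.isfile(hosts):  # hashed entries start with '|1|' and leak no address
        plain = [l for l in open(hosts) if l.strip() and not l.startswith(("#", "|1|"))]
        if plain:
            found.append("ssh: %d known_hosts entries expose addresses" % len(plain))
    return found


def build_sample_root():  # constructed infected tree for the demo, not real samples
    root = tempfile.mkdtemp()
    pem = "-----BEGIN OPENSSH PRIVATE KEY-----\n%s\n-----END OPENSSH PRIVATE KEY-----\n"
    files = {
        "etc/id.services.conf": "\x7fELF",
        "etc/32678": "#!/bin/sh\nwhile [ 1 ]; do sleep 60; /etc/id.services.conf; done\n",
        "root/.ssh/id_rsa": pem % base64.b64encode(b"openssh-key-v1\x00\x00\x00\x00\x04none").decode(),
        "root/.ssh/known_hosts": "|1|hash=|hash= ssh-ed25519 AAAA\n10.0.0.5 ssh-ed25519 AAAA\n",
    }
    for rel, content in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(content)
    return root
```

Turning on HashKnownHosts and giving root's key a passphrase removes the two SSH findings, which is what denies the ssh module its next targets.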