New Kaiji Modular Malware Variant "Chaos" Targets Europe

Description

FortiGuard Labs is aware of a new variant of the modular malware "Kaiji" targeting Windows and Linux machines and devices belonging to both consumers and enterprises in Europe. Dubbed "Chaos", the malware connects to command and control (C2) servers and performs various activities, including launching Distributed Denial of Service (DDoS) attacks and mining cryptocurrencies.


Why is this Significant?

This is significant because the Chaos malware targets both consumers and enterprises in Europe by exploiting various vulnerabilities. Infected machines join a botnet that is then used for malicious activities such as DDoS attacks and cryptocurrency mining.


What is Chaos Malware?

Chaos is a Go-based modular malware for Windows and Linux and is allegedly an updated version of the Kaiji malware. Chaos connects to C2 servers and receives remote commands as well as modules that add functionality. According to security vendor Black Lotus Labs, Chaos is primarily used for DDoS attacks and cryptocurrency mining. It is also designed to spread to other systems over SSH and by exploiting various vulnerabilities.


It is important to note that a ransomware family with a similar name exists (Chaos ransomware), but the two are completely unrelated.


What Vulnerabilities Does Chaos Exploit for Propagation?

According to Black Lotus Labs, Chaos malware exploits the following vulnerabilities:


  • Command Execution Vulnerability in Huawei HG532 Router (CVE-2017-17215)
  • Command Injection Vulnerability in Zyxel Firewalls (CVE-2022-30525)


Note that since Chaos is modular and receives remote commands, it may exploit other vulnerabilities as well, including the Authentication Bypass Vulnerability in F5 BIG-IP (CVE-2022-1388).


Have Vendors Released Patches for CVE-2017-17215, CVE-2022-30525 and CVE-2022-1388?

Patches are available for CVE-2022-30525 and CVE-2022-1388. We are currently unaware of any vendor-supplied patches for CVE-2017-17215.


What is the Status of Protection?

FortiGuard Labs detects Chaos DDoS malware with the following AV signatures:


  • Linux/Kaiji.C!tr
  • W32/Ransom_Foreign.R002C0WG222
  • W32/PossibleThreat


FortiGuard Labs provides the following IPS signatures for the vulnerabilities exploited by Chaos malware:


  • Huawei.HG532.Remote.Code.Execution (CVE-2017-17215)
  • ZyXEL.Firewall.ZTP.Command.Injection (CVE-2022-30525)
  • F5.BIG-IP.iControl.REST.Authentication.Bypass (CVE-2022-1388)
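The advisory above lists the IPS signatures that cover the vulnerabilities Chaos uses to spread. The following Python script is an added example (not part of the FortiGuard advisory and not FortiGuard code) showing how a SOC analyst might sweep IPS logs for hits on exactly those three signatures, map each hit back to its CVE, and flag source hosts whose attempts were only detected rather than dropped. The log lines are constructed for this example and use a generic key=value syslog layout; the field names `attack`, `srcip` and `action` are assumptions and should be adapted to whatever your IPS actually emits.

```python
import re
from collections import defaultdict

# IPS signature names taken from the advisory, mapped to the CVE each one covers.
CHAOS_IPS_SIGNATURES = {
    "Huawei.HG532.Remote.Code.Execution": "CVE-2017-17215",
    "ZyXEL.Firewall.ZTP.Command.Injection": "CVE-2022-30525",
    "F5.BIG-IP.iControl.REST.Authentication.Bypass": "CVE-2022-1388",
}

# Constructed sample log lines (not real telemetry). The key=value layout and the
# field names are assumptions; IPs come from the RFC 5737 documentation ranges.
SAMPLE_LOGS = """\
date=2022-09-29 time=10:01:02 type=utm subtype=ips severity=high srcip=198.51.100.23 dstip=192.0.2.10 attack="Huawei.HG532.Remote.Code.Execution" action=dropped
date=2022-09-29 time=10:01:07 type=utm subtype=ips severity=low srcip=198.51.100.77 dstip=192.0.2.11 attack="Some.Unrelated.Signature" action=detected
date=2022-09-29 time=10:02:15 type=utm subtype=ips severity=critical srcip=198.51.100.23 dstip=192.0.2.12 attack="ZyXEL.Firewall.ZTP.Command.Injection" action=dropped
date=2022-09-29 time=10:03:40 type=utm subtype=ips severity=critical srcip=203.0.113.5 dstip=192.0.2.13 attack="F5.BIG-IP.iControl.REST.Authentication.Bypass" action=detected
"""

# Matches key=value pairs where the value is either a quoted string (quotes and
# backslash escapes allowed inside) or a run of non-whitespace characters.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_kv(line):
    """Parse one key=value log line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def find_chaos_hits(log_text):
    """Summarise hits on the Chaos-related signatures, keyed by source IP.

    Each entry records the signatures seen, the CVEs they map to, and how many
    events were not dropped (i.e. the IPS only detected them), which is the
    subset worth checking for successful exploitation.
    """
    hits = defaultdict(lambda: {"signatures": [], "cves": set(), "not_blocked": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_kv(line)
        sig = rec.get("attack")
        if sig not in CHAOS_IPS_SIGNATURES:
            continue  # ignore signatures the advisory does not associate with Chaos
        entry = hits[rec.get("srcip", "unknown")]
        entry["signatures"].append(sig)
        entry["cves"].add(CHAOS_IPS_SIGNATURES[sig])
        if rec.get("action") != "dropped":
            entry["not_blocked"] += 1
    return dict(hits)


if __name__ == "__main__":
    for src, info in find_chaos_hits(SAMPLE_LOGS).items():
        status = "REVIEW: not all attempts blocked" if info["not_blocked"] else "blocked"
        print(f"{src}: {sorted(info['cves'])} ({len(info['signatures'])} events) -> {status}")
```

Sources that appear with more than one CVE (here 198.51.100.23) are scanning across device types, which matches the spreader behaviour described above; a source whose events were only detected, not dropped, warrants a look at the targeted device for signs of compromise.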