Researchers Discover Chaos, a Golang Multipurpose Botnet
A new multifunctional malware written in the Go programming language has been spotted in the wild, targeting both Windows and Linux systems.
The discovery has been made by Black Lotus Labs, the threat intelligence team at Lumen Technologies, who published an advisory about the new threat on Wednesday.
The team reportedly discovered and analyzed roughly 100 samples of the malware, named Chaos by the threat actor, which was written in Chinese and seemed China-based due to its command and control (C2) infrastructure.
According to the advisory, Chaos offers several features, including the ability to enumerate the host environment and run remote shell commands. It can also load additional modules, automatically propagate through stealing and brute forcing Secure Shell (SSH) private keys, and launch DDoS attacks.
“We are seeing a complex malware that has quadrupled in size in just two months, and it is well-positioned to continue accelerating,” explained Mark Dehus, director of threat intelligence at Black Lotus Labs.
The company also said it witnessed a successful compromise of a GitLab server by Chaos, alongside several DDoS attacks targeting the gaming, financial services and technology, and media and entertainment industries. Chaos reportedly also targeted DDoS-as-a-service providers and a cryptocurrency exchange.
“Chaos poses a threat to a variety of consumer and enterprise devices and hosts,” Dehus added. “We strongly recommend organizations bolster their security postures by deploying services like DDoS mitigation.”
In particular, the executive recommended network administrators patch systems regularly and use the IoCs (indicators of compromise) outlined in the Black Lotus Labs report to monitor for infection or connections to suspicious infrastructure.
“Consumers and remote workers should enable automatic software updates, and regularly update passwords and reboot hardware.”
More generally, Dehus highlighted how the prevalence of malware written in Go had increased substantially in recent years due to its flexibility, low antivirus detection rates and difficulty in reverse-engineering software tools based on it.
While the trend has also been confirmed by the Securonix Threat and Trend Micro research teams in two separate advisories in August, others are suggesting some actors, including BlackCat, are now moving to Rust.