# Chaos malware



## trutlze (Oct 4, 2022)

Hi,

I expect you already heard about the new Chaos malware[1,2], a Go-based malware that can attack multiple architectures and operating systems, including FreeBSD.

To me it's not fully clear how this could affect FreeBSD. And furthermore how to defend against it. Maybe you could help me.

It seems to come via exploitable vulnerabilities (But which? There seem to be
CVE-2017-17215[3], CVE-2022-30525[4] and CVE-2022-1388[5] ... seems not FreeBSD-specific at a first glance), over brute-forced ssh entry-points (also by using stolen ssh keys). Is this the only possible attack-way?
And advises against infections are not special: keep systems up-to-date, use strong passwords, use multi-factor-authentication. But is this all? Can you consider being safe if you follow these advises?

Kind regards,
trutlze

[1] https://arstechnica.com/information...fected-hundreds-of-linux-and-windows-devices/
[2] https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/
[3] https://nvd.nist.gov/vuln/detail/CVE-2017-17215
[4] https://nvd.nist.gov/vuln/detail/CVE-2022-30525
[5] https://nvd.nist.gov/vuln/detail/CVE-2022-1388


----------



## SirDice (Oct 4, 2022)

> Chaos propagates through known CVEs and brute forced as well as stolen SSH keys.





> CVEs refer to the mechanism used to track specific vulnerabilities. Wednesday's report referred to only a few, including CVE-2017-17215 and CVE-2022-30525 affecting firewalls sold by Huawei, and CVE-2022-1388, an extremely severe vulnerability in load balancers, firewalls, and network inspection gear sold by F5. SSH infections using password brute-forcing and stolen keys also allow Chaos to spread from machine to machine inside an infected network.


So the only way to get in on a FreeBSD machine would be the SSH (bruteforce or stolen keys) route. 



trutlze said:


> And advises against infections are not special: keep systems up-to-date, use strong passwords, use multi-factor-authentication. But is this all?


Yes, it looks that way. 



trutlze said:


> Can you consider being safe if you follow these advises?


Until they start using specific FreeBSD vulnerabilities, but keeping your system up to date is always a good way to keep your systems safe. They could start using some zero-day of course, but then you wouldn't be able to stop them (definition of a zero day exploit is that it's an unknown bug, thus no patch for it).

And of course you have to keep tabs on who has access to your systems and how. But this is just standard practice, or at least it should be.


----------



## kpedersen (Oct 4, 2022)

trutlze said:


> a Go-based malware that can attack multiple architectures and operating systems, including FreeBSD.


Heh, they might want to rewrite it in C so they can attack much more


----------



## SirDice (Oct 4, 2022)

> First, it is designed to work across several architectures, including: ARM, Intel (i386), MIPS and PowerPC—in addition to both Windows and Linux operating systems.


I wonder how they achieved this though. It's relatively easy as long as the architecture is the same (although there could be a difference in API/ABI calling conventions [*]). Would they just use different, embedded, payloads for each different system? Granted I know next to nothing about Go. So I have no idea how it works internally. But in the end it's all code that runs on a CPU. 

[*] https://docs.freebsd.org/en/books/developers-handbook/x86/#x86-default-calling-convention


----------



## msplsh (Oct 4, 2022)

SirDice said:


> Would they just use different, embedded, payloads for each different system


The lumen blog details how different second-stage payloads get downloaded and also bootstrapping payloads for additional non-native targets.

"In one instance, we observed a FreeBSD-compiled sample hosted on a staging server that we identified as being a Bill Gates/Setag sample. We suspect the threat actor may have acquired the Bill Gates DDoS malware to leverage it specifically against FreeBSD servers, which were not otherwise covered in the Chaos codebase."

Apache Struts 2 vulnerability you'd encounter through a dependency.


----------

