What is Chaos?
Chaos is a cross-platform botnet written in Go that targets both Windows and Linux systems. It spreads by exploiting known, already-patched vulnerabilities in exposed services and by brute-forcing SSH logins (SSH, Secure Shell, is the encrypted protocol used to administer machines remotely). Note that the MITRE ATT&CK identifier S0220 (Chaos) describes an earlier, Linux-only Chaos backdoor from 2018 that likewise spread by SSH brute force and opened a reverse shell; the Go-based botnet described here is the later family documented in 2022.
An infected host joins the botnet and takes commands from its operator: launching DDoS attacks, stealing the SSH keys found on the host (which the operator reuses to move laterally to other machines those keys unlock), or opening a reverse shell that gives the controllers interactive remote access to the machine.
How to Defend Against Chaos?
Defending against Chaos means hardening systems against its two initial access methods (SSH brute force and exploitation of known vulnerabilities) and detecting the activity of hosts that have already joined the botnet.
- Disable SSH password authentication where possible and use key-based authentication; where passwords must remain, use strong, unique ones and rate-limit failed logins. Because Chaos also steals SSH keys from infected hosts, protect private keys with passphrases and rotate any key that lived on a compromised machine.
- Keep all systems patched, starting with internet-facing services, to close the known vulnerabilities the malware exploits to spread.
- Deploy endpoint detection and response (EDR) and antivirus on both Windows and Linux hosts to identify and block the malware's execution.
- Use network detection and response (NDR) with integrated threat intelligence to spot and block command-and-control (C2) communications and outbound DDoS traffic from infected hosts.
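The two SSH-related controls above, detecting brute-force attempts and removing the password-based logins they rely on, can be exercised with a short script. The following is an added example, not code from the original page or from any Chaos analysis: it runs a sliding-window brute-force detector over constructed OpenSSH `auth.log` lines (flagging a source that hits the failure threshold, and escalating if that same source then logs in successfully), and audits an `sshd_config` fragment for the weak settings the attack depends on. Thresholds, the sample log, the sample configs and the year supplied to the parser are all assumptions.

```python
import re
from collections import defaultdict, deque, namedtuple
from datetime import datetime, timedelta

# --- 1. SSH brute-force detection over sshd auth log lines --------------------

# Constructed sample of OpenSSH auth.log lines (syslog format); not from a real host.
SAMPLE_LOG = """\
Mar 10 02:14:01 web1 sshd[2201]: Failed password for root from 203.0.113.45 port 51422 ssh2
Mar 10 02:14:03 web1 sshd[2204]: Failed password for root from 203.0.113.45 port 51430 ssh2
Mar 10 02:14:05 web1 sshd[2207]: Failed password for invalid user admin from 203.0.113.45 port 51438 ssh2
Mar 10 02:14:07 web1 sshd[2210]: Failed password for invalid user oracle from 203.0.113.45 port 51446 ssh2
Mar 10 02:14:09 web1 sshd[2213]: Failed password for root from 203.0.113.45 port 51454 ssh2
Mar 10 02:14:12 web1 sshd[2216]: Accepted password for root from 203.0.113.45 port 51462 ssh2
Mar 10 02:20:33 web1 sshd[2300]: Failed password for alice from 198.51.100.7 port 40012 ssh2
Mar 10 02:21:10 web1 sshd[2305]: Accepted publickey for alice from 198.51.100.7 port 40020 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

Event = namedtuple("Event", "ts result method user ip")
Alert = namedtuple("Alert", "kind ip user count")


def parse_line(line, year):
    """Parse one sshd auth line; syslog lines carry no year, so it is supplied."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return Event(ts, m["result"], m["method"], m["user"], m["ip"])


def detect_ssh_bruteforce(log_text, threshold=5, window_seconds=60, year=2024):
    """Alert once a source IP reaches `threshold` failed logins inside a sliding
    window; escalate if that IP then logs in successfully (the guessing worked).
    Threshold, window and year are assumed values for this example."""
    window = timedelta(seconds=window_seconds)
    recent_failures = defaultdict(deque)  # ip -> failure timestamps still in window
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line, year)
        if ev is None:
            continue
        recent = recent_failures[ev.ip]
        while recent and ev.ts - recent[0] > window:  # expire old failures
            recent.popleft()
        if ev.result == "Failed":
            recent.append(ev.ts)
            if len(recent) >= threshold and ev.ip not in flagged:
                flagged.add(ev.ip)
                alerts.append(Alert("ssh_brute_force", ev.ip, ev.user, len(recent)))
        elif len(recent) >= threshold:
            alerts.append(Alert("ssh_brute_force_success", ev.ip, ev.user, len(recent)))
    return alerts


# --- 2. sshd_config audit: weak settings beside the recommended values --------

# directive -> (OpenSSH default when the directive is absent, weak value, recommended)
SSHD_CHECKS = {
    "passwordauthentication": ("yes", "yes", "no"),
    "permitrootlogin": ("prohibit-password", "yes", "prohibit-password"),
    "permitemptypasswords": ("no", "yes", "no"),
}

# Constructed sshd_config fragments: the first still allows password guessing.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""
HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin prohibit-password
PasswordAuthentication no
PubkeyAuthentication yes
"""


def audit_sshd_config(config_text):
    """Return (directive, effective_value, recommended) for each weak setting.
    OpenSSH honours the first occurrence of a directive; Match blocks are not modelled."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            seen.setdefault(parts[0].lower(), parts[1].strip().lower())
    findings = []
    for directive, (default, weak, recommended) in SSHD_CHECKS.items():
        effective = seen.get(directive, default)
        if effective == weak:
            findings.append((directive, effective, recommended))
    return findings


if __name__ == "__main__":
    for alert in detect_ssh_bruteforce(SAMPLE_LOG):
        print(alert)
    for finding in audit_sshd_config(WEAK_SSHD_CONFIG):
        print("weak setting:", finding)
```

On the sample log the detector raises one `ssh_brute_force` alert for 203.0.113.45 at its fifth failure and an `ssh_brute_force_success` alert when that address logs in as root a few seconds later; the single failed login from 198.51.100.7 followed by a key-based login stays below the threshold. The config audit treats an absent `PasswordAuthentication` as the OpenSSH default of `yes`, which is why a fresh install without that line is still reported as weak.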