PSA: Improperly Secured Linux Servers Targeted with Chaos Backdoor (RCE capabilities)

LASER_oneXM

LASER_oneXM

Level 37
Thread author
Verified
Top Poster
Well-known
Feb 4, 2016
2,520
Hackers are using SSH brute-force attacks to take over Linux systems secured with weak passwords and are deploying a backdoor named Chaos.

Attacks with this malware have been spotted since June, last year. They have been recently documented and broken down in a GoSecure report.

Chaos rooted in 2013 sebd rootkit
According to GoSecure experts, the backdoor isn't actually new and was one of the components of the "sebd" Linux rootkit that saw limited use in 2013 and was later dumped as a free download on HackForums.

It now appears that someone extracted the backdoor from the sebd rootkit source code, has renamed it to "Chaos," and is now using it as the first-stage payload in attacks on Linux servers.
..
.....
..
.....
Click to expand...

Chaos uses clever trick to avoid firewalls
The only thing that stands out as interesting in Chaos' modus operandi is the fact that it opens a raw socket on port 8338 on which it listens to commands.

"Any decent firewall would block incoming packets to any ports that have not explicitly been opened for operational purposes," GoSecure experts say. "However, with Chaos using a raw socket, the backdoor can be triggered on ports running an existing legitimate service."

Besides allowing Chaos to run without disturbing services already running on that port, this raw sockets trick also ensures that the backdoor's process doesn't appear when server admins run basic netstat -w checks.

"Because Chaos doesn’t come alone but with at least one IRC Bot that has remote code execution capabilities, we advise infected hosts to be fully reinstalled from a trusted backup with a fresh set of credentials," GoSecure advises.
Click to expand...
 
  • Like
Reactions: Transhumana, Deleted member 65228, Daviworld and 1 other person
F

ForgottenSeer 58943

Raw Socket over non-standard port is a 'Clever' trick? Hardly. Any competent UTM/NGFW may block raw sockets, but more importantly would fully block standard protocol data over non-standard ports. This is networking 101 stuff and nothing particular clever. Try putting DNS over Port 54 and see how badly a UTM complains. Try putting standard web traffic over port 22 and see what happens. Or even try SSH over 443, let me know how that goes. UTM/NGFW, good firewalls are trained to recognize standard traffic over non-standard ports, or non-standard traffic over standard ports.

The NOVEL APPROACH here is they are piggybacking this over legitimately opened ports and services. This is also done by intelligence hackers, so I am wondering if this contains some code leaks from CIA/NSA tools? Also, I am wondering if they factored malformed packets on those standard, in-use opened ports, which may also be picked up by some UTM/NGFW devices or SIEMs.

Either way, the most alarming thing would be this has reached the level of 'normalcy'? Game changer.
 
You must log in or register to reply here.

Similar threads

silversurfer
    • Like
    • +Reputation
Researchers smell a cryptomining Chaos RAT targeting Linux systems
Replies
0
Views
709
News Archive
silversurfer
silversurfer
upnorth
    • Like
    • +Reputation
    • Wow
Chaos Malware Resurfaces With All-New DDoS & Cryptomining Modules
Replies
0
Views
717
News Archive
upnorth
upnorth
[correlate]
    • Like
Security News Warning: Poorly Secured Linux SSH Servers Under Attack for Cryptocurrency Mining
Replies
0
Views
923
Security News
[correlate]
[correlate]

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top