Chaos

Chaos is Linux malware that compromises systems by brute force attacks against SSH services. Once installed, it provides a reverse shell to its controllers, triggered by unsolicited packets. ^[1]

ID: S0220

ⓘ

Type: MALWARE

ⓘ

Platforms: Linux

Version: 1.1

Created: 18 April 2018

Last Modified: 01 July 2020

Version Permalink

Live Version

Techniques Used

Domain	ID		Name	Use
Enterprise	T1110		Brute Force	Chaos conducts brute force attacks against SSH services to gain initial access.^[1]
Enterprise	T1059	.004	Command and Scripting Interpreter: Unix Shell	Chaos provides a reverse shell connection on 8338/TCP, encrypted via AES.^[1]
Enterprise	T1573	.001	Encrypted Channel: Symmetric Cryptography	Chaos provides a reverse shell connection on 8338/TCP, encrypted via AES.^[1]
Enterprise	T1104		Multi-Stage Channels	After initial compromise, Chaos will download a second stage to establish a more permanent presence on the affected system.^[1]
Enterprise	T1205		Traffic Signaling	Chaos provides a reverse shell is triggered upon receipt of a packet with a special string, sent to any port.^[1]

References

Sebastian Feldmann. (2018, February 14). Chaos: a Stolen Backdoor Rising Again. Retrieved March 5, 2018.

Chaos

Enterprise Layer

Techniques Used

References