Chaos

Chaos is Linux malware that compromises systems by brute force attacks against SSH services. Once installed, it provides a reverse shell to its controllers, triggered by unsolicited packets. [1]

ID: S0220
Type: MALWARE
Platforms: Linux
Version: 1.1
Created: 18 April 2018
Last Modified: 01 July 2020

Techniques Used

Domain ID Name Use
Enterprise T1110 Brute Force

Chaos conducts brute force attacks against SSH services to gain initial access.[1]
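The brute-force behaviour above is what a defender would look for first in SSH authentication logs. The following is an added detection example, not code from the ATT&CK page or the malware analysis it cites: it parses constructed sshd auth.log lines, flags a source that accumulates a burst of failed logins inside a short window, and notes whether that source subsequently succeeded. The threshold, window and log year are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log lines (not from the page): one source hammers sshd, then succeeds.
SAMPLE_AUTH_LOG = """\
Apr 18 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 51322 ssh2
Apr 18 10:00:02 host sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51324 ssh2
Apr 18 10:00:02 host sshd[1205]: Failed password for root from 203.0.113.7 port 51326 ssh2
Apr 18 10:00:03 host sshd[1207]: Failed password for root from 203.0.113.7 port 51328 ssh2
Apr 18 10:00:04 host sshd[1209]: Failed password for oracle from 203.0.113.7 port 51330 ssh2
Apr 18 10:00:05 host sshd[1211]: Accepted password for root from 203.0.113.7 port 51332 ssh2
Apr 18 10:07:00 host sshd[1300]: Failed password for alice from 198.51.100.4 port 40001 ssh2
Apr 18 10:30:00 host sshd[1400]: Failed password for alice from 198.51.100.4 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+ ssh2$"
)

def parse_line(line, year=2018):
    """Parse one sshd auth line; syslog has no year, so it is an assumed parameter."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]

def detect_ssh_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {src_ip: {'failures': n, 'success_after': bool}} for sources that
    reach `threshold` failed logins within any `window_seconds` span."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    failures = defaultdict(list)   # src -> timestamps of recent failures
    flagged = {}
    for ts, result, user, src in events:
        if result == "Failed":
            window = failures[src]
            window.append(ts)
            while (ts - window[0]).total_seconds() > window_seconds:  # expire old failures
                window.pop(0)
            if len(window) >= threshold and src not in flagged:
                flagged[src] = {"failures": len(window), "success_after": False}
        elif result == "Accepted" and src in flagged:
            flagged[src]["success_after"] = True   # credential guessed after the burst
    return flagged
```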

Enterprise T1059.004 Command and Scripting Interpreter: Unix Shell

Chaos provides a reverse shell connection on 8338/TCP, encrypted via AES.[1]

Enterprise T1573.001 Encrypted Channel: Symmetric Cryptography

Chaos provides a reverse shell connection on 8338/TCP, encrypted via AES.[1]

Enterprise T1104 Multi-Stage Channels

After initial compromise, Chaos will download a second stage to establish a more permanent presence on the affected system.[1]

Enterprise T1205 Traffic Signaling

Chaos's reverse shell is triggered upon receipt of a packet containing a special string, sent to any port.[1]

References