
‘Chaos’ backdoor lets attackers gain control of Linux servers

Ars Technica reports the attack was disclosed by Montreal-based security group GeoSecure this week. Known as Chaos, the malware attack begins by brute-forcing the passwords of SSH services running on a target machine. SSH is a protocol that enables administrators to interact with a system remotely over the Internet, so a successful compromise could give an attacker devastating powers.
Ordinarily, the network ports and sockets used for these connections are protected by firewalls that prevent backdoors from being exploited. The Chaos attack avoids this restriction by deploying its own unspecialised “raw” socket, allowing it to listen in on the network activity of the target machine without opening a conventional listening port. Once it has been successfully installed, the malware authors can take control of the server through a reverse shell.
Chaos’ backdoor is protected by an encrypted password. To activate the backdoor, the attacker first sends the correct password to the machine. The researchers were able to decrypt the password after discovering it is embedded inside the malware’s source and is poorly protected. This means that anyone who obtains the code for Chaos can extract the password and remotely access Linux servers infected with the malware.
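The initial access described above is a plain SSH password brute force, which leaves a recognisable trail in the server’s authentication log: a burst of failed logins from one source followed by an accepted password login from the same source. The following script is an added example (not code from the article or from the researchers) that flags that pattern in sshd log lines. The log lines, the hostnames and the IP addresses in it are constructed sample data, and the threshold of five failures is an assumed tuning value.

```python
import re
from collections import defaultdict

# Constructed sample auth.log lines (not taken from the article or any real host).
# 203.0.113.7 fails five times and then succeeds with a password: the brute-force pattern.
# 198.51.100.22 logs in with a key and 192.0.2.9 fails only once before succeeding.
SAMPLE_AUTH_LOG = """\
Feb 10 03:12:01 web1 sshd[2213]: Failed password for root from 203.0.113.7 port 51022 ssh2
Feb 10 03:12:03 web1 sshd[2213]: Failed password for root from 203.0.113.7 port 51030 ssh2
Feb 10 03:12:05 web1 sshd[2214]: Failed password for invalid user admin from 203.0.113.7 port 51041 ssh2
Feb 10 03:12:07 web1 sshd[2215]: Failed password for root from 203.0.113.7 port 51052 ssh2
Feb 10 03:12:09 web1 sshd[2216]: Failed password for root from 203.0.113.7 port 51060 ssh2
Feb 10 03:12:11 web1 sshd[2217]: Accepted password for root from 203.0.113.7 port 51071 ssh2
Feb 10 03:15:40 web1 sshd[2301]: Accepted publickey for deploy from 198.51.100.22 port 40112 ssh2
Feb 10 03:20:12 web1 sshd[2350]: Failed password for root from 192.0.2.9 port 33000 ssh2
Feb 10 03:20:14 web1 sshd[2351]: Accepted password for root from 192.0.2.9 port 33002 ssh2
"""

# Matches the standard OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <src>" format.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>password|publickey) "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_sshd_events(log_text):
    """Return one dict per sshd authentication line: result, method, user, src."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def find_bruteforce_logins(log_text, min_failures=5):
    """Flag source IPs that reach min_failures failed logins and then get a password login.

    The failure counter per source resets once a hit is recorded, so repeated
    campaigns from the same address are reported separately.
    """
    failures = defaultdict(int)
    targeted = defaultdict(set)
    hits = []
    for ev in parse_sshd_events(log_text):
        src = ev["src"]
        if ev["result"] == "Failed":
            failures[src] += 1
            targeted[src].add(ev["user"])
        elif ev["method"] == "password" and failures[src] >= min_failures:
            hits.append({
                "src": src,
                "user": ev["user"],
                "failures": failures[src],
                "targeted_users": sorted(targeted[src]),
            })
            failures[src] = 0
            targeted[src].clear()
    return hits


if __name__ == "__main__":
    for hit in find_bruteforce_logins(SAMPLE_AUTH_LOG):
        print(f"brute-force login from {hit['src']} as {hit['user']} "
              f"after {hit['failures']} failures (tried: {', '.join(hit['targeted_users'])})")
```

Key-based logins are deliberately ignored, since a brute force of the kind described only ends in an accepted password; in production the threshold would be tuned to the site’s normal rate of mistyped passwords, and a single-failure success such as the one from 192.0.2.9 in the sample stays below it.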
According to the researchers, Chaos is designed to give malicious actors persistent access to machines they can use for criminal activities. The infected servers could be directed to conduct cyberattacks or to extract sensitive data from networks. This makes the choice of a weak password all the more incongruous, since the servers could now be tampered with by any other actor who obtains the malware.
“The Chaos backdoor is pretty interesting as it uses a stealthy raw socket to spawn a reverse-shell with full network encryption and integrity checks. However, the backdoor’s encryption can easily be broken if the pre-shared key is known, as it is transmitted in plain text,” said the researchers. “[Attackers] would use the infected machine as a proxy to conduct further criminal actions. This enables them to potentially cross network boundaries in the process.”
Around 100 machines have been impacted by Chaos, including virtual servers running on infrastructure from major providers such as Rackspace, Digital Ocean and Linode. The majority of the machines appear to be running in production environments at businesses, so there is scope for the malware controllers to obtain valuable data. The find has been reported to the Canadian Cyber Incident Response Center to coordinate an effort to disinfect the servers.