
S0220 Chaos

Chaos is Linux malware that compromises systems by brute force attacks against SSH services. Once installed, it provides a reverse shell to its controllers, triggered by unsolicited packets. [1]

| Item | Value |
| --- | --- |
| ID | S0220 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.1 |
| Created | 18 April 2018 |
| Last Modified | 01 July 2020 |

Techniques Used

| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| enterprise | T1110 | Brute Force | Chaos conducts brute force attacks against SSH services to gain initial access. [1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.004 | Unix Shell | Chaos provides a reverse shell connection on 8338/TCP, encrypted via AES. [1] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.001 | Symmetric Cryptography | Chaos provides a reverse shell connection on 8338/TCP, encrypted via AES. [1] |
| enterprise | T1104 | Multi-Stage Channels | After initial compromise, Chaos will download a second stage to establish a more permanent presence on the affected system. [1] |
| enterprise | T1205 | Traffic Signaling | Chaos provides a reverse shell that is triggered upon receipt of a packet with a special string, sent to any port. [1] |

References