Chalubo is a new botnet that targets poorly secured Internet of Things (IoT) devices and servers in order to launch distributed denial-of-service (DDoS) attacks.
Researchers from cybersecurity firm Sophos said this week that the botnet is becoming “increasingly prolific” and is ramping up efforts to target Internet-facing SSH servers on Linux-based systems alongside IoT products.
The main Chalubo bot not only adopts obfuscation techniques more commonly found in Windows-based malware but also reuses code from Xor.DDoS and Mirai, the latter of which was responsible for taking down Internet services across the US and Europe in October 2016.
Chalubo has three components: a downloader, the main bot (which runs on systems with an x86 processor architecture), and a Lua command script. The downloader is the Elknot dropper, which has previously been linked to the Elasticsearch botnet.
The researchers have also uncovered versions of the bot built for other processors, including 32- and 64-bit ARM, x86, x86_64, MIPS, MIPSEL, and PowerPC, which the team suggests "may indicate the end of a testing period."
Attacks began in late August, and one assault recorded at a Sophos honeypot on September 6 gave the firm insight into the new bot's capabilities.
Chalubo brute-forced the honeypot's SSH credentials, and once the attackers believed they had obtained a root shell, the researchers silently recorded the commands they issued to stop the firewall and install malicious components.
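The pattern described above, a run of failed SSH logins followed by an accepted password from the same source, is what a defender would want to surface from auth logs. The following is an added example written for this article, not code from Sophos or from the Chalubo samples; the sshd log lines are constructed for illustration (the honeypot's real logs are not published here), and the threshold of three failures is an arbitrary choice to tune per environment.

```python
import re
from collections import defaultdict

# Constructed sample auth.log lines standing in for a real sshd log (not the honeypot's data).
SAMPLE_LOG = """\
Sep  6 03:14:01 honeypot sshd[2210]: Failed password for root from 203.0.113.45 port 51022 ssh2
Sep  6 03:14:03 honeypot sshd[2210]: Failed password for root from 203.0.113.45 port 51030 ssh2
Sep  6 03:14:05 honeypot sshd[2211]: Failed password for admin from 203.0.113.45 port 51041 ssh2
Sep  6 03:14:07 honeypot sshd[2212]: Failed password for root from 203.0.113.45 port 51055 ssh2
Sep  6 03:14:09 honeypot sshd[2213]: Failed password for root from 203.0.113.45 port 51060 ssh2
Sep  6 03:14:12 honeypot sshd[2214]: Accepted password for root from 203.0.113.45 port 51071 ssh2
Sep  6 03:20:44 honeypot sshd[2300]: Accepted publickey for ops from 198.51.100.7 port 40022 ssh2
Sep  6 03:21:10 honeypot sshd[2301]: Failed password for ops from 198.51.100.7 port 40030 ssh2
Sep  6 03:21:15 honeypot sshd[2302]: Accepted password for ops from 198.51.100.7 port 40031 ssh2
"""

# Matches the standard OpenSSH "Accepted/Failed <method> for [invalid user] <user> from <ip> port <n>" format.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s\S+\ssshd\[\d+\]:\s"
    r"(?P<result>Accepted|Failed)\s(?P<method>\w+)\sfor\s(?:invalid user\s)?(?P<user>\S+)"
    r"\sfrom\s(?P<ip>[\d.]+)\sport\s\d+"
)


def parse(lines):
    """Yield one dict per recognised sshd authentication event; unrelated lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def brute_force_successes(lines, threshold=3):
    """Return (source_ip, user, failures_before_success) for every password login
    that was preceded by at least `threshold` consecutive failures from the same source.

    A successful public-key login resets the counter but is never flagged: guessing
    attacks of the kind in the article work against password authentication only."""
    failures = defaultdict(int)   # failed attempts per source IP since its last success
    hits = []
    for ev in parse(lines):
        if ev["result"] == "Failed":
            failures[ev["ip"]] += 1
        elif ev["method"] == "password" and failures[ev["ip"]] >= threshold:
            hits.append((ev["ip"], ev["user"], failures[ev["ip"]]))
            failures[ev["ip"]] = 0
        else:
            failures[ev["ip"]] = 0
    return hits


if __name__ == "__main__":
    for ip, user, n in brute_force_successes(SAMPLE_LOG.splitlines()):
        print(f"likely brute-force success: {ip} logged in as {user} after {n} failures")
```

Against the constructed log the only hit is 203.0.113.45 logging in as root after five failures; the legitimate operator who mistyped a password once is not flagged. In practice the counter should also expire after a quiet period, and the source may rotate addresses, so pairing this with per-user counts is worthwhile.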
The main bot component and the corresponding Lua command script are encrypted using the ChaCha stream cipher, and when the attack against the honeypot was launched, one particular component, libsdes, stood out.
Upon execution, libsdes creates an empty file that acts as a marker to prevent the malware accidentally running more than once. The bot then attempts to copy itself into /usr/bin/ under a random string of letters and numbers, forking itself to create multiple points of persistence so that it survives a reboot.
A persistence script is then dropped and executed, which Sophos says is close to a carbon copy of how the Xor.DDoS family operates.
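The self-copy into /usr/bin/ under a random alphanumeric name leaves a simple artefact to hunt for: an executable in a system binary directory that no package claims and whose name looks machine-generated. The following is an added example for this article, not code from Sophos or from the Chalubo samples. The directory listing and the set of package-owned names are constructed (on a real host the listing would come from os.scandir and the ownership from dpkg -S or rpm -qf); the length, character-mix and entropy cut-offs are heuristic choices, not values taken from the malware.

```python
import math
import os
import re
import stat

# Constructed stand-in for os.scandir("/usr/bin"): (file name, st_mode). Not from a real host.
SAMPLE_USR_BIN = [
    ("python3", 0o100755),
    ("ssh", 0o100755),
    ("ls", 0o100755),
    ("xz", 0o100755),
    ("ip6tables-save", 0o100755),
    ("qj7xkd2mzp", 0o100755),    # constructed: random-looking, unpackaged, executable
    ("Hr4sLp9Qw3Tz", 0o100755),  # constructed: random-looking, unpackaged, executable
    ("notes.txt", 0o100644),     # constructed: unpackaged but not executable
]

# Names the package manager vouches for (constructed; in practice build this from dpkg -S / rpm -qf).
PACKAGED = {"python3", "ssh", "ls", "xz", "ip6tables-save"}


def shannon_entropy(s):
    """Bits per character of the string; a name of n distinct characters scores log2(n)."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(name, min_len=8, min_entropy=3.0):
    """Heuristic for a machine-generated alphanumeric name: only [A-Za-z0-9],
    at least min_len characters, a mix of letters and digits, and high entropy.
    Real tool names ("python3", "ip6tables-save") fail on length or on the hyphen."""
    if not re.fullmatch(r"[A-Za-z0-9]{%d,}" % min_len, name):
        return False
    if not (re.search(r"[A-Za-z]", name) and re.search(r"\d", name)):
        return False
    return shannon_entropy(name) >= min_entropy


def find_suspicious(entries, packaged):
    """Return names of regular, executable files that no package owns and that look random."""
    hits = []
    for name, mode in entries:
        if name in packaged:
            continue
        if not (stat.S_ISREG(mode) and mode & 0o111):
            continue
        if looks_random(name):
            hits.append(name)
    return hits


def scan_directory(path, packaged):
    """Live variant: read a real directory and apply the same checks (not exercised here)."""
    entries = [(e.name, e.stat(follow_symlinks=False).st_mode) for e in os.scandir(path)]
    return find_suspicious(entries, packaged)


if __name__ == "__main__":
    for name in find_suspicious(SAMPLE_USR_BIN, PACKAGED):
        print(f"unpackaged executable with random-looking name: /usr/bin/{name}")
```

On the constructed listing the two random-looking executables are reported and the genuine tools are not. Hits should be confirmed by hashing the file and checking for matching init or cron entries that launch it, since the heuristic alone will also catch legitimately generated names such as build artefacts.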
“This bot demonstrates increased complexity compared to the standard Linux bots we typically see delivered from these types of attacks,” Sophos says. “Not only are the attackers using a layered approach to dropping malicious components, but the encryption used isn’t one that we typically see with Linux malware.”
The bot itself contains snippets of Mirai, but the majority of the code is new. The Lua command script communicates with the botnet's command-and-control (C2) server and will download, decrypt, and execute any additional script it receives.
The Lua sample Sophos obtained instructed the bot to perform a SYN flood, a kind of DoS attack that sends TCP SYN packets at high rates so that the target exhausts its resources on half-open connections that are never completed.
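The defining signature of a SYN flood is a burst of SYNs to one destination whose three-way handshakes are never completed. The following is an added example for this article, not code from Sophos or from the Chalubo Lua script: it tallies half-open connections per destination and one-second bucket from a constructed, simplified packet summary (timestamp, source, destination, TCP flags in tcpdump style, where "S" is SYN, "S." is SYN-ACK and "." is ACK). The threshold of 20 half-open connections per second is an arbitrary choice for the example.

```python
from collections import defaultdict

# Constructed packet summaries: "epoch_seconds src:port dst:port flags". Not a real capture.
# One legitimate handshake that completes, followed by 40 SYNs from spoofed sources that never do.
SAMPLE_PACKETS = [
    "1536200000.10 198.51.100.7:40001 203.0.113.10:80 S",
    "1536200000.11 203.0.113.10:80 198.51.100.7:40001 S.",
    "1536200000.12 198.51.100.7:40001 203.0.113.10:80 .",
] + [
    f"1536200001.{i:02d} 10.0.{i}.{i}:{1000 + i} 203.0.113.10:80 S" for i in range(40)
]


def parse(lines):
    """Yield (timestamp, src, dst, flags); malformed lines are ignored."""
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, flags = parts
        yield float(ts), src, dst, flags


def half_open_by_bucket(lines):
    """Map (dst, whole-second bucket) -> number of SYNs whose handshake was never completed.

    A SYN registers the (src, dst) pair as pending; the client's final ACK on the same pair
    clears it. SYN-ACKs travel the other way and do not touch the table. Only pairs still
    pending at the end are counted, so a normal handshake contributes nothing."""
    pending = {}  # (src, dst) -> bucket in which the SYN arrived
    for ts, src, dst, flags in parse(lines):
        if flags == "S":
            pending[(src, dst)] = int(ts)
        elif flags == "." and (src, dst) in pending:
            del pending[(src, dst)]
    counts = defaultdict(int)
    for (src, dst), bucket in pending.items():
        counts[(dst, bucket)] += 1
    return counts


def syn_flood_targets(lines, threshold=20):
    """Return sorted (dst, bucket, half_open_count) tuples that meet the per-second threshold."""
    counts = half_open_by_bucket(lines)
    return sorted((dst, b, n) for (dst, b), n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for dst, bucket, n in syn_flood_targets(SAMPLE_PACKETS):
        print(f"possible SYN flood: {n} half-open connections to {dst} in second {bucket}")
```

The completed handshake leaves no trace in the result, while the 40 unanswered SYNs in the following second are reported against 203.0.113.10:80. Because flood sources are usually spoofed, counting per source is of little use; counting per destination, as here, is what identifies the victim.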
In this case, a single Chinese IP address was targeted.
Sophos expects that, as the botnet appears to be reaching the end of a testing phase, more widespread attacks from it may follow. Chalubo is, however, far from the only botnet menace out there.
In September, researchers from Avast revealed the existence of Torii, a botnet they consider "a level above anything we have seen before", Mirai included.