Threat Watch

Chalubo Botnet

A new botnet dubbed Chalubo has surfaced and is targeting poorly secured IoT devices and servers to conduct DDoS attacks. Chalubo adopts obfuscation techniques more commonly found in Windows-based malware and also reuses code from the Xor.DDoS and Mirai botnets. The malware has three components: a downloader, the main bot (which runs on the x86 processor architecture), and a Lua command script. The downloader is the Elknot dropper, which was previously linked to the Elasticsearch botnet. Variants of Chalubo have since been seen running on other processor architectures, including 32- and 64-bit ARM, x86, x86_64, MIPS, MIPSEL, and PowerPC; this is believed to mark the end of a testing period.

Attacks were first observed in August, when the botnet attempted to brute-force and obtain the credentials of a honeypot. The attackers believed they had gained a root shell; in fact, researchers were recording how the malicious components were installed and which commands were used to disable firewall protections. According to researchers, “The main bot component and the corresponding Lua command script are encrypted using the ChaCha stream cipher, and when the attack against the honeypot was launched, one particular command — libsdes — stood out.” Once executed, libsdes creates an empty file to stop the malware from accidentally executing more than once. The bot then attempts to copy itself under a random string of letters and numbers into “/usr/bin/” so that it remains persistent and survives reboots. It then drops and executes a script that provides additional persistence. Further analysis found small pieces of Mirai, but most of the code is new. The Lua script communicates with the botnet’s C&C server to decrypt, download, and execute any other script that it finds.
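The persistence behaviour described above (a copy of the bot dropped into /usr/bin under a random alphanumeric name, plus an empty marker file) gives a defender something concrete to hunt for. The script below is an added example written for this brief; it is not code from the page or from the researchers who analysed Chalubo. It scores file names in a binary directory for randomness and flags unowned, random-looking or zero-byte entries. The package-ownership flag is assumed to be supplied by the caller (for example from `dpkg -S` or `rpm -qf`), the entropy threshold is a heuristic chosen here, and the directory listing is constructed for the example; the page does not state where the marker file is written, so the zero-byte check is applied to the scanned directory as an assumption.

```python
"""Hunt for Chalubo-style persistence artefacts in a binary directory.

Flags entries whose name is a random-looking alphanumeric string that no
package owns, and zero-byte files (an executable directory should not
contain empty files). Added example; thresholds are heuristics.
"""
import math
import os
import re
from collections import Counter
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class Entry:
    name: str
    size: int
    package_owned: bool  # assumed: caller resolves this via dpkg -S / rpm -qf


# Long, purely alphanumeric names; real tools usually carry dots, dashes
# or underscores (python3.6, x86_64-linux-gnu-gcc), which this excludes.
RANDOM_NAME = re.compile(r"^[A-Za-z0-9]{8,}$")
ENTROPY_THRESHOLD = 3.0  # bits per character; heuristic chosen for this example


def name_entropy(name: str) -> float:
    """Shannon entropy of the characters in a file name, in bits per character."""
    counts = Counter(name)
    n = len(name)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_random(name: str) -> bool:
    """Heuristic: long alphanumeric name mixing letters and digits with high entropy."""
    if not RANDOM_NAME.match(name):
        return False
    has_digit = any(ch.isdigit() for ch in name)
    has_alpha = any(ch.isalpha() for ch in name)
    return has_digit and has_alpha and name_entropy(name) >= ENTROPY_THRESHOLD


def find_suspicious(entries: List[Entry]) -> List[Tuple[str, List[str]]]:
    """Return (name, reasons) for every entry that trips at least one check."""
    findings = []
    for e in entries:
        reasons = []
        if looks_random(e.name) and not e.package_owned:
            reasons.append("random alphanumeric name not owned by any package")
        if e.size == 0:
            reasons.append("zero-byte file in binary directory")
        if reasons:
            findings.append((e.name, reasons))
    return findings


def scan_dir(path: str, owned: Callable[[str], bool]) -> List[Tuple[str, List[str]]]:
    """Build entries from a live directory; `owned` maps a full path to a
    package-ownership verdict (assumed to be provided by the caller)."""
    entries = []
    with os.scandir(path) as it:
        for d in it:
            if d.is_file(follow_symlinks=False):
                entries.append(Entry(d.name, d.stat(follow_symlinks=False).st_size,
                                     owned(d.path)))
    return find_suspicious(entries)


# Constructed sample listing (not from a real host): two normal tools,
# one random-named unowned binary, one random-named zero-byte marker.
SAMPLE = [
    Entry("ls", 142_000, True),
    Entry("sha256sum", 47_000, True),
    Entry("a8Kf3Zq9Lx2P", 210_000, False),
    Entry("k3QpX7mZ9Rt", 0, False),
]

if __name__ == "__main__":
    for name, reasons in find_suspicious(SAMPLE):
        print(f"{name}: {'; '.join(reasons)}")
```

On a live host, call `scan_dir("/usr/bin", owned)` with an `owned` callback backed by the package manager; a random-named file that the package database does not know about is worth pulling for analysis regardless of how it got there.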