SophosLabs identifies Chalubo Botnet that uses servers or smart IoT devices for DDOS attacks


SophosLabs, one of the most prominent companies in the cybersecurity field, has reported an increase in attacks targeting Internet-facing SSH servers running the popular Linux operating system. The bots belong to the DDoS class of malware and have been labeled Chalubo.

The attack is carried out using a Lua script, with the main bot component encrypted using the well-known ChaCha stream cipher. The recent adoption of anti-analysis techniques points to a gradual increase in the amount of malware developed for Linux, as Windows-based threats are detected more frequently because that operating system is more widely used.

The recently discovered Chalubo bot retains part of its code from the Xor.DDoS and Mirai malware families. It was further found that the bot began downloading the malware in late August, issuing remote commands to the victim's device to identify and retrieve three major components. The Chalubo bot comprises three main components: a downloader, a bot (designed to run on the widely used x86 architecture) and the Lua script responsible for triggering the action.

In the past few days, the attackers have been issuing commands that download the Elknot dropper (detected as Linux/DDoS-AZ), which is responsible for delivering Chalubo (ChaCha-Lua-Bot).

Chalubo was initially reported only on the world's most popular x86 architecture, but a recent development reported by SophosLabs shows that it is now capable of running the entire process on various architectures such as x86_64, MIPS, MIPSEL and both 32-bit and 64-bit ARM, which is used in mobile chipsets all over the world. This could signify an increase in the activity of the Chalubo bot.

This might mean that the attackers were testing the bot by targeting specific machines and have now finished doing so. Experts at SophosLabs warn of an increased number of attacks from this new family of DDoS malware. Chalubo uses the well-known SYN flood DDoS attack. The script used in the infection process closely matches the one used by the Xor.DDoS family, with the DelService and AddService functions adopted from it.

The attackers' primary method is to try combinations of common usernames and passwords, as in brute-force and dictionary attacks. The team at Sophos has advised all sysadmins who run SSH servers, including those responsible for SSH on embedded and mobile devices, to change their passwords as soon as possible, since the bot attempts to log in by flooding the machine with default and publicly known passwords.

Also, wherever possible, admins are urged to use SSH keys for login. One last thing to keep in mind is to ensure that the machine is always updated and has all security patches installed. Sophos endpoint and server protection categorizes these bots as Linux/Chalubo-*.
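The two paragraphs above describe the password-guessing entry point and the recommended fixes (no password logins, keys instead). The following Python script is an added example written for this article, not code from Sophos or from the Chalubo analysis. It does two things a sysadmin can run today: it counts failed SSH password attempts per source address in sshd log lines and flags sources that exceed a threshold, and it audits an sshd_config for the settings that block exactly this attack. The log lines, the IP addresses and both config fragments are constructed for the example; the log format follows OpenSSH's usual syslog output, and the audit applies OpenSSH's rule that the first occurrence of a keyword wins.

```python
import re
from collections import Counter, defaultdict

# Constructed sample sshd log lines (not real traffic). The first source
# cycles through typical default accounts before a password login succeeds.
SAMPLE_AUTH_LOG = """\
Oct 22 10:01:02 host sshd[2101]: Failed password for root from 203.0.113.7 port 50213 ssh2
Oct 22 10:01:04 host sshd[2101]: Failed password for root from 203.0.113.7 port 50214 ssh2
Oct 22 10:01:05 host sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 50215 ssh2
Oct 22 10:01:07 host sshd[2105]: Failed password for invalid user pi from 203.0.113.7 port 50216 ssh2
Oct 22 10:01:09 host sshd[2107]: Failed password for invalid user ubnt from 203.0.113.7 port 50217 ssh2
Oct 22 10:01:11 host sshd[2109]: Accepted password for root from 203.0.113.7 port 50218 ssh2
Oct 22 10:05:00 host sshd[2200]: Failed password for alice from 198.51.100.4 port 40001 ssh2
Oct 22 10:05:30 host sshd[2201]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)
# Only password logins are of interest here; key-based logins are not matched.
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted password for (?P<user>\S+) from (?P<ip>\S+)"
)


def analyse_auth_log(text, threshold=5):
    """Return sources with >= threshold failed password attempts, plus any
    password login that succeeded from a source that had already failed."""
    failures = Counter()
    users_tried = defaultdict(set)
    accepted_after_failures = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m["ip"]] += 1
            users_tried[m["ip"]].add(m["user"])
            continue
        m = ACCEPTED_RE.search(line)
        if m and failures[m["ip"]] > 0:
            accepted_after_failures.append((m["ip"], m["user"]))
    suspects = {
        ip: {"failures": n, "users": sorted(users_tried[ip])}
        for ip, n in failures.items() if n >= threshold
    }
    return {"suspects": suspects,
            "password_login_after_failures": accepted_after_failures}


# Effective defaults in current OpenSSH when a keyword is absent.
SSHD_DEFAULTS = {
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
}
# Values that block password guessing while keeping key logins working.
SSHD_ALLOWED = {
    "passwordauthentication": {"no"},
    "permitrootlogin": {"no", "prohibit-password"},
    "pubkeyauthentication": {"yes"},
}


def audit_sshd_config(text):
    """Return [(keyword, effective_value, allowed_values)] for every setting
    that still allows password logins. Match blocks are not evaluated."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            # sshd honours the first occurrence of a keyword, so do not overwrite.
            settings.setdefault(parts[0].lower(), parts[1].strip().lower())
    findings = []
    for key, allowed in SSHD_ALLOWED.items():
        effective = settings.get(key, SSHD_DEFAULTS[key])
        if effective not in allowed:
            findings.append((key, effective, sorted(allowed)))
    return findings


# Constructed config fragments: the weak one is what an exposed IoT box or
# freshly installed server often ships with; the hardened one is the fix.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""
HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin prohibit-password
PasswordAuthentication no
PubkeyAuthentication yes
"""

if __name__ == "__main__":
    print(analyse_auth_log(SAMPLE_AUTH_LOG))
    print("weak:", audit_sshd_config(WEAK_SSHD_CONFIG))
    print("hardened:", audit_sshd_config(HARDENED_SSHD_CONFIG))
```

On a real host, feed the script the output of `journalctl -u ssh` or `/var/log/auth.log` and your own `/etc/ssh/sshd_config`; a source that tries root, admin, pi and ubnt in a few seconds is the credential-stuffing pattern described above, and a successful password login from such a source is worth an immediate password reset on that account.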

Refer to the Sophos blog post for the inner workings of this malware.


Anurag Chawake. Opinions expressed by TechSutram contributors are their own.

