Pierluigi Paganini October 24, 2018

Security experts from Sophos Labs have spotted a new piece of IoT malware tracked as Chalubo that is attempting to recruit devices into a botnet used to launch DDoS attacks.

Security experts from Sophos Labs have spotted a new piece of Linux malware tracked as Chalubo (ChaCha-Lua-bot) that is targeting IoT devices in an attempt to recruit them into a botnet used to launch DDoS attacks.

The new IoT malware borrows code from the Xor.DDoS and Mirai bots, it also implements fresh evasion techniques, for example, the authors have encrypted both the main component and its corresponding Lua script using the ChaCha stream cipher.

“Since early September, SophosLabs has been monitoring an increasingly prolific attack targeting Internet-facing SSH servers on Linux-based systems that has been dropping a newly-discovered family of denial-of-service bots we’re calling Chalubo.” reads the analysis from Sophos Labs.

“The attackers encrypt both the main bot component and its corresponding Lua script using the ChaCha stream cipher.”

The malware was first spotted in late August, at the time operators were issuing commands to instruct devices into downloading a malicious code that was composed of three components, a downloader, the main bot, and the Lua command script. The attackers were using brute-force attacks (using the root:admin credential) on SSH servers to distribute the malware.

“These types of simple attacks on our honeypots are quite common, but what made this stand out was the libsdes sample.” continues the analysis.

“This bot demonstrates increased complexity compared to the standard Linux bots we typically see delivered from these types of attacks. Not only are the attackers using a layered approach to dropping malicious components, but the encryption used isn’t one that we typically see with Linux malware.”

The IoT malware ran only on systems with an x86 architecture.

Starting from the mid-October, operators have been issuing commands that retrieve the Elknot dropper that is used to delivers the remaining part of the Chalubo (ChaCha-Lua-bot) package.

The most important novelty is represented by the discovery of a variety of bot versions, designed to target different architectures, including 32-bit and 64-bit ARM, x86, x86_64, MIPS, MIPSEL, and PowerPC.

This circumstance leads into believing that the attackers were testing the bot in August and now are expanding the list of potential targets in the current campaign.

Experts noticed that the downloader would also drop a script, in the same way, the  Xor.DDoS bot family does, likely authors borrowed the code from the old threat. Attackers also copied a few code snippets from the infamous Mirai bot, such as some of the randomizing functions and an extended form of the util_local_addr function.

Researchers noticed that the majority of code in bot is new, the authors focused on their own Lua handling for launching DoS attacks with DNS, UDP, and SYN flavours.

The bot’s Lua script first connects the command and control (C&C) server to provide details on the infected machine and to receive further instructions. The script would also download, decrypt, and execute whatever Lua script it finds.

To mitigate the threat, experts recommend that sysadmins of SSH servers, including IoT devices, change any default passwords on those systems.

Further details, including IoCs are reported in the analysis published by Sophos.

Pierluigi Paganini

(Security Affairs – Chalubo, IoT botnet)

[adrotate banner=”5″]

[adrotate banner=”13″]