Chalubo Botnet Can DDoS From Your Server Or IoT Device
Since early September, SophosLabs has been monitoring an increasingly prolific attack targeting Internet-facing SSH servers on Linux-based systems that has been dropping a newly-discovered family of denial-of-service bots called Chalubo.
The attackers encrypt both the main bot component and its corresponding Lua script using the ChaCha stream cipher. This adoption of anti-analysis techniques demonstrates an evolution in Linux malware, as the authors have adopted principles more common to Windows malware in an effort to thwart detection. Like some of its predecessors, Chalubo incorporates code from the Xor.DDoS and Mirai malware families.
When Chalubo downloaders started circulating in late August, the attacker issued commands on the victim's device to retrieve the malware, which actually consisted of three components: a downloader; the main bot (which ran only on systems with an x86 processor architecture); and the Lua command script. As of mid-October, the attacker has been issuing commands that retrieve the Elknot dropper (detected as Linux/DDoS-AZ), which in turn delivers the rest of the Chalubo (ChaCha-Lua-bot) package.
In addition, we now see a variety of bot versions that run on different processor architectures, including both 32- and 64-bit ARM, x86, x86_64, MIPS, MIPSEL, and PowerPC. This may indicate the end of a testing period, and we may see an uptick in activity from this new family.
Attacks began in late August, and one assault registered at a Sophos honeypot on September 6th 2018 gave its researchers an insight into the new bot's capabilities.
Because the botnet appears to be reaching the end of a testing phase, Sophos expects more widespread attacks from it in the future.
Further information
Downloader URL
hxxp://117.21.191.108:8694/libsdes
Bot payload URLs
C2 URI

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.