A newly discovered Linux malware strain has been observed attacking and infecting an SSH server honeypot with a new Denial of Service (DoS) bot dubbed Chalubo, which the bad actors use to perform large-scale Distributed Denial of Service (DDoS) attacks.
As Sophos's Timothy Easton discovered, the actors behind the Chalubo bot use code from both the Xor.DDoS and Mirai malware families, and they encrypt the bot with the help of the ChaCha stream cipher.
This type of obfuscation technique is designed to obstruct analysis, a common trait of malware developed for the Windows platform but very rarely seen in Linux malicious tools.
Sophos initially observed the Chalubo botnet in action at the end of August 2018, when the attackers were using a three-component propagation method (i.e., a downloader, the bot, and a command script), while in October the DDoS bot was propagating itself using the Elknot dropper, which downloads the Chalubo payload.
Moreover, while at the start of the attack Chalubo's authors designed it to target only x86 platforms, by October the botnet had already evolved to infiltrate and compromise 32- and 64-bit ARM, x86, x86_64, MIPS, MIPSEL, and PowerPC architectures. The Chalubo bot is continuously updated with new features and support for new architectures.
"We recorded the attack on the 6th of September 2018 with the bot attempting to brute force login credentials against an SSH server; our honeypots present the attacker with the appearance of a real shell that accepts a wide range of credentials," said Sophos. "The attackers used the combination of root:admin to gain a shell…or at least, that's what they thought."
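The honeypot saw a burst of failed SSH logins followed by an accepted password for root. Outside a honeypot, that same sequence in sshd's auth log is the signal a defender wants to catch. The following is an added example, not code from the article or from Sophos: it parses constructed auth.log lines (the IPs, usernames and timestamps are made up), flags any source address with five or more failures inside a sixty-second sliding window, and then reports any successful login from a flagged address, which is the "brute force, then success" pattern described above.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log lines for illustration (not from the article
# or the Sophos honeypot). 203.0.113.5 brute forces and then gets in as root;
# 198.51.100.7 is a normal user with a single typo.
SAMPLE_LOG = """\
Sep  6 10:12:01 host sshd[2101]: Failed password for root from 203.0.113.5 port 51022 ssh2
Sep  6 10:12:02 host sshd[2102]: Failed password for root from 203.0.113.5 port 51023 ssh2
Sep  6 10:12:03 host sshd[2103]: Failed password for admin from 203.0.113.5 port 51024 ssh2
Sep  6 10:12:04 host sshd[2104]: Failed password for invalid user pi from 203.0.113.5 port 51025 ssh2
Sep  6 10:12:05 host sshd[2105]: Failed password for root from 203.0.113.5 port 51026 ssh2
Sep  6 10:12:06 host sshd[2106]: Accepted password for root from 203.0.113.5 port 51027 ssh2
Sep  6 10:30:00 host sshd[2201]: Accepted publickey for alice from 198.51.100.7 port 40001 ssh2
Sep  6 10:31:00 host sshd[2202]: Failed password for alice from 198.51.100.7 port 40002 ssh2
"""

# Matches the standard OpenSSH "Accepted/Failed <method> for [invalid user] <user> from <ip>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse(log_text):
    """Return a list of dicts (ts, result, method, user, ip) for the lines that match."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def to_ts(s):
    # syslog timestamps carry no year; only differences matter here, so the
    # default year strptime fills in is harmless.
    return datetime.strptime(s, "%b %d %H:%M:%S")


def find_brute_force(events, threshold=5, window_s=60):
    """Return {ip: total_failures} for every source IP that produced at least
    `threshold` failed logins inside any `window_s`-second sliding window."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            failures[e["ip"]].append(to_ts(e["ts"]))
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # shrink the window from the left until it spans <= window_s seconds
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


def find_compromises(events, flagged):
    """Successful logins from an IP that was already flagged for brute forcing:
    the honeypot's "root:admin accepted after guessing" pattern."""
    return [
        (e["ip"], e["user"], e["method"])
        for e in events
        if e["result"] == "Accepted" and e["ip"] in flagged
    ]


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    bf = find_brute_force(evts)
    print("brute-force sources:", bf)
    print("successful logins from those sources:", find_compromises(evts, bf))
```

The threshold and window are tunable; a real deployment would feed the parser from journald or `/var/log/auth.log` and alert on the `find_compromises` result, since a success after a burst of failures is far more urgent than the burst itself.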
Once the SSH server is compromised, the dropper script will download the Chalubo ELF binary payload which it decrypts using the ChaCha decryption module.
Subsequently, the payload is unpacked with the help of LZMA and executed via execve, preparing the server to receive commands that make it part of the DDoS botnet.
Given that the actors behind Chalubo use default user/password combinations to brute-force their way into SSH servers, the easiest way of protecting your machines is to change their default passwords to custom ones or, if possible, to use SSH keys instead.
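Changing default passwords and moving to keys is the advice; the companion step is making sure sshd is not still accepting password logins for root. The following is an added example, not code from the article: it parses two constructed `sshd_config` fragments (a weak one and a hardened one, both made up here) and lists the settings that leave a server exposed to the kind of credential guessing Chalubo relies on. It follows sshd's own rule that the first value read for a keyword wins, and it stops at the first `Match` block since options there are conditional.

```python
import re

# Constructed sshd_config fragments for illustration (not from the article).
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
AllowUsers deploy ops
"""

# OpenSSH defaults for the keywords we audit (used when a keyword is absent).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "maxauthtries": "6",
}


def parse_sshd_config(text):
    """Return the effective top-level options as {lowercase_keyword: value}.

    sshd uses the first value it reads for each keyword, so earlier lines
    win (setdefault). Keyword/value may be separated by whitespace or '='.
    Everything after the first 'Match' line is conditional and skipped."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        opts.setdefault(key, value)
    return opts


def audit(opts):
    """Return a list of human-readable findings for weak SSH settings."""
    findings = []
    get = lambda k: opts.get(k, DEFAULTS.get(k, "")).lower()

    if get("permitrootlogin") == "yes":
        findings.append("PermitRootLogin yes: root accepts password logins; set no or prohibit-password")
    if get("passwordauthentication") == "yes":
        findings.append("PasswordAuthentication yes: credentials can be guessed; use keys and set no")
    if get("pubkeyauthentication") == "no":
        findings.append("PubkeyAuthentication no: key-based login is disabled")
    try:
        tries = int(get("maxauthtries"))
    except ValueError:
        tries = int(DEFAULTS["maxauthtries"])
    if tries > 3:
        findings.append(f"MaxAuthTries {tries}: many guesses per connection; lower it")
    if "allowusers" not in opts and "allowgroups" not in opts:
        findings.append("No AllowUsers/AllowGroups: every local account is reachable over SSH")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for f in audit(parse_sshd_config(cfg)) or ["no findings"]:
            print(" -", f)
```

Run it against `/etc/ssh/sshd_config` by reading the file into `parse_sshd_config`; note that distributions often ship an `Include /etc/ssh/sshd_config.d/*.conf` line, whose files would also need to be read, in order, for the first-value-wins rule to hold.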