Attackers use brute-force SSH attacks to compromise targets

Oct 23, 2018 17:56 GMT

A newly discovered Linux malware strain has been observed attacking and infecting an SSH server honeypot with a new Denial of Service (DoS) bot dubbed Chalubo, which its operators use to perform large-scale Distributed Denial of Service (DDoS) attacks.

As Sophos's Timothy Easton discovered, the actors behind the Chalubo bot reuse code from both the Xor.DDoS and Mirai malware families, and they encrypt the bot with the ChaCha stream cipher.

This type of obfuscation technique is designed to obstruct analysis, a common trait of malware developed for the Windows platform but very rarely seen when it comes to Linux malicious tools.

Sophos initially observed the Chalubo botnet in action at the end of August 2018, when the attackers were using a three-component propagation method (a downloader, the bot, and a command script); by October the DDoS bot was propagating itself via the Elknot dropper, which downloads the Chalubo payload.

Moreover, while at the start of the campaign Chalubo's authors designed it to target only x86 platforms, by October the botnet had already evolved to infiltrate and compromise 32- and 64-bit ARM, x86, x86_64, MIPS, MIPSEL, and PowerPC architectures.

The Chalubo bot is continuously updated with new features and support for new architectures

"We recorded the attack on the 6th of September 2018 with the bot attempting to brute force login credentials against an SSH server; our honeypots present the attacker with the appearance of a real shell that accepts a wide range of credentials," said Sophos. "The attackers used the combination of root:admin to gain a shell…or at least, that’s what they thought."

Once the SSH server is compromised, the dropper script downloads the Chalubo ELF binary payload, which it then decrypts using its ChaCha decryption module.

Subsequently, the payload is unpacked with LZMA and launched via execve, leaving the server ready to receive the commands that make it part of the DDoS botnet.

Given that the actors behind Chalubo brute-force their way into SSH servers using default username/password combinations, the easiest way to protect your machines is to replace default passwords with custom ones or, where possible, to use SSH keys instead of passwords.
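The brute-force behaviour described above leaves a characteristic trace in the SSH daemon's log: a burst of failed password logins from one source, sometimes followed by an accepted password login for the same account. The detector below is an added example, not code from the article or from Sophos; it assumes the standard OpenSSH syslog line format, and the log lines it scans are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of OpenSSH auth log lines (not taken from the article).
SAMPLE_LOG = """\
Sep  6 10:15:01 honeypot sshd[2101]: Failed password for root from 198.51.100.7 port 40122 ssh2
Sep  6 10:15:02 honeypot sshd[2103]: Failed password for root from 198.51.100.7 port 40124 ssh2
Sep  6 10:15:02 honeypot sshd[2105]: Failed password for invalid user pi from 198.51.100.7 port 40126 ssh2
Sep  6 10:15:03 honeypot sshd[2107]: Failed password for root from 198.51.100.7 port 40128 ssh2
Sep  6 10:15:04 honeypot sshd[2109]: Accepted password for root from 198.51.100.7 port 40130 ssh2
Sep  6 10:20:00 honeypot sshd[2200]: Failed password for alice from 203.0.113.9 port 51000 ssh2
Sep  6 10:21:00 honeypot sshd[2202]: Accepted publickey for alice from 203.0.113.9 port 51002 ssh2
"""

# Matches the standard OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def parse(log_text, year=2018):
    """Return (timestamp, result, method, user, ip) tuples; syslog lines carry no year, so one is assumed."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["method"], m["user"], m["ip"]))
    return events

def find_bruteforce(events, threshold=3, window_seconds=60):
    """Flag source IPs with >= threshold failed logins inside a sliding window.
    If a flagged IP then logs in with a password, mark it as a likely compromise."""
    failures = defaultdict(list)
    alerts = {}
    for ts, result, method, user, ip in events:
        if result == "Failed":
            failures[ip] = [t for t in failures[ip] if (ts - t).total_seconds() <= window_seconds]
            failures[ip].append(ts)
            if len(failures[ip]) >= threshold:
                entry = alerts.setdefault(ip, {"failures": 0, "compromised": False})
                entry["failures"] = max(entry["failures"], len(failures[ip]))
        elif result == "Accepted" and method == "password" and ip in alerts:
            alerts[ip]["compromised"] = True   # password guess succeeded after the burst
            alerts[ip]["user"] = user
    return alerts

if __name__ == "__main__":
    for ip, info in find_bruteforce(parse(SAMPLE_LOG)).items():
        print(ip, info)
```

On the sample, 198.51.100.7 is flagged with four failures in a few seconds and marked compromised because the following accepted login for root used a password; the single failure from 203.0.113.9 followed by a public-key login is not flagged.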