October 29, 2018 By Shane Schick 2 min read

Researchers observed a family of bots dubbed Chalubo launching distributed denial-of-service (DDoS) attacks to conduct brute-force entry against Linux-based systems running internet-facing SSH servers.

The Chalubo botnet, which incorporates malware such as Xor.DDoS and Mirai, was first discovered in early September. Security researchers used a honeypot server that was designed to appear vulnerable to distributed denial-of-service (DDoS) attacks and other threats to capture information about the botnet. Chalubo’s components include a downloader, a Lua command script and the main bot, which was optimized for hardware running Intel x86 processors.

Much like Windows malware, the authors have adopted anti-analysis techniques, such as using the ChaCha stream cipher for encrypting both the Lua script and the main bot. Over the past few weeks, Chalubo’s creators have also turned to the Elknot dropper to release the full malware family, and the researchers noted that the bots can now run on a variety of other central processing unit (CPU) architectures, which could suggest that the botnet will become more pervasive in the near future.

Chalubo Steals Threat Tactics From Other Malware

Linux-based systems have been targeted by cybercriminals before, but researchers said the use of the ChaCha stream, as well as its more sophisticated approach to releasing bots one layer at a time, is unusual.

In other respects, the threat actors behind the denial-of-service attacks may be trying to steal best practices from their predecessors. The researchers noted that certain functions that allow the Xor.DDoS family to achieve persistence were copied in the Chalubo code, for example. Similarly, code from Mirai had been copied to the main Chalubo bot.

How to Harden IT Environments Against Distributed Denial-of-Service Attacks

Denial-of-service attacks can cripple website performance and bring other areas of enterprise IT to a grinding halt, so if Chalubo was found via a honeypot, its creators are likely aiming for real targets, too.

To harden their IT environments against DDoS attacks, IBM experts suggest taking a layered approach to enforcing security policies with next-generation firewalls. This strategy enables security teams to identify DDoS activity at a particular network, application or session. As threats against Linux-based systems become more complex, chief information security officers (CISOs) should think about how they can become more granular in how they define and customize security rules based on network traffic patterns that emerge.

Finally, organizations should keep applications and operating systems running at the most up-to-date patch level, ensure that antivirus software and associated files are current, and monitor the environment for the indicators of compromise (IoCs) listed in the IBM X-Force Exchange threat advisory.

Source: Sophos Labs

More from

Black Friday chaos: The return of Gozi malware

4 min read - On November 29th, 2024, Black Friday, shoppers flooded online stores to grab the best deals of the year. But while consumers were busy filling their carts, cyber criminals were also seizing the opportunity to exploit the shopping frenzy. Our system detected a significant surge in Gozi malware activity, targeting financial institutions across North America. The Black Friday connection Black Friday creates an ideal environment for cyber criminals to thrive. The combination of skyrocketing transaction volumes, a surge in online activity…

Cloud Threat Landscape Report: AI-generated attacks low for the cloud

2 min read - For the last couple of years, a lot of attention has been placed on the evolutionary state of artificial intelligence (AI) technology and its impact on cybersecurity. In many industries, the risks associated with AI-generated attacks are still present and concerning, especially with the global average of data breach costs increasing by 10% from last year.However, according to the most recent Cloud Threat Landscape Report released by IBM’s X-Force team, the near-term threat of an AI-generated attack targeting cloud computing…

Testing the limits of generative AI: How red teaming exposes vulnerabilities in AI models

4 min read - With generative artificial intelligence (gen AI) on the frontlines of information security, red teams play an essential role in identifying vulnerabilities that others can overlook.With the average cost of a data breach reaching an all-time high of $4.88 million in 2024, businesses need to know exactly where their vulnerabilities lie. Given the remarkable pace at which they’re adopting gen AI, there’s a good chance that some of those vulnerabilities lie in AI models themselves — or the data used to…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today