Researchers observed a family of bots dubbed Chalubo launching distributed denial-of-service (DDoS) attacks to conduct brute-force entry against Linux-based systems running internet-facing SSH servers.

The Chalubo botnet, which incorporates malware such as Xor.DDoS and Mirai, was first discovered in early September. Security researchers used a honeypot server that was designed to appear vulnerable to distributed denial-of-service (DDoS) attacks and other threats to capture information about the botnet. Chalubo’s components include a downloader, a Lua command script and the main bot, which was optimized for hardware running Intel x86 processors.

Much like Windows malware, the authors have adopted anti-analysis techniques, such as using the ChaCha stream cipher for encrypting both the Lua script and the main bot. Over the past few weeks, Chalubo’s creators have also turned to the Elknot dropper to release the full malware family, and the researchers noted that the bots can now run on a variety of other central processing unit (CPU) architectures, which could suggest that the botnet will become more pervasive in the near future.

Chalubo Steals Threat Tactics From Other Malware

Linux-based systems have been targeted by cybercriminals before, but researchers said the use of the ChaCha stream, as well as its more sophisticated approach to releasing bots one layer at a time, is unusual.

In other respects, the threat actors behind the denial-of-service attacks may be trying to steal best practices from their predecessors. The researchers noted that certain functions that allow the Xor.DDoS family to achieve persistence were copied in the Chalubo code, for example. Similarly, code from Mirai had been copied to the main Chalubo bot.

How to Harden IT Environments Against Distributed Denial-of-Service Attacks

Denial-of-service attacks can cripple website performance and bring other areas of enterprise IT to a grinding halt, so if Chalubo was found via a honeypot, its creators are likely aiming for real targets, too.

To harden their IT environments against DDoS attacks, IBM experts suggest taking a layered approach to enforcing security policies with next-generation firewalls. This strategy enables security teams to identify DDoS activity at a particular network, application or session. As threats against Linux-based systems become more complex, chief information security officers (CISOs) should think about how they can become more granular in how they define and customize security rules based on network traffic patterns that emerge.

Finally, organizations should keep applications and operating systems running at the most up-to-date patch level, ensure that antivirus software and associated files are current, and monitor the environment for the indicators of compromise (IoCs) listed in the IBM X-Force Exchange threat advisory.

Source: Sophos Labs