October 29, 2018 By Shane Schick 2 min read

Researchers observed a family of bots dubbed Chalubo launching distributed denial-of-service (DDoS) attacks to conduct brute-force entry against Linux-based systems running internet-facing SSH servers.

The Chalubo botnet, which incorporates malware such as Xor.DDoS and Mirai, was first discovered in early September. Security researchers used a honeypot server that was designed to appear vulnerable to distributed denial-of-service (DDoS) attacks and other threats to capture information about the botnet. Chalubo’s components include a downloader, a Lua command script and the main bot, which was optimized for hardware running Intel x86 processors.

Much like Windows malware, the authors have adopted anti-analysis techniques, such as using the ChaCha stream cipher for encrypting both the Lua script and the main bot. Over the past few weeks, Chalubo’s creators have also turned to the Elknot dropper to release the full malware family, and the researchers noted that the bots can now run on a variety of other central processing unit (CPU) architectures, which could suggest that the botnet will become more pervasive in the near future.

Chalubo Steals Threat Tactics From Other Malware

Linux-based systems have been targeted by cybercriminals before, but researchers said the use of the ChaCha stream, as well as its more sophisticated approach to releasing bots one layer at a time, is unusual.

In other respects, the threat actors behind the denial-of-service attacks may be trying to steal best practices from their predecessors. The researchers noted that certain functions that allow the Xor.DDoS family to achieve persistence were copied in the Chalubo code, for example. Similarly, code from Mirai had been copied to the main Chalubo bot.

How to Harden IT Environments Against Distributed Denial-of-Service Attacks

Denial-of-service attacks can cripple website performance and bring other areas of enterprise IT to a grinding halt, so if Chalubo was found via a honeypot, its creators are likely aiming for real targets, too.

To harden their IT environments against DDoS attacks, IBM experts suggest taking a layered approach to enforcing security policies with next-generation firewalls. This strategy enables security teams to identify DDoS activity at a particular network, application or session. As threats against Linux-based systems become more complex, chief information security officers (CISOs) should think about how they can become more granular in how they define and customize security rules based on network traffic patterns that emerge.

Finally, organizations should keep applications and operating systems running at the most up-to-date patch level, ensure that antivirus software and associated files are current, and monitor the environment for the indicators of compromise (IoCs) listed in the IBM X-Force Exchange threat advisory.

Source: Sophos Labs

More from

Change Healthcare discloses $22M ransomware payment

3 min read - UnitedHealth Group CEO Andrew Witty found himself answering questions in front of Congress on May 1 regarding the Change Healthcare ransomware attack that occurred in February. During the hearing, he admitted that his organization paid the attacker's ransomware request. It has been reported that the hacker organization BlackCat, also known as ALPHV, received a payment of $22 million via Bitcoin.Even though they made the ransomware payment, Witty shared that Change Healthcare did not get its data back. This is a…

Phishing kit trends and the top 10 spoofed brands of 2023

4 min read -  The 2024 IBM X-Force Threat Intelligence Index reported that phishing was one of the top initial access vectors observed last year, accounting for 30% of incidents. To carry out their phishing campaigns, attackers often use phishing kits: a collection of tools, resources and scripts that are designed and assembled to ease deployment. Each phishing kit deployment corresponds to a single phishing attack, and a kit could be redeployed many times during a phishing campaign. IBM X-Force has analyzed thousands of…

How I got started: AI security researcher

4 min read - For the enterprise, there’s no escape from deploying AI in some form. Careers focused on AI are proliferating, but one you may not be familiar with is AI security researcher. These AI specialists are cybersecurity professionals who focus on the unique vulnerabilities and threats that arise from the use of AI and machine learning (ML) systems. Their responsibilities vary, but key roles include identifying and analyzing potential security flaws in AI models and developing and testing methods malicious actors could…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today