Botnets have been growing and are very common, and SophosLabs has discovered a new family of denial-of-service (DoS) bots that are used in distributed denial-of-service (DDoS) attacks. The family, dubbed Chalubo, has been used in several attacks that specifically target internet-facing SSH servers on Linux-based systems, according to SophosLabs.
The attackers encrypt the bot and its Lua script using the ChaCha stream cipher, which the researchers reported is an indication of Linux malware evolution. These anti-analysis techniques follow principles better known from Windows malware, where they are used to thwart detection, though Chalubo also incorporates code from both the Xor DDoS and Mirai malware families.
The Chalubo family attacked a SophosLabs honeypot on September 6, 2018, when the researchers noted that the bot was attempting to brute-force login credentials against an SSH server. After gaining access, the attackers issued a series of commands that revealed the bot’s complexity: it drops its malicious components using a layered approach, with encryption that is not typical for Linux malware.
When it was first analyzed, the malware had three main components: a downloader, the main bot and the Lua command script. Since its detection, the attackers have added commands that “retrieve the Elknot dropper (detected as Linux/DDoS-AZ), which then delivers the rest of the Chalubo (ChaCha-Lua-Bot) package,” according to SophosNews.
“In addition, we now see a variety of bot versions that run on different processor architectures, including both 32- and 64-bit ARM, x86, x86_64, MIPS, MIPSEL, and PowerPC. This may indicate the end of a testing period, and we may see an uptick in activity from this new family.”
In related news, NETSCOUT has also discovered botnet propagation in which attackers brute-force factory default usernames and passwords to launch DDoS attacks across the internet of things (IoT).