Botnets have been growing more prevalent, and SophosLabs has discovered a new family of denial-of-service (DoS) bots used in distributed denial-of-service (DDoS) attacks. The family, dubbed Chalubo, has been used in attacks targeting internet-facing SSH servers on Linux-based systems, according to SophosLabs.
The attackers use the ChaCha stream cipher to encrypt both the bot and its Lua script, which researchers said signals an evolution in Linux malware. Such anti-analysis techniques are more commonly used to thwart detection in Windows malware, though Chalubo also incorporates code from both the Xor DDoS and Mirai malware families.
The Chalubo family attacked a SophosLabs honeypot on September 6, 2018; at that time researchers observed the bot attempting to brute-force login credentials against an SSH server. After gaining what they believed was access, the attackers issued a series of commands that revealed the bot’s complexity, dropping malicious components in a layered approach and using encryption not typical for Linux malware.
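As an added illustration (not from SophosLabs or this article), the following Python reads sshd authentication log lines and flags the pattern the honeypot observed: repeated failed password logins from one source, followed by a successful password login from that same source. The log lines, hostname and IP addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not from the article); IPs are documentation ranges.
SAMPLE_LOG = """\
Sep  6 10:01:02 honeypot sshd[1201]: Failed password for root from 192.0.2.10 port 51122 ssh2
Sep  6 10:01:03 honeypot sshd[1201]: Failed password for root from 192.0.2.10 port 51123 ssh2
Sep  6 10:01:04 honeypot sshd[1201]: Failed password for invalid user admin from 192.0.2.10 port 51124 ssh2
Sep  6 10:01:05 honeypot sshd[1201]: Failed password for invalid user admin from 192.0.2.10 port 51125 ssh2
Sep  6 10:01:06 honeypot sshd[1201]: Failed password for root from 192.0.2.10 port 51126 ssh2
Sep  6 10:01:07 honeypot sshd[1201]: Accepted password for root from 192.0.2.10 port 51127 ssh2
Sep  6 10:02:00 honeypot sshd[1300]: Accepted publickey for deploy from 198.51.100.5 port 40000 ssh2
Sep  6 10:03:00 honeypot sshd[1301]: Failed password for root from 203.0.113.7 port 60000 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ..." (and the Accepted variants).
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

def analyse(log_text, threshold=5):
    """Return (failed-password counts per source IP, list of alerts).

    A "brute_force" alert fires when a source reaches `threshold` failed
    password attempts; a "brute_force_success" alert fires if that same
    source then logs in with a password, the trace a successful brute
    force leaves behind. Key-based logins are ignored.
    """
    failures = defaultdict(int)
    users_tried = defaultdict(set)
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["method"] != "password":
            continue
        ip, user = m["ip"], m["user"]
        if m["result"] == "Failed":
            failures[ip] += 1
            users_tried[ip].add(user)
            if failures[ip] == threshold:
                alerts.append(("brute_force", ip, sorted(users_tried[ip])))
        elif failures[ip] >= threshold:  # Accepted password after the threshold
            alerts.append(("brute_force_success", ip, user))
    return failures, alerts
```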
When it was initially analyzed, the malware had three components: a downloader, the main bot and the Lua command script. Since its detection, attackers have added commands that “retrieve the Elknot dropper (detected as Linux/DDoS-AZ), which in turn delivers the rest of the Chalubo (ChaCha-Lua-bot) package,” according to Sophos News.
“In addition, we now see a variety of bot versions that run on different processor architectures, including both 32- and 64-bit ARM, x86, x86_64, MIPS, MIPSEL, and PowerPC. This may indicate the end of a testing period, and we may see an uptick in activity from this new family.”
In related news, NETSCOUT also discovered a botnet propagation in which attackers are brute-forcing factory default usernames and passwords to launch DDoS attacks across the internet of things (IoT).
Throughout September, researchers observed 1,065 unique username and password combinations from 129 countries. Interrogating the botnets revealed that 1,005 of those combinations were beyond the ones on Mirai’s default list. The combinations were used indiscriminately across IoT devices. A further key finding of the research was that “attacks from bots using specific manufacturer default passwords are often perpetrated from similarly compromised devices,” NETSCOUT wrote.