The Chalubo trojan destroyed over 600,000 SOHO routers from a single ISP, researchers from Lumen Technologies reported. <\/h2>\n\n\n\n
Between October 25 and October 27, 2023, the Chalubo<\/a> malware destroyed more than 600,000 small office\/home office (SOHO) routers belonging to the same ISP.<\/p>\n\n\n\n
Black Lotus did not name the impacted ISP, however, Bleeping Computer speculates<\/a> the attack is linked to the Windstream outage that occurred during the same timeframe.
Chalubo<\/a> (ChaCha-Lua-bot) is a Linux malware that was first spotted<\/a> in late August 2018 by Sophos Labs while targeting IoT devices. Threat actors aimed at creating a botnet used to launch DDoS attacks.<\/p>\n\n\n\n
The malware borrows code from\u00a0the\u00a0Xor.DDoS<\/a>\u00a0and\u00a0Mirai<\/a>\u00a0bots, it also implements fresh evasion techniques, such as encrypting both the main component and its corresponding Lua script using the ChaCha stream cipher.
“Our analysis\u00a0revealed\u00a0that\u00a0one\u00a0specific\u00a0ASN\u00a0had a drop of\u00a0roughly 49%\u00a0in the number of devices exposed to the internet.” reads the analysis<\/strong><\/a> published by Lumen. “We\u00a0compared the banner hashes that were present on this\u00a0ASN on October 27,\u00a0to the banner hashes present on October 28th\u00a0and\u00a0observed\u00a0a drop of ~179k IP addresses that had an\u00a0ActionTec\u00a0banner.\u00a0This included\u00a0a drop of ~480k devices associated with\u00a0Sagemcom,\u00a0likely the\u00a0Sagemcom\u00a0F5380 as\u00a0both this model and\u00a0the\u00a0ActionTec\u00a0modems were both\u00a0modems issued by the ISP.”<\/em>
![\"Chalubo](\"https:\/\/i0.wp.com\/securityaffairs.com\/wp-content\/uploads\/2024\/05\/image-42.png?ssl=1\")
<\/a><\/figure>\n\n\n\nThe researchers did not discover an exploit used for initial access, they speculate threat actor likely used weak credentials or exploited an exposed administrative interface.<\/p>\n\n\n\n
The first-stage payload is a bash script (“get_scrpc”) that fetches a second script called “get_strtriiush.” get_strtriiush retrieves and executes the primary bot payload, “Chalubo” (“mips.elf”). Chalubo runs in the memory of the targeted device and wipes all files from the disk. It also changes the process name after its execution to avoid detection. <\/p>\n\n\n\n
The researchers noticed that the newer version of the malware does not maintain persistence on the infected devices.<\/p>\n\n\n\n
Between September and November 2023, the research discovered that there were about 45 malware panels exposed on the internet. While 28 of the panels interacted with 10 or fewer bots, the top ten panels interacted with anywhere between ~13,500 to ~117,000 unique IP addresses over a 30-day timeframe. The analysis of the telemetry associated with those IP addresses revealed that over 650K unique IP addresses had contact with at least one controller over a 30-day period ending on November 3. <\/p>\n\n\n\n
95% of the bots communicated with only one control panel a circumstance that suggests the entity behind these operations had distinct silos of operations.<\/p>\n\n\n\n
“The event was unprecedented due to the number of units affected \u2013 no attack that we can recall has required the replacement of over 600,000 devices. In addition, this type of attack has only ever happened once before, with AcidRain<\/a> used as a precursor to an active military invasion.” concludes the report. “At this time, we do not assess this to be the work of a nation-state or state-sponsored entity. In fact, we have not observed any overlap with known destructive activity clusters; particularly those prone to destructive events such as Volt Typhoon<\/a>, or SeaShell Blizzard.\u00a0The second unique aspect is that this campaign was confined to a particular ASN.”
Follow me on Twitter:\u00a0@securityaffairs<\/strong><\/a>\u00a0and\u00a0Facebook<\/strong><\/a>\u00a0and\u00a0Mastodon<\/a>
Pierluigi Paganini<\/strong><\/a><\/p>\n\n\n\n
(<\/strong>SecurityAffairs<\/strong><\/a>\u00a0\u2013<\/strong>\u00a0hacking,\u00a0Chalubo)<\/strong>