Connect with us

Hi, what are you looking for?



DDoS-Capable IoT Botnet ‘Chalubo’ Rises

A new piece of malware is targeting Internet of Things (IoT) devices in an attempt to ensnare them into a botnet capable of launching distributed denial-of-service (DDoS) attacks, Sophos Labs reports.

A new piece of malware is targeting Internet of Things (IoT) devices in an attempt to ensnare them into a botnet capable of launching distributed denial-of-service (DDoS) attacks, Sophos Labs reports.

Dubbed Chalubo (ChaCha-Lua-bot), the malware incorporates code from the Xor.DDoS and Mirai families, but also brings improvements in the form of anti-analysis techniques. Specifically, the authors have encrypted both the main component and its corresponding Lua script using the ChaCha stream cipher.

In late August, the attackers were observed using three malicious components for the threat, namely a downloader, the main bot, and the Lua command script. The bot ran only on systems with an x86 architecture.

Several weeks ago, the cybercriminals started using the Elknot dropper to deliver the rest of Chalubo. More importantly, Sophos Labs security researchers observed a variety of bot versions, designed to target different architectures, including 32-bit and 64-bit ARM, x86, x86_64, MIPS, MIPSEL, and PowerPC.

Due to the expanded target list, Sophos has concluded that the malware author might have been testing the bot at first, but that the trial has ended and an uptick in activity from this new threat is to be expected.

In early September, the malware was being distributed through brute-force attacks on SSH servers. The attackers were using the root:admin credential pair to compromise devices, Sophos reveals, based on an attack on their honeypot.

“This bot demonstrates increased complexity compared to the standard Linux bots we typically see delivered from these types of attacks. Not only are the attackers using a layered approach to dropping malicious components, but the encryption used isn’t one that we typically see with Linux malware,” the researchers note.

Advertisement. Scroll to continue reading.

One of the files the malware’s downloader would drop is a script, and the manner in which this action is performed is an exact match to the behavior of the Xor.DDoS family. In fact, it appears that Chalubo copied the code responsible for persistence from the older malware.

Furthermore, the researchers discovered that the Chalubo authors also copied a few code snippets from Mirai, including some of the randomizing functions.

However, the majority of functional code in the new malware family is new, as the author mainly focused on the Lua handling for performing DDoS attacks with DNS, UDP, and SYN floods.

The bot’s Lua script was designed to call home to the command and control (C&C) server to provide details on the infected machine and to receive further instructions. It would also download, decrypt, and execute whatever Lua script it finds.

“Since the primary method of this bot infecting systems is through the use of common username and password combinations against SSH servers, we recommend that sysadmins of SSH servers (including embedded devices) change any default passwords on those devices, because the brute force attempts to cycle through common, publicly known default passwords,” Sophos concludes.

Related: Meet Torii, a Stealthy, Versatile and Highly Persistent IoT Botnet

Related: Hide ‘N Seek IoT Botnet Now Targets Android Devices

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.