Security Experts:

Connect with us

Hi, what are you looking for?



DDoS-Capable IoT Botnet ‘Chalubo’ Rises

A new piece of malware is targeting Internet of Things (IoT) devices in an attempt to ensnare them into a botnet capable of launching distributed denial-of-service (DDoS) attacks, Sophos Labs reports.

A new piece of malware is targeting Internet of Things (IoT) devices in an attempt to ensnare them into a botnet capable of launching distributed denial-of-service (DDoS) attacks, Sophos Labs reports.

Dubbed Chalubo (ChaCha-Lua-bot), the malware incorporates code from the Xor.DDoS and Mirai families, but also brings improvements in the form of anti-analysis techniques. Specifically, the authors have encrypted both the main component and its corresponding Lua script using the ChaCha stream cipher.

In late August, the attackers were observed using three malicious components for the threat, namely a downloader, the main bot, and the Lua command script. The bot ran only on systems with an x86 architecture.

Several weeks ago, the cybercriminals started using the Elknot dropper to deliver the rest of Chalubo. More importantly, Sophos Labs security researchers observed a variety of bot versions, designed to target different architectures, including 32-bit and 64-bit ARM, x86, x86_64, MIPS, MIPSEL, and PowerPC.

Due to the expanded target list, Sophos has concluded that the malware author might have been testing the bot at first, but that the trial has ended and an uptick in activity from this new threat is to be expected.

In early September, the malware was being distributed through brute-force attacks on SSH servers. The attackers were using the root:admin credential pair to compromise devices, Sophos reveals, based on an attack on their honeypot.

“This bot demonstrates increased complexity compared to the standard Linux bots we typically see delivered from these types of attacks. Not only are the attackers using a layered approach to dropping malicious components, but the encryption used isn’t one that we typically see with Linux malware,” the researchers note.

One of the files the malware’s downloader would drop is a script, and the manner in which this action is performed is an exact match to the behavior of the Xor.DDoS family. In fact, it appears that Chalubo copied the code responsible for persistence from the older malware.

Furthermore, the researchers discovered that the Chalubo authors also copied a few code snippets from Mirai, including some of the randomizing functions.

However, the majority of functional code in the new malware family is new, as the author mainly focused on the Lua handling for performing DDoS attacks with DNS, UDP, and SYN floods.

The bot’s Lua script was designed to call home to the command and control (C&C) server to provide details on the infected machine and to receive further instructions. It would also download, decrypt, and execute whatever Lua script it finds.

“Since the primary method of this bot infecting systems is through the use of common username and password combinations against SSH servers, we recommend that sysadmins of SSH servers (including embedded devices) change any default passwords on those devices, because the brute force attempts to cycle through common, publicly known default passwords,” Sophos concludes.

Related: Meet Torii, a Stealthy, Versatile and Highly Persistent IoT Botnet

Related: Hide ‘N Seek IoT Botnet Now Targets Android Devices

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


Artificial intelligence is competing in another endeavor once limited to humans — creating propaganda and disinformation.


Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


A digital ad fraud scheme dubbed "VastFlux" spoofed over 1,700 apps and peaked at 12 billion ad requests per day before being shut down.


Cybercriminals earned significantly less from ransomware attacks in 2022 compared to 2021 as victims are increasingly refusing to pay ransom demands.