Chalubo RAT

Chalubo is a remote access trojan (RAT) first identified in 2018, targeting Linux-based systems and IoT devices. It combines elements from Mirai and XorDDoS, enhancing its capabilities to launch distributed denial-of-service (DDoS) attacks. Chalubo distinguishes itself by employing encryption for its communications and using Lua scripts for modular execution. Notably, it has been implicated in large-scale disruptions, such as permanently disabling over 600,000 routers in a single attack.

Key Insights

Chalubo integrates code from Mirai and XorDDoS to target diverse architectures, including ARM, x86, and MIPS. It encrypts its command-and-control (C2) traffic with the ChaCha cipher, which keeps commands and payloads out of reach of plaintext network inspection. Lua scripts embedded within the malware provide modularity, enabling it to execute a variety of payloads and maintain operational flexibility.

Notable Incidents

In October 2023, Chalubo was involved in a catastrophic attack on over 600,000 routers within a single ISP's network. The attack rendered these devices permanently inoperable, requiring replacements. Models impacted included ActionTec T3200s, ActionTec T3260s, and Sagemcom F5380 routers. This incident highlighted Chalubo’s destructive potential and its ability to disrupt essential services at scale.

Obfuscation and Persistence

Chalubo employs obfuscation techniques to avoid detection: it operates primarily in memory and deletes its on-disk files once running. It adopts process names already present on the device so that it blends in with legitimate activity. Its encrypted C2 communications further complicate traffic analysis and remediation, underscoring the sophistication of this RAT.
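The two host-level behaviours described above, a running process whose binary has been unlinked from disk and a process name that does not match its executable, both leave traces in the Linux /proc filesystem. The following is an added detection example written for this profile; it is not code from the page or from any Chalubo analysis. It assumes the standard Linux /proc layout (the kernel appends " (deleted)" to the /proc/<pid>/exe link once the file is unlinked, and memfd-backed executables show as "/memfd:<name> (deleted)"). The sample records are constructed for illustration.

```python
"""Flag Linux processes that look memory-resident or self-deleting.

Added detection example for this Chalubo profile (not the page's own code).
Assumes standard Linux /proc semantics:
  /proc/<pid>/comm  -> short process name (kernel truncates to 15 chars)
  /proc/<pid>/exe   -> symlink to the running binary; the kernel appends
                       " (deleted)" once that file has been unlinked
"""
import os
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class ProcRecord:
    pid: int
    comm: str        # contents of /proc/<pid>/comm
    exe_target: str  # readlink of /proc/<pid>/exe, "" if unreadable


def is_suspicious(rec: ProcRecord) -> List[str]:
    """Return the reasons a record matches the self-deleting / masquerading pattern.

    An empty list means the record looks normal.
    """
    reasons: List[str] = []
    memfd = rec.exe_target.startswith("/memfd:")
    if memfd:
        # Binary was loaded from an anonymous memory file, never on disk.
        reasons.append("executable backed by anonymous memfd")
    elif rec.exe_target.endswith(" (deleted)"):
        # Binary ran, then its file was unlinked; only the mapping remains.
        reasons.append("executable unlinked from disk")

    # Weak signal: comm is normally the executable's basename (truncated).
    # A process that renamed itself to an existing, benign-looking name will
    # show a comm that is unrelated to the binary it actually maps.
    if rec.exe_target and not memfd:
        base = os.path.basename(rec.exe_target.removesuffix(" (deleted)"))
        comm = rec.comm[:15]
        # Interpreters (comm "python3", exe ".../python3.11") are benign
        # prefix matches, so only flag names where neither is a prefix.
        if not (base.startswith(comm) or comm.startswith(base[:15])):
            reasons.append(f"comm {rec.comm!r} does not match binary {base!r}")
    return reasons


def scan_proc(proc_root: str = "/proc") -> List[ProcRecord]:
    """Collect (pid, comm, exe) for every readable process under proc_root."""
    records: List[ProcRecord] = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"{proc_root}/{pid}/comm", encoding="utf-8") as fh:
                comm = fh.read().strip()
            exe = os.readlink(f"{proc_root}/{pid}/exe")
        except OSError:
            # Process exited, kernel thread, or owned by another user.
            continue
        records.append(ProcRecord(pid, comm, exe))
    return records


def report(records: Iterable[ProcRecord]) -> List[ProcRecord]:
    """Return only the records that trigger at least one reason."""
    return [r for r in records if is_suspicious(r)]


# Constructed sample telemetry (not real data): two benign processes, one
# binary that deleted itself while posing as sshd, one memfd-loaded binary.
SAMPLE_RECORDS = [
    ProcRecord(412, "sshd", "/usr/sbin/sshd"),
    ProcRecord(503, "python3", "/usr/bin/python3.11"),
    ProcRecord(977, "sshd", "/tmp/.x (deleted)"),
    ProcRecord(1021, "kworker/1:2", "/memfd:payload (deleted)"),
]


if __name__ == "__main__":
    source = scan_proc() if os.path.isdir("/proc") else SAMPLE_RECORDS
    for rec in report(source):
        print(rec.pid, rec.comm, rec.exe_target, "->", "; ".join(is_suspicious(rec)))
```

Run as root (or with CAP_SYS_PTRACE) to read every process's exe link; unprivileged runs silently skip other users' processes. The comm/basename comparison is deliberately a weak signal and is only meaningful alongside the unlinked or memfd conditions.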

Known Variants

While Chalubo has been observed in different configurations targeting various architectures, specific variant names are not documented. Ongoing research is needed to track its evolution.

Mitigation Strategies

  • Regularly update firmware and software to patch vulnerabilities.

  • Replace default credentials with strong, unique passwords.

  • Monitor network traffic for anomalies indicative of DDoS activity.

  • Use intrusion detection systems to identify and block malicious behavior.

Targeted Industries or Sectors

  • Internet Service Providers (ISPs): Chalubo has significantly impacted ISPs by targeting SOHO routers, causing widespread service disruptions.

  • IoT Device Users: Any organization utilizing IoT technology is at risk due to Chalubo's indiscriminate targeting methods.

Associated Threat Actors

The threat actors behind Chalubo remain unknown. The use of commodity malware and deliberate obfuscation techniques have hindered attribution efforts.
