A few days ago, Black Lotus Labs published a report detailing an attack that left more than 600,000 small-office and home-office routers useless.
Over a 72-hour period (between October 25 and 27, 2023), more than 600,000 routers were disabled by a remote access trojan (RAT) known as «Chalubo». The event left the infected devices permanently inoperable and required their physical replacement.
About the incident
Black Lotus Labs reports in its publication that the attack was carried out using the Chalubo malware, known since 2018, which relies on centralized control of the botnet and runs on Linux devices based on 32- and 64-bit ARM, x86, x86_64, MIPS, MIPSEL and PowerPC architectures.
Chalubo is deployed in three stages:
- Starting the bash script:
  - After exploitation of a vulnerability or use of compromised credentials, a bash script is executed on the compromised device.
  - This script checks for the presence of the malicious executable file /usr/bin/usb2rci. If the file is not present, the script disables packet filtering with `iptables -P INPUT ACCEPT; iptables -P OUTPUT ACCEPT;`.
- Evaluation of the get_scrpc script:
  - The get_scrpc script evaluates the MD5 checksum of the file usb2rci.
  - If the checksum does not match a predefined value, the script downloads and runs a second script, get_fwuueicj.
- Execution of the get_fwuueicj script:
  - This script checks for the presence of the file /tmp/.adiisu. If it is absent, it creates it.
  - It then downloads the main malware executable, compiled for the MIPS R3000 CPU, into the /tmp directory under the name crrs and starts it.
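The stage descriptions above name a handful of on-disk artifacts (usr/bin/usb2rci, /tmp/.adiisu, /tmp/crrs) and one configuration change (INPUT and OUTPUT chain policies forced to ACCEPT). As an added example, not taken from the Black Lotus Labs report or this post, the following POSIX shell script checks a filesystem root and a saved `iptables -S` listing for those indicators. The ROOT argument is assumed so the check can be run against a mounted firmware image or an extracted backup; the sample tree it builds is constructed here for demonstration and is not a real device image. The expected MD5 of usb2rci is not given on the page, so only file presence is tested.

```shell
#!/bin/sh
# Added example: host-side check for the Chalubo stage artifacts named in the post.
# Not part of the original post or the Black Lotus Labs report.

# Indicator paths named in the post, relative to the filesystem root being checked.
CHALUBO_PATHS="usr/bin/usb2rci tmp/.adiisu tmp/crrs"

# chalubo_check ROOT [IPTABLES_S_FILE]
#   ROOT            filesystem root to inspect ("/" for the live system, or a
#                   mount point of a firmware image) -- assumed interface
#   IPTABLES_S_FILE optional saved output of `iptables -S`
# Prints each finding to stderr, prints the number of findings to stdout,
# and always returns 0 so it composes with `set -e`.
chalubo_check() {
    root="${1:-/}"
    policy_file="${2:-}"
    findings=0
    for rel in $CHALUBO_PATHS; do
        if [ -e "$root/$rel" ]; then
            echo "FOUND: $root/$rel" >&2
            findings=$((findings + 1))
        fi
    done
    # Stage one sets both default policies to ACCEPT; `iptables -S` prints
    # those as "-P INPUT ACCEPT" / "-P OUTPUT ACCEPT".
    if [ -n "$policy_file" ] && [ -r "$policy_file" ]; then
        for chain in INPUT OUTPUT; do
            if grep -q "^-P $chain ACCEPT" "$policy_file"; then
                echo "POLICY: $chain chain default policy is ACCEPT" >&2
                findings=$((findings + 1))
            fi
        done
    fi
    echo "$findings"
    return 0
}

# make_sample_tree: builds a CONSTRUCTED infected-looking tree in a temp dir
# (empty marker files plus a fake `iptables -S` listing) and prints its path.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/bin" "$d/tmp"
    : > "$d/usr/bin/usb2rci"
    : > "$d/tmp/.adiisu"
    : > "$d/tmp/crrs"
    printf '%s\n' '-P INPUT ACCEPT' '-P FORWARD DROP' '-P OUTPUT ACCEPT' \
        > "$d/iptables-S.txt"
    echo "$d"
}

# Demonstration on the constructed sample tree: expect 5 findings
# (3 files + 2 permissive policies).
sample=$(make_sample_tree)
echo "findings on constructed sample: $(chalubo_check "$sample" "$sample/iptables-S.txt")"
rm -rf "$sample"
```

On a live device the same function would be called as `chalubo_check / <(iptables -S)` in bash, or with `iptables -S > /tmp/policy.txt` first under plain sh. A clean tree yields 0; any non-zero count is worth a closer look, since the file names in question have no legitimate reason to exist on a stock router image.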
Our analysis identified “Chalubo,” a Remote Access Trojan (RAT), as the primary payload responsible for the event. This Trojan, first identified in 2018, employed clever techniques to conceal its activity: it removed all files from disk to run in memory, assumed a random process name already present on the device, and encrypted all communications with the command and control (C2) server.
As to Chalubo's behavior, the report mentions that it performs the following:
- Collection and sending of information: the Chalubo executable collects host information such as MAC address, device ID, software version, and local IP addresses and sends it to an external server.
- Download and execution of the main component: Chalubo checks the availability of the control servers and downloads the main malware component, which is decrypted using the ChaCha20 stream cipher.
- Running Lua scripts: the core component can download and execute arbitrary Lua scripts from the control server, which determine the device's future actions, such as participating in DDoS attacks.
There is no concrete information about how exactly the devices were compromised to install the malware. The researchers assume that access could have been obtained through weak credentials provided by the vendor, the use of a generic password for the administration interface, or the exploitation of unknown vulnerabilities. Attackers with access to the botnet's control servers then likely took advantage of Chalubo's ability to execute Lua scripts to overwrite the device's firmware and disable it.
Black Lotus Labs also discusses the significant consequences of this attack, including the need to replace hardware, especially in rural and underserved areas: a network analysis after the incident revealed that 179 thousand ActionTec devices (T3200 and T3260) and 480 thousand Sagemcom devices (F5380) were replaced by equipment from another manufacturer.
This incident is notable not only for the magnitude of the attack, but also because, despite the prevalence of the Chalubo malware (with over 330,000 recorded IPs accessing control servers as of early 2024), malicious actions were limited to a single provider, suggesting a very specific attack.
Finally, if you are interested in learning more about it, you can check the details at the following link.