Chalubo DDoS Botnet
This content has been archived
This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of this information contained in this page is at your own risk
Summary
Affected platforms
The following platforms are known to be affected:
Threat details
The threat actors operating Chalubo are using brute force attacks or default credentials to gain access to target devices. Once this is done, they issue several commands to close or suspend security- and encryption-related services before executing a loader module. This module spawns several crontab entries to maintain persistence before downloading the ChaCha-encrypted Chalubo payload. This is then decrypted and installed.
Once installed, Chalubo will connect to command and control server before downloading a secondary Lua script detailing the target IP address and type of DDoS attack to perform. At the time of publication, only SYN flood DDoS attacks have been observed, although Chalubo appears to be capable of a wider range of attacks.
Remediation advice
To avoid devices becoming part of a botnet, organisations should:Remediation steps
| Type | Step |
|---|---|
To prevent and detect a trojan infection, ensure that:
To protect against a distributed denial-of-service (DDoS) attack, organisations should ensure:
Should an organisation suspect it is subject to an active DDoS attack, they should ensure that every effort is made to stop the attack and restore service. However, care should be taken to ensure that the attackers are not using the DDoS attack as a distraction whilst other, potentially more sensitive, systems are exploited. Monitoring of critical systems is recommended, including the use of host-based intrusion prevention and detection systems (HIPS/HIDS) where appropriate. |
Last edited: 17 February 2020 12:39 pm