An investigation was triggered by customer complaints about ActionTec T3200s and T3260s gateway models experiencing outages indicated by a static red light.
A week of Censys scan data showed that the number of internet-connected ActionTec devices in one ASN dropped by 49%, coinciding with a drop of 179k IP addresses presenting ActionTec banners and of 480k Sagemcom devices, another modem model from the same ISP.
Connections from the affected ASN led to the first payload server, which points to a multi-stage infection process targeting ActionTec and Sagemcom gateway models.
The Chalubo malware exploits weak credentials or vulnerabilities on ActionTec devices to gain initial access, and then retrieves a bash script “get_scrpc,” which checks for a malicious binary “usb2rci” and opens firewall rules for communication.
If the binary is absent, “get_scrpc” downloads the main payload from a server and executes the loader script “get_strtriiusj,” which retrieves system information and sends it to a malicious domain or IP address.
The main binary, “get_fwuueicj,” creates a lock file, modifies system settings to avoid termination, deletes itself from disk, and disguises its process name.
The Chalubo malware first attempts to connect to a list of predefined command-and-control (C2) servers with the infected machine’s architecture appended, and after a successful connection, it retrieves the next stage payload encrypted with ChaCha20 using a hardcoded key and nonce.
The downloaded stage is then written to a temporary file, executed, and deleted, after which the bot sleeps for 30 minutes before attempting another C2 communication cycle.
The Chalubo botnet infects SOHO/IoT devices, deletes itself after execution to evade detection, uses ChaCha-encrypted communication to download Lua scripts and employs a two-stage C2 communication loop.
The first stage sends device information and receives the second stage script, while the second stage uses a different key for encryption. The bot can execute arbitrary Lua scripts and has embedded DDoS attack functions, although these functions were not observed being used.
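Two behaviours described above are observable on the gateway itself: the stage names the loader fetches, and a binary that unlinks its own executable shortly after starting. The following detection logic, an added example rather than anything from the original report or from Lumen, correlates exec and unlink events per process over constructed sample telemetry; the event schema and file paths are assumptions.

```python
from datetime import datetime, timedelta

# Stage script/binary names named in the Chalubo infection chain described above.
CHALUBO_STAGE_NAMES = {"get_scrpc", "get_strtriiusj", "get_fwuueicj", "usb2rci"}

# Constructed sample telemetry for illustration: (timestamp, pid, event, path).
# These are not real device logs; the schema is an assumption.
SAMPLE_EVENTS = [
    ("2024-01-10T10:00:00", 1201, "exec", "/bin/sh"),
    ("2024-01-10T10:00:02", 1201, "open", "/tmp/get_scrpc"),
    ("2024-01-10T10:00:05", 1344, "exec", "/tmp/get_fwuueicj"),
    ("2024-01-10T10:00:06", 1344, "create", "/tmp/.lock"),
    ("2024-01-10T10:00:07", 1344, "unlink", "/tmp/get_fwuueicj"),  # self-deletion
    ("2024-01-10T10:05:00", 1500, "exec", "/usr/sbin/dropbear"),
    ("2024-01-10T10:05:01", 1500, "unlink", "/tmp/dropbear.pid"),  # benign cleanup
]


def detect_chalubo_indicators(events, window=timedelta(seconds=60)):
    """Return (rule, pid, path) alerts for known stage names and for a
    process that unlinks its own executable within `window` of exec."""
    alerts = []
    last_exec = {}  # pid -> (timestamp, executable path)
    for ts_s, pid, ev, path in sorted(events, key=lambda e: e[0]):
        ts = datetime.fromisoformat(ts_s)
        name = path.rsplit("/", 1)[-1]
        if name in CHALUBO_STAGE_NAMES:
            hit = ("known_stage_name", pid, path)
            if hit not in alerts:  # one alert per process/path pair
                alerts.append(hit)
        if ev == "exec":
            last_exec[pid] = (ts, path)
        elif ev == "unlink" and pid in last_exec:
            t0, exe = last_exec[pid]
            # Only flag deletion of the process's own binary, not unrelated files.
            if exe == path and ts - t0 <= window:
                alerts.append(("self_deleting_binary", pid, path))
    return alerts


if __name__ == "__main__":
    for alert in detect_chalubo_indicators(SAMPLE_EVENTS):
        print(alert)
```

The self-deletion rule fires on the path match alone, so it also catches a self-deleting binary that uses a name not on the list.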
Researchers at Lumen analyzed the Chalubo malware and found that it used Lua scripts to control the bot and potentially download a destructive payload, and they also discovered a network of 45 malware control panels that infected over 650,000 unique IPs in a 30-day period.
The analysis suggests that the attackers used separate control panels for different operations and only a small portion of infected devices were used in the destructive attack.