New Chalubo malware can launch DDoS attacks against IoT devices

  • The new IoT malware comes with enhanced capabilities and borrows code from the Xor.DDoS and Mirai botnets.
  • To mitigate the threat, experts have advised that the default passwords of SSH servers be changed.

A new piece of Linux malware dubbed Chalubo has been found targeting IoT devices in an attempt to launch DDoS attacks. The new IoT malware comes with enhanced capabilities and borrows code from the Xor.DDoS and Mirai botnets.

Security experts at Sophos Lab first discovered the Chalubo malware family while investigating one of its honeypots on September 6, 2018. They found that the cybercriminals operating the malware sed brute force attacks against SSH (Secure Shell) servers to gain access to systems. A combination of words containing ‘root’ and ‘admin’ was used repeatedly to crack into a server.

“SophosLabs first discovered the Chalubo family from an attack on one of our honeypots, which we use to collect data on malicious activity. We recorded the attack on the 6th of September 2018 with the bot attempting to brute force login credentials against an SSH server; our honeypots present the attacker with the appearance of a real shell that accepts a wide range of credentials,” Sophos researchers said in a report.

The malware comes packed with a highly-effective anti-detection technique. The authors of the malware have encrypted both the key component of the malware and its corresponding Lua script using the ChaCha stream cipher encryption process.

“This adoption of anti-analysis techniques demonstrates an evolution in Linux malware, as the authors have adopted principles more common to Windows malware in an effort to thwart detection,” the researchers added.

Working module

The malware compromises of three components namely a downloader, the main bot, and the Lua command script. The bot runs only on systems with an x86 architecture.

“This bot demonstrates increased complexity compared to the standard Linux bots we typically see delivered from these types of attacks. Not only are the attackers using a layered approach to dropping malicious components, but the encryption used isn’t one that we typically see with Linux malware,” the security experts said.

When executed, the bot’s Lua command script first connects to the command and control (C2) server to provide details of the infected machine and to receive information.


To mitigate the threat, experts have advised the sysadmins of SSH servers to change the default passwords and protect them with unpredictable and strong passwords. In addition, it is also advisable to keep the system regularly updated.

“Since the primary method of this bot infecting systems is through the use of the common username and password combinations against SSH servers, we recommend that sysadmins of SSH servers (including embedded devices) change any default passwords on those devices because the brute force attempts to cycle through common, publicly known default passwords,” the researchers added.