Botnets have been growing more prevalent, and SophosLabs has discovered a new family of denial-of-service (DoS) bots used in distributed denial-of-service (DDoS) attacks. The family, dubbed Chalubo, has been used in attacks targeting internet-facing SSH servers on Linux-based systems, according to SophosLabs.
Using the ChaCha stream cipher, the attackers encrypt the bot and its Lua script, which researchers said is an indication of a Linux malware evolution. The anti-analysis techniques are principles more commonly used to thwart detection in Windows malware, though Chalubo does incorporate code from both the Xor DDoS and other Mirai malware families.
The Chalubo family attacked a SophosLabs honeypot on September 6, 2018, at which time researchers noted the bot attempting to brute-force login credentials against an SSH server. After gaining what they believed was access, the attackers issued a series of commands that revealed the bot’s complexity, dropping malicious components with a layered approach in an encryption not typical for Linux malware.