Over 600,000 SOHO routers were destroyed by Chalubo malware in 72 hours 

The Chalubo trojan destroyed over 600,000 SOHO routers from a single ISP, researchers from Lumen Technologies reported.

Between October 25 and October 27, 2023, the Chalubo malware destroyed more than 600,000 small office/home office (SOHO) routers belonging to the same ISP.

Black Lotus did not name the impacted ISP, however, Bleeping Computer speculates the attack is linked to the Windstream outage that occurred during the same timeframe.

Chalubo (ChaCha-Lua-bot) is a Linux malware that was first spotted in late August 2018 by Sophos Labs while targeting IoT devices. Threat actors aimed at creating a botnet used to launch DDoS attacks.

The malware borrows code from the Xor.DDoS and Mirai bots, it also implements fresh evasion techniques, such as encrypting both the main component and its corresponding Lua script using the ChaCha stream cipher.

The attackers used brute-force attacks (using the root:admin credential) on SSH servers to distribute the bot.

In 2023 attacks observed by Lumen, the bot targeted ActionTec T3200s, ActionTec T3260s, and Sagemcom F5380 router models.

Public scan data confirmed that took offline 49% of all modems from the impacted ISP’s autonomous system number (ASN) during the attacks. The infections rendered the devices inoperable, and required a hardware-based replacement.

Lumen researchers speculate that the threat actors used commodity malware instead of custom tools to make attribution difficult. At the time of the report, the researchers have yet to find a link to known nation-state activity clusters. The experts believe with high confidence that the malicious firmware update was a deliberate act intended to cause an outage. The attack only impacted a single ASN.

The attack roughly damaged 179,000 ActionTec and 480,000 Sagemcom routers. Most of the infections are in the US, Brazil and China.

“Our analysis revealed that one specific ASN had a drop of roughly 49% in the number of devices exposed to the internet.” reads the analysis published by Lumen. “We compared the banner hashes that were present on this ASN on October 27, to the banner hashes present on October 28th and observed a drop of ~179k IP addresses that had an ActionTec banner. This included a drop of ~480k devices associated with Sagemcom, likely the Sagemcom F5380 as both this model and the ActionTec modems were both modems issued by the ISP.”

Chalubo botnet

The researchers did not discover an exploit used for initial access, they speculate threat actor likely used weak credentials or exploited an exposed administrative interface.

The first-stage payload is a bash script (“get_scrpc”) that fetches a second script called “get_strtriiush.” get_strtriiush retrieves and executes the primary bot payload, “Chalubo” (“mips.elf”). Chalubo runs in the memory of the targeted device and wipes all files from the disk. It also changes the process name after its execution to avoid detection.

The researchers noticed that the newer version of the malware does not maintain persistence on the infected devices.

Between September and November 2023, the research discovered that there were about 45 malware panels exposed on the internet. While 28 of the panels interacted with 10 or fewer bots, the top ten panels interacted with anywhere between ~13,500 to ~117,000 unique IP addresses over a 30-day timeframe. The analysis of the telemetry associated with those IP addresses revealed that over 650K unique IP addresses had contact with at least one controller over a 30-day period ending on November 3.

95% of the bots communicated with only one control panel a circumstance that suggests the entity behind these operations had distinct silos of operations.

“The event was unprecedented due to the number of units affected – no attack that we can recall has required the replacement of over 600,000 devices. In addition, this type of attack has only ever happened once before, with AcidRain used as a precursor to an active military invasion.” concludes the report. “At this time, we do not assess this to be the work of a nation-state or state-sponsored entity. In fact, we have not observed any overlap with known destructive activity clusters; particularly those prone to destructive events such as Volt Typhoon, or SeaShell Blizzard. The second unique aspect is that this campaign was confined to a particular ASN.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Chalubo)