Linux/Chalubo

Forum for analysis and discussion about malware.
Fulrem
Posts: 6
Joined: Thu Feb 28, 2013 10:00 pm

Linux/Chalubo

Post by Fulrem » Tue Oct 23, 2018 1:37 am

Analysis: https://news.sophos.com/en-us/2018/10/2 ... ot-device/

Payload downloads of the bot and the Lua C2 script are ChaCha20-IETF encrypted, with the initial key-state counter field initialised to 1 instead of 0. The counter field is treated as an argument to the decrypt function, so it may change in the future.

VT is showing limited detection on the bots:
1/55 - https://www.virustotal.com/en/file/b9d3 ... /analysis/
2/55 - https://www.virustotal.com/en/file/366a ... /analysis/
4/55 - https://www.virustotal.com/en/file/050b ... /analysis/
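The ChaCha20 detail in the post above (IETF variant, 96-bit nonce, block counter starting at 1 rather than 0) is easy to get subtly wrong when writing a decryptor. The following is an added example, not code from the post, from Sophos, or from the malware itself: a self-contained RFC 8439 ChaCha20 implementation whose initial counter is a parameter, plus a helper that recovers the initial counter by trial when a known plaintext prefix (such as the ELF magic of a downloaded bot) is available. The key, nonce and "sunscreen" plaintext are the RFC 8439 test vectors; the ELF sample at the bottom is constructed here and is not a real payload. The assumption that Chalubo's cipher is byte-for-byte RFC 8439 ChaCha20 comes from the post's "chacha20-ietf" description, not from independent analysis.

```python
import struct

MASK32 = 0xFFFFFFFF


def _rotl32(v, c):
    return ((v << c) & MASK32) | (v >> (32 - c))


def _quarter_round(s, a, b, c, d):
    # One ChaCha quarter round on four words of the 16-word state, in place.
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    """RFC 8439 block function: 32-byte key, 32-bit counter, 12-byte nonce -> 64 keystream bytes."""
    constants = (0x61707865, 0x3320646E, 0x79622D32, 0x6B206574)  # "expand 32-byte k"
    state = (list(constants)
             + list(struct.unpack("<8L", key))
             + [counter & MASK32]
             + list(struct.unpack("<3L", nonce)))
    working = state[:]
    for _ in range(10):  # 20 rounds = 10 x (column round + diagonal round)
        _quarter_round(working, 0, 4, 8, 12)
        _quarter_round(working, 1, 5, 9, 13)
        _quarter_round(working, 2, 6, 10, 14)
        _quarter_round(working, 3, 7, 11, 15)
        _quarter_round(working, 0, 5, 10, 15)
        _quarter_round(working, 1, 6, 11, 12)
        _quarter_round(working, 2, 7, 8, 13)
        _quarter_round(working, 3, 4, 9, 14)
    return struct.pack("<16L", *[(w + s) & MASK32 for w, s in zip(working, state)])


def chacha20_xor(key, nonce, data, initial_counter=1):
    """Encrypt/decrypt (same operation). The counter the first block starts
    from is a parameter, because the post notes the malware uses 1, not 0,
    and passes it in as an argument that could change."""
    if len(key) != 32 or len(nonce) != 12:
        raise ValueError("ChaCha20-IETF needs a 32-byte key and a 12-byte nonce")
    out = bytearray()
    for i in range(0, len(data), 64):
        keystream = chacha20_block(key, initial_counter + i // 64, nonce)
        out.extend(a ^ b for a, b in zip(data[i:i + 64], keystream))
    return bytes(out)


def recover_initial_counter(key, nonce, ciphertext, known_prefix, max_counter=64):
    """Try initial counters 0..max_counter until the decrypted prefix matches.
    Useful if a future sample changes the counter argument: a downloaded bot
    should start with the ELF magic, the Lua script with readable text."""
    head = ciphertext[:len(known_prefix)]
    for counter in range(max_counter + 1):
        if chacha20_xor(key, nonce, head, counter) == known_prefix:
            return counter
    return None


# RFC 8439 section 2.4.2 test vector (counter starts at 1, like the post describes)
RFC_KEY = bytes(range(32))
RFC_NONCE = bytes.fromhex("000000000000004a00000000")
RFC_PLAINTEXT = (b"Ladies and Gentlemen of the class of '99: If I could offer you "
                 b"only one tip for the future, sunscreen would be it.")
RFC_CIPHERTEXT = bytes.fromhex(
    "6e2e359a2568f98041ba0728dd0d6981e97e7aec1d4360c20a27afccfd9fae0b"
    "f91b65c5524733ab8f593dabcd62b3571639d624e65152ab8f530c359f0861d8"
    "07ca0dbf500d6a6156a38e088a22b65e52bc514d16ccf806818ce91ab7793736"
    "5af90bbf74a35be6b40b8eedf2785e42874d")

# Constructed sample: a fake "bot" beginning with the ELF magic, encrypted at counter 3
SAMPLE_KEY = bytes(range(32, 64))
SAMPLE_NONCE = b"chalubo-nonc"
SAMPLE_PLAINTEXT = b"\x7fELF" + bytes(60) + b"constructed, not a real payload"
SAMPLE_CIPHERTEXT = chacha20_xor(SAMPLE_KEY, SAMPLE_NONCE, SAMPLE_PLAINTEXT, initial_counter=3)


def demo():
    decrypted = chacha20_xor(RFC_KEY, RFC_NONCE, RFC_CIPHERTEXT, initial_counter=1)
    wrong = chacha20_xor(RFC_KEY, RFC_NONCE, RFC_CIPHERTEXT, initial_counter=0)
    found = recover_initial_counter(SAMPLE_KEY, SAMPLE_NONCE, SAMPLE_CIPHERTEXT, b"\x7fELF")
    return decrypted, wrong, found


if __name__ == "__main__":
    dec, wrong, found = demo()
    print("counter=1:", dec)
    print("counter=0 is garbage:", dec != wrong)
    print("recovered sample counter:", found)
```

Note that getting the counter wrong does not produce an error, only garbage: every block's keystream is derived independently from (key, counter, nonce), so decrypting with counter 0 simply applies the wrong 64-byte pad to each block. That is why `recover_initial_counter` checks a known header rather than relying on any integrity failure; ChaCha20 alone (without Poly1305) has no integrity check to fail.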

r3dbU7z
Posts: 6
Joined: Wed Sep 09, 2015 1:24 pm
Location: Cyberspace

Re: Linux/Chalubo

Post by r3dbU7z » Wed Oct 24, 2018 2:37 pm

Maybe it will be interesting to someone...

https://www.virustotal.com/en/file/8fbd ... /analysis/

r3dbU7z
Posts: 6
Joined: Wed Sep 09, 2015 1:24 pm
Location: Cyberspace

Re: Linux/Chalubo

Post by r3dbU7z » Wed Nov 21, 2018 4:38 pm

One more similar sample.

https://www.virustotal.com/en/file/0779 ... /analysis/

PS: Please ban me on this forum, otherwise I will have the opportunity to continue this spam.
