
Linux/Chalubo

Posted: Tue Oct 23, 2018 1:37 am
by Fulrem
Analysis: https://news.sophos.com/en-us/2018/10/2 ... ot-device/

Payload downloads of the bot & the Lua C2 script are ChaCha20-IETF encrypted, with the initial key-state counter field initialised to 1 instead of 0; the counter field is treated as an argument to the decrypt function, so it may change in the future.

VT shows limited detection on the bots:
1/55 - https://www.virustotal.com/en/file/b9d3 ... /analysis/
2/55 - https://www.virustotal.com/en/file/366a ... /analysis/
4/55 - https://www.virustotal.com/en/file/050b ... /analysis/

Re: Linux/Chalubo

Posted: Wed Oct 24, 2018 2:37 pm
by r3dbU7z
Maybe it will be interesting to someone...

https://www.virustotal.com/en/file/8fbd ... /analysis/

Re: Linux/Chalubo

Posted: Wed Nov 21, 2018 4:38 pm
by r3dbU7z
One more similar sample.

https://www.virustotal.com/en/file/0779 ... /analysis/

PS: Please ban me on this forum, otherwise I will have the opportunity to continue this spam.

Re: Linux/Chalubo

Posted: Sat Jun 08, 2019 8:39 am
by r3dbU7z

Disclaimer: This archive is provided for information purposes only. Don't be :devil: !
Archive on VT -> 44b01c348a0ea22969243b1036841f5d149abaf071661dea8e64e16470718ffa

More info:
New China ELF malware DDoS'er "Linux/DDoSMan", bot & its C2 tool

Thank you @unixfreaxjp for the report!

I also sent this archive to SophosLabs (the link to the report by Timothy Easton can be found in the first post^). But despite the fact that I had to leave my phone number :-/ for this, the parcel probably did not reach the addressee. I'm sorry it happened; I tried. :crying: