Attack on the provider that disabled 659 thousand home routers

Tomcat

The Black Lotus Labs group has published the results of its analysis of the malware involved in an incident in which more than 600 thousand home routers of a major American provider were disabled within 72 hours in October last year (the provider is not named in the report, but the events described coincide with the outage at Windstream). As a result of the attack, code-named Pumpkin Eclipse, the firmware of the affected devices was corrupted, and the provider was forced to replace the equipment of almost half of its customers. Network scanning showed that after the incident, 179 thousand ActionTec devices (T3200s and T3260s) and 480 thousand Sagemcom devices (F5380) dropped off the network.


The attack was carried out with the well-known Chalubo malware, observed since 2018, which provides centralized botnet control and targets Linux devices on 32- and 64-bit ARM, x86, x86_64, MIPS, MIPSEL and PowerPC architectures. Exactly how the devices were compromised to install the malware is not known. The researchers only assume that access could have been obtained through weak credentials set by the provider, through a default password for the administration interface, or by exploiting an unknown vulnerability.

Chalubo infects a device in three stages. After a vulnerability is exploited or compromised credentials are used, a bash script is run on the device that checks for the malicious executable /usr/bin/usb2rci. If it is absent, the script opens the packet filter by setting the default policies to accept ("iptables -P INPUT ACCEPT; iptables -P OUTPUT ACCEPT;"), so that traffic not matched by an explicit rule is no longer dropped, and then downloads the get_scrpc script from the command-and-control (C&C) server.

The get_scrpc script computes the md5 checksum of the usb2rci file and, if it does not match a specific value, downloads a second script, get_fwuueicj. That script checks for the file /tmp/.adiisu and, if it is absent, creates it, downloads the main malware executable (built for the MIPS R3000 CPU) into /tmp under the name "crrs", and runs it.

The running binary collects host information such as the MAC address, device ID, software version and local IP addresses and sends it to an external host. It then checks the availability of the control servers and downloads the main malware component, which is decrypted with the ChaCha20 stream cipher. The main component can download and run arbitrary Lua scripts from the control server that define the logic of further actions, for example participation in DDoS attacks.


It is assumed that attackers with access to the botnet control servers used Chalubo's ability to download and execute Lua scripts to overwrite the firmware of the devices and disable the equipment. The incident is notable because, despite the prevalence of Chalubo (at the beginning of 2024, more than 330 thousand IP addresses were observed contacting known botnet control servers), the described destructive actions were limited to a single provider, which suggests that the attack was targeted.
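The three infection stages described above are enough for a quick host or firmware-image triage. The following POSIX shell function is an added example written for this page (it is not code from the Black Lotus Labs report or from the post): it checks a filesystem root for the file indicators named above (/usr/bin/usb2rci, /tmp/.adiisu, /tmp/crrs) and for a dropped script containing the stage-one iptables policy reset, and prints the number of indicators found. The function name, the directories searched for a dropped script (tmp, var, etc) and the sample directory layout are assumptions; the md5 comparison that get_scrpc performs is not reproduced, since the reference value is not given here.

```shell
#!/bin/sh
# Added example (not from the Black Lotus Labs report or the forum post):
# triage check for the Chalubo stage indicators described above.
# chalubo_check ROOT prints the number of indicators found under ROOT, so it
# works on a live host (ROOT=/) as well as on an extracted firmware image or
# a constructed directory tree. Indicator paths come from the post; the
# function name and the directories searched for a dropped script are
# assumptions made for this example.

chalubo_check() {
    root="${1:-/}"
    hits=0

    # Stage artefacts named in the post: the implant the dropper looks for,
    # the marker file created by get_fwuueicj, and the MIPS payload "crrs".
    for p in usr/bin/usb2rci tmp/.adiisu tmp/crrs; do
        if [ -e "$root/$p" ]; then
            echo "IOC: $root/$p present" >&2
            hits=$((hits + 1))
        fi
    done

    # Stage-one dropper behaviour: default INPUT/OUTPUT policy set to ACCEPT.
    # Only writable and config locations are searched (assumption), so that a
    # run against / does not walk /proc or /sys. The regex also matches the
    # garbled "iptables-P" spelling that appears in some write-ups.
    if grep -rlE 'iptables[[:space:]]*-P[[:space:]]+(INPUT|OUTPUT)[[:space:]]+ACCEPT' \
            "$root/tmp" "$root/var" "$root/etc" 2>/dev/null | grep -q .; then
        echo "IOC: iptables policy reset found in a script under $root" >&2
        hits=$((hits + 1))
    fi

    # Only the count goes to stdout; details go to stderr so callers can
    # script on the number.
    echo "$hits"
}

# Usage: chalubo_check /mnt/firmware_root   (or chalubo_check / on a live box)
if [ "$#" -gt 0 ]; then
    chalubo_check "$1"
fi
```

On a live router the current policy can additionally be confirmed with `iptables -S INPUT`; a default ACCEPT policy on its own is a weak signal, which is why it is not counted here.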