Chalubo: a RAT that in only 72 hours left more than 600,000 routers inoperable.

Chalubo, a remote access trojan (RAT)

A few days ago, Black Lotus Labs disclosed, in a recent report, information about an incident that left more than 600,000 small office and home routers inoperable.

In a window of 72 hours (between October 25 and 27, 2023), more than 600,000 routers were disabled by a remote access trojan (RAT) known as "Chalubo". The incident caused the infected devices to stop working entirely and required their physical replacement.

About the incident

Black Lotus Labs reports in its publication that the attack was carried out using the Chalubo malware, known since 2018, which is designed around botnet control and runs on Linux devices based on 32- and 64-bit ARM, x86, x86_64, MIPS, MIPSEL and PowerPC architectures.

Deployment of the Chalubo malware involves three stages:

  1. Initial bash script:
    • After exploiting a vulnerability or using compromised credentials, a bash script is executed on the compromised device.
    • This script checks for the presence of the malicious executable /usr/bin/usb2rci. If the file is absent, the script disables packet filtering with iptables -P INPUT ACCEPT; iptables -P OUTPUT ACCEPT;.
  2. Evaluation by the get_scrpc script:
    • The get_scrpc script checks the MD5 checksum of the usb2rci file.
    • If the checksum does not match the predefined value, the script downloads and runs a second script, get_fwuueicj.
  3. Execution of the get_fwuueicj script:
    • This script checks for the presence of the file /tmp/.adiisu. If it is absent, it creates it.
    • It then downloads the main malware executable, compiled for the MIPS R3000 CPU, into the /tmp directory under the name crrs and launches it.
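The three stages above leave a small set of on-disk artifacts and a tell-tale firewall state. The following POSIX shell check is an added example, not code from the report or from the malware: it looks for the file paths the page names and for the open iptables default policies the first-stage script sets. The ROOT argument and the function names are my own so the check can run against a mounted firmware image or a constructed test tree.

```shell
#!/bin/sh
# Defensive check for Chalubo on-disk artifacts (added example).
# chalubo_artifacts ROOT -> prints one line per artifact found;
# returns 0 when the tree is clean, 1 when any indicator is present.
# ROOT defaults to / and may point at a mounted firmware image.
chalubo_artifacts() {
    root="${1:-/}"
    found=0
    # Paths named in the three-stage deployment described on the page.
    for p in /usr/bin/usb2rci /tmp/.adiisu /tmp/crrs; do
        if [ -e "${root%/}$p" ]; then
            echo "indicator present: $p"
            found=1
        fi
    done
    return $found
}

# policies_open IPTABLES_S_OUTPUT -> returns 0 when both the INPUT and
# OUTPUT chain default policies are ACCEPT, which is the state the
# first-stage script leaves behind; 1 otherwise.
# Pass the output of `iptables -S` (or, for testing, constructed text).
policies_open() {
    printf '%s\n' "$1" | grep -q '^-P INPUT ACCEPT$' &&
    printf '%s\n' "$1" | grep -q '^-P OUTPUT ACCEPT$'
}

# Example invocation on the live system (run as root):
#   chalubo_artifacts / ; policies_open "$(iptables -S)" && echo "filter open"
```

An open default policy alone is not proof of compromise, so treat it as a signal to be combined with the file indicators and with outbound traffic to unknown servers.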

Our analysis identified "Chalubo," a Remote Access Trojan (RAT), as the primary payload associated with the incident. This Trojan, first identified in 2018, used clever techniques to hide its activity: it removed all files from disk in order to run in memory, adopted a random process name that already existed on the device, and encrypted all communications with the command and control (C2) server.

As for how Chalubo operates, the report states that it:

  • Collects and sends information: The Chalubo executable collects host information such as the MAC address, device ID, software version and local IP address, and sends it to an external server.
  • Downloads and runs the main component: Chalubo checks the availability of the control servers and downloads the main component of the malware, which is encrypted with the ChaCha20 stream cipher.
  • Runs Lua scripts: The main component can download and execute arbitrary Lua scripts from the control server, which define the device's further actions, such as taking part in DDoS attacks.

There is also no reliable information about how the devices were compromised in order to install the malware. The researchers speculate that access to the devices may have been obtained through insecure default credentials supplied by the vendor, the use of a generic password to enter the administrative interface, or the exploitation of an unknown vulnerability. The attackers with access to the botnet's control servers then likely took advantage of Chalubo's ability to execute Lua scripts to overwrite the device firmware and disable it.

Infection status by C2 node

In addition, Black Lotus Labs discusses how far-reaching the consequences of this attack were, including the need to replace hardware devices, especially in rural and underserved areas: a network analysis after the incident showed that 179 thousand ActionTec devices (T3200 and T3260) and 480 thousand Sagemcom devices (F5380) were replaced with devices from another manufacturer.

The incident is notable not only for the scale of the attack, but also because, despite the wide spread of the Chalubo malware (more than 330,000 IP addresses have been recorded contacting its control servers), the destructive actions were limited to a single provider, suggesting a targeted attack.

Finally, if you want to know more about it, you can check the details at the following link.

