Sophos researchers have discovered a new DDoS botnet, Chalubo, which targets poorly secured SSH servers in order to gain remote access to Linux-based systems.

The botnet reuses code from malware families such as Xor.DDoS and Mirai. The network was discovered at the beginning of September. The security researchers gathered information about the botnet with a honeypot server designed to appear vulnerable to DDoS attacks and other threats. Chalubo consists of a downloader, a Lua command script and the bot itself, which was compiled for hardware with Intel x86 processors.

As is common with Windows malware, its creators have used anti-analysis techniques, such as encrypting the Lua script and the bot itself with the ChaCha stream cipher. In recent weeks, the makers have also used the Elknot dropper to deliver the entire malware family. According to the researchers, the bots can now run on several CPU architectures, which means that the botnet may become more widespread in the near future.

Cybercriminals have been targeting Linux systems more often, but according to the researchers, the use of the ChaCha stream cipher and the layered approach to delivering the bots are unusual. The makers also appear to borrow from their predecessors: certain features that give the Xor.DDoS family persistence were copied into the Chalubo code.

A DDoS attack can be used to take down a website, as well as other components of enterprise IT. Since Chalubo was found through a honeypot, there is a good chance that its makers will go after real targets. IBM experts recommend a layered security policy to protect against DDoS attacks, which allows security teams to identify DDoS activity on a specific network, application or session.

Organizations should also keep their applications and operating systems current with the latest updates and patches, and ensure that antivirus software and its definition files are up to date. Finally, the environment should be monitored for the indicators of compromise (IoCs) listed in the IBM X-Force Exchange threat advisory.

This news article was automatically translated from Dutch to give a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.