Chalubo: the RAT that left more than 600,000 routers inoperable in just 72 hours

Chalubo, a remote access trojan (RAT)

A few days ago, Black Lotus Labs published, in a recent report, details about a compromise that left more than 600,000 routers in small offices and homes inoperable.

Over a period of 72 hours (between October 25 and 27, 2023), more than 600,000 routers were disabled by a remote access trojan (RAT) known as "Chalubo". The incident left the infected devices permanently inoperable and made their physical replacement necessary.

About the incident

Black Lotus Labs reports in its publication that the attack was carried out using the Chalubo malware, known since 2018, which implements centralized botnet control and targets Linux devices based on the 32- and 64-bit ARM, x86, x86_64, MIPS, MIPSEL and PowerPC architectures.

The Chalubo malware runs in three stages of execution:

  1. Initial Bash script:
    • After exploitation of a vulnerability or use of weak credentials, a bash script is executed on the compromised device.
    • The script checks for the presence of the malicious executable /usr/bin/usb2rci. If the file does not exist, the script disables packet filtering with `iptables -P INPUT ACCEPT; iptables -P OUTPUT ACCEPT;`.
  2. Check by the get_scrpc script:
    • The get_scrpc script verifies the MD5 checksum of the usb2rci file.
    • If the checksum does not match a predefined value, the script downloads and runs a second script, get_fwuueicj.
  3. Execution of get_fwuueicj:
    • This script checks for the presence of the file /tmp/.adiisu. If it does not exist, it creates it.
    • It then downloads the main executable, compiled for the MIPS R3000 CPU, into the /tmp directory under the name crrs and starts it.
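One way to triage a device for the stage-1 and stage-3 residue described above (an added example, not code from the post or from Black Lotus Labs; the three file paths and the iptables policies are taken from the text, while the function names, the root-prefix argument and the constructed demonstration tree are assumptions made for the example):

```shell
#!/bin/sh
# Added example: offline triage for the Chalubo artifacts named in the
# write-up. Paths come from the text; the root-prefix argument lets the
# same checks run on a live device (empty prefix) or on a copied
# filesystem tree of a suspect router.

# Prints each Chalubo file artifact found under the root prefix $1 to
# stderr and echoes the number of artifacts found to stdout.
chalubo_file_artifacts() {
    root="${1:-}"
    count=0
    for p in /usr/bin/usb2rci /tmp/.adiisu /tmp/crrs; do
        if [ -e "$root$p" ]; then
            echo "artifact present: $root$p" >&2
            count=$((count + 1))
        fi
    done
    echo "$count"
}

# Reads 'iptables -S' output on stdin and echoes 1 if both the INPUT and
# OUTPUT chain policies are ACCEPT (the state the stage-1 script leaves
# behind), otherwise 0. This is a weak signal on its own: many routers
# ship with ACCEPT policies and explicit DROP rules, so correlate it with
# the file artifacts above rather than alerting on it alone.
chalubo_policies_open() {
    in_open=0
    out_open=0
    while read -r line; do
        case "$line" in
            "-P INPUT ACCEPT"*)  in_open=1 ;;
            "-P OUTPUT ACCEPT"*) out_open=1 ;;
        esac
    done
    [ "$in_open" -eq 1 ] && [ "$out_open" -eq 1 ] && echo 1 || echo 0
}

# Constructed demonstration tree standing in for an infected device image.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/tmp"
: > "$demo_root/tmp/.adiisu"
: > "$demo_root/tmp/crrs"
files=$(chalubo_file_artifacts "$demo_root")
open=$(printf '%s\n' '-P INPUT ACCEPT' '-P FORWARD DROP' '-P OUTPUT ACCEPT' | chalubo_policies_open)
if [ "$files" -gt 0 ] && [ "$open" -eq 1 ]; then
    echo "likely Chalubo residue: $files artifact(s) and opened firewall policies"
fi
rm -rf "$demo_root"
```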

Their analysis identified "Chalubo", a Remote Access Trojan (RAT), as the primary payload responsible for the event. This Trojan, first identified in 2018, used sophisticated tricks to hide its activity: it removed all of its files from disk in order to run in memory, took on the name of a random process already present on the device, and encrypted all communication with the command and control (C2) server.

Regarding Chalubo's behaviour, the report also describes that it does the following:

  • Collection and transmission of information: the Chalubo executable collects host information such as the MAC address, device ID, software version and local IP addresses and sends it to an external server.
  • Download and execution of the main component: Chalubo checks the availability of the control servers and downloads the main component of the malware, which is decrypted using the ChaCha20 stream cipher.
  • Execution of Lua scripts: the main component can download and execute arbitrary Lua scripts from the control server to carry out further actions on the device, such as taking part in DDoS attacks.

Since there is no concrete information about the exact method by which the affected devices were infected with the malware, the researchers believe that access to the devices could have been obtained through insecure credentials provided by the vendor, the use of a common password to access the administration interface, or the exploitation of an unknown vulnerability. Because the attackers had access to the botnet's control servers, it is likely that they took advantage of Chalubo's ability to execute Lua scripts, overwriting the device firmware and disabling it.

Logical infection process and associated C2 nodes

In addition, Black Lotus Labs discusses how this attack had significant consequences, including the need to replace hardware devices, particularly in rural and underserved areas, since network analysis after the incident showed that 179 thousand ActionTec devices (T3200 and T3260) and 480 thousand Sagemcom devices (F5380) were replaced by devices from another manufacturer.

The incident is notable not only for the scale of the attack, but also because, despite the wide spread of the Chalubo malware (more than 330,000 IPs recorded reaching the control servers since the beginning of 2024), the destructive actions were limited to a single provider, which suggests a highly targeted attack.

Finally, if you are interested in learning more about it, you can check the details at the following link.

