Firmware Overwrite: The New Trend in Router Fashion

The Chalubo RAT malware campaign targeted specific models of Actiontec and Sagemcom routers, primarily affecting Windstream's network. The malware used brute-force attacks to gain access, executed payloads in memory to avoid detection, and communicated with C2 servers using encrypted channels. The attack led to a significant outage, requiring the replacement of over 600,000 routers, highlighting the need for robust security measures and regular updates to prevent such incidents.

📌Windstream: The primary ISP affected, with over 600,000 routers rendered inoperable between October 25 and October 27, 2023.

📌Affected Models: Actiontec T3200, T3260, and Sagemcom F5380.

📌Impact: Approximately 49% of the ISP's modems were taken offline, requiring hardware replacements.

📌Botnet Activity: From September to November 2023, Chalubo botnet panels interacted with up to 117,000 unique IP addresses over a 30-day period.

📌Geographic Distribution: Most infections were in the US, Brazil, and China.

📌Operational Silos: 95% of bots communicated with only one control panel, indicating distinct operational silos.

📌Targeted Models: End-of-life business-grade routers.

📌Actiontec T3200 and T3260 are VDSL2 wireless AC gateway routers approved by Windstream.

📌Sagemcom F5380 is a WiFi6 (802.11ax) router.

📌DrayTek Vigor Models 2960 and 3900

📌First Spotted: August 2018 by Sophos Labs.

📌Primary Functions: DDoS attacks, execution of Lua scripts, and evasion techniques using ChaCha20 encryption.

Technical Details:

📌Initial Infection: Uses brute-force attacks on SSH servers with weak credentials (e.g., root:admin).

📌Payload Delivery:

📌First Stage: A bash script ("get_scrpc") fetches a second script ("get_strtriiush") which retrieves and executes the primary bot payload ("Chalubo" or "mips.elf").

📌Execution: The malware runs in memory, wipes files from the disk, and changes the process name to avoid detection.

📌Communication:

📌C2 Servers: Cycles through hardcoded C2s, downloads the next stage, and decrypts it using ChaCha20.

📌Persistence: The newer version does not maintain persistence on infected devices.

📌Port 8816: HiatusRAT checks for existing processes on port 8816, kills any existing service, and opens a listener on this port.

📌Information Collection: Collects host-based information and sends it to the C2 server to track the infection status and log information about the compromised host.

📌Initial Access: Through exploiting vulnerabilities in router firmware or using weak credentials.

📌Persistence: Uses a bash script to download and execute HiatusRAT and the packet-capture binary

📌Prebuilt Functions:

📌config: Loads new configuration values from the C2 node.

📌shell: Spawns a remote shell on the infected host.

📌file: Allows reading, deleting, or uploading files to the C2.

📌executor: Downloads and executes files from the C2.

📌script: Executes scripts supplied by the C2.

📌tcp_forward: Forwards TCP data from a specified port to another IP address and port.

📌socks5: Sets up a SOCKS5 proxy on the compromised router.

📌quit: Ceases execution of the malware.

📌Packet Capture: A variant of tcpdump is deployed to capture and monitor router traffic on ports associated with email and file-transfer communications

📌Black Lotus Labs, the threat research team at Lumen Technologies (formerly CenturyLink), has recently uncovered two major malware campaigns targeting routers and networking devices from different manufacturers. These discoveries highlight the increasing threats faced by internet infrastructure and the need for better security practices.

📌In March 2023, Black Lotus Labs reported on a complex campaign called "Hiatus" that had been targeting business-grade routers, primarily DrayTek Vigor models 2960 and 3900, since June 2022. 

📌The threat actors exploited end-of-life DrayTek routers to establish long-term persistence without detection.

📌Around 4,100 vulnerable DrayTek models were exposed on the internet, with Hiatus compromising approximately 100 of them across Latin America, Europe, and North America.

📌Upon infection, the malware intercepts data transiting the infected router and deploys a Remote Access Trojan (RAT) called "HiatusRAT" that can proxy malicious traffic to additional networks.

📌Black Lotus Labs has null-routed the Hiatus command-and-control (C2) servers across Lumen's global backbone and added the indicators of compromise (IoCs) to their Rapid Threat Defense system to block threats before reaching customer networks.

📌In late October 2023, Black Lotus Labs investigated a massive outage affecting specific ActionTec (T3200s and T3260s) and Sagemcom (F5380) gateway models within a single internet service provider's network.

📌Over 600,000 devices displayed a static red light, indicating a likely firmware corruption issue.

📌The attack was confined to a specific Autonomous System Number (ASN), impacting around 49% of exposed devices in that network.

📌Black Lotus Labs discovered a multi-stage infection mechanism that installed the Chalubo RAT, a botnet targeting SOHO gateways and IoT devices.

📌Black Lotus Labs has added the IoCs from this campaign and the Chalubo malware to their threat intelligence feed, fueling Lumen's Connected Security portfolio.