May 31, 2024 at 04:24PM

Researchers from Lumen’s Black Lotus Labs report a large-scale destructive incident they have named Pumpkin Eclipse: between October 25 and October 27, 2023, more than 600,000 routers belonging to a single provider were knocked offline and rendered inoperable.

Despite its scale, the attack was narrowly targeted: a single Internet Service Provider (ISP) in the United States and three router models it supplied to customers: ActionTec T3200s, ActionTec T3260s and Sagemcom F5380.

The affected devices could not be recovered in the field; restoring service required physically replacing them.

Although Black Lotus did not name the victim in its report, Windstream experienced a widespread outage during the same period, as documented by customer posts on Reddit and DSLReports.

The company itself declined to comment.

Researchers were unable to identify the vulnerability used for initial access, so the attackers most likely either exploited a 0-day or abused weak credentials on an administrative interface that was reachable from the Internet. Either way, the practical lesson for operators is the same: device management interfaces should not be exposed on the WAN side, and default or shared credentials must be rotated before deployment.

The first-stage payload is a bash script named get_scrpc, which fetches a second script, get_strtriiush, which in turn drops and runs the main Chalubo payload (“mips.elf”).

Chalubo runs entirely from memory and builds in a 30-minute delay, which helps it slip past time-limited sandboxes and automated analysis.

The bot encrypts its C2 traffic with ChaCha20 to protect the communication channel, and after start-up it erases its files from disk and changes its process name so that neither a file scan nor a casual look at the process list reveals it.
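The two traits just described, a binary that has been unlinked from disk while still running and a process whose kernel-visible name no longer matches its executable, are both visible through /proc on any Linux-based router. The following check is an added example written for this page; it is not code from the Black Lotus Labs report or from Chalubo. It assumes standard Linux /proc semantics (readlink on /proc/<pid>/exe appends " (deleted)" once the file is gone; /proc/<pid>/comm is truncated to 15 characters) and runs against a constructed /proc snapshot so it can be exercised offline. The sample process table, the pids and the path /tmp/mips.elf in it are invented for the demonstration.

```python
import os
import tempfile
from typing import NamedTuple

# Linux truncates /proc/<pid>/comm to 15 characters (TASK_COMM_LEN - 1), so the
# kernel-visible name is compared against only that prefix of the exe basename.
COMM_LEN = 15
DELETED_SUFFIX = " (deleted)"

# Multi-call binaries whose comm legitimately differs from the exe basename:
# BusyBox applets report comm "sh", "udhcpc", ... while exe is /bin/busybox.
MULTICALL_BINARIES = {"busybox"}


class ProcInfo(NamedTuple):
    pid: int
    comm: str  # contents of /proc/<pid>/comm
    exe: str   # readlink target of /proc/<pid>/exe, "" if unreadable


def read_procs(proc_root="/proc"):
    """Snapshot pid, comm and exe for every process under proc_root.
    Kernel threads, and processes we lack permission to inspect, have no
    readable exe link and are recorded with exe == ""."""
    procs = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        base = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(base, "comm")) as f:
                comm = f.read().strip()
        except OSError:
            continue  # process exited between listdir and open
        try:
            exe = os.readlink(os.path.join(base, "exe"))
        except OSError:
            exe = ""
        procs.append(ProcInfo(int(entry), comm, exe))
    return procs


def suspicious(procs):
    """Return [(pid, [reasons, ...])] for processes showing either trait."""
    findings = []
    for p in procs:
        if not p.exe:
            continue  # nothing to compare against (kernel thread or no permission)
        reasons = []
        if p.exe.endswith(DELETED_SUFFIX):
            reasons.append("executable unlinked from disk")
        path = p.exe[:-len(DELETED_SUFFIX)] if p.exe.endswith(DELETED_SUFFIX) else p.exe
        exe_name = os.path.basename(path)
        if exe_name not in MULTICALL_BINARIES and exe_name[:COMM_LEN] != p.comm[:COMM_LEN]:
            reasons.append(f"process name {p.comm!r} does not match binary {exe_name!r}")
        if reasons:
            findings.append((p.pid, reasons))
    return findings


def build_sample_proc():
    """Constructed /proc snapshot for offline testing (not real telemetry):
    a benign daemon, a BusyBox applet, and an implant-like process whose
    binary is gone and whose name mimics a kernel worker thread."""
    root = tempfile.mkdtemp(prefix="fakeproc_")
    sample = {
        101: ("dropbear", "/usr/sbin/dropbear"),
        202: ("sh", "/bin/busybox"),
        303: ("kworker/0:1", "/tmp/mips.elf" + DELETED_SUFFIX),
    }
    for pid, (comm, exe) in sample.items():
        pid_dir = os.path.join(root, str(pid))
        os.makedirs(pid_dir)
        with open(os.path.join(pid_dir, "comm"), "w") as f:
            f.write(comm + "\n")
        # A dangling symlink reproduces what readlink returns for a deleted exe.
        os.symlink(exe, os.path.join(pid_dir, "exe"))
    return root


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_proc()
    for pid, reasons in suspicious(read_procs(root)):
        print(f"pid {pid}: " + "; ".join(reasons))
```

Run it with no arguments to see the constructed case, or pass a real /proc (as root, so the exe links are readable). Treat the output as triage input rather than a verdict: many legitimate daemons rename themselves with prctl(PR_SET_NAME), and package upgrades leave long-running services with a "(deleted)" exe until they restart, so the two signals together, on a consumer router that should have a very short and stable process list, are what matters. On a BusyBox-only device without Python the same observation is a one-liner, ls -l /proc/[0-9]*/exe piped through grep for "(deleted)".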

The operator tasks the bot through Lua scripts, which are used to exfiltrate data, load additional modules or install new payloads on the infected device.

Chalubo implements a persistence mechanism, so rebooting an infected router does not disrupt the bot’s operation.

The malware also carries DDoS functionality, which hints at what the Chalubo botnet is ordinarily used for and what the Pumpkin Eclipse operator may have had at their disposal.

However, Black Lotus Labs did not find any DDoS attacks from the botnet.

Black Lotus Labs telemetry showed 45 Chalubo C2 panels communicating with more than 650,000 unique IP addresses between October 3 and November 3, 2023, most of them in the United States.

Researchers believe the attacker may have purchased or otherwise obtained access to a Chalubo panel specifically in order to push destructive payloads to routers within a single ASN.

Consistent with that, only one of the 45 panels was involved in the observed attack, and its activity was concentrated on that single American ISP.

Unfortunately, the researchers could not recover the payload that bricked the routers, so they could determine neither how it was done nor why, and they found no links between the malware infrastructure and known APT groups.