The Pumpkin Eclipse - Chalubo Malware

June 4, 2024, 4:31 p.m.

Description

Chalubo is a commodity remote access trojan (RAT). First identified in 2018, it employed savvy tradecraft to obfuscate its activity: it removed all files from disk to run in memory, assumed a random process name already present on the device, and encrypted all communications with the command and control (C2) server. Chalubo has payloads designed for all major SOHO/IoT kernels, pre-built functionality to perform DDoS attacks, and can execute any Lua script sent to the bot.

Indicators

  • f9db9632ffd7e3bd5b700025fa9278420de0778029fe2eedb6ea7b3d7b999ef6
  • f5894f0cc7d9da2f188b740bb0596206038d9dba430c7d2a145d7454d9f1b4db
  • f37eaf27fe12b105c6661d303537787959eeb4bf52c6937d9165fd6b569faf30
  • ed9511c16229f4bb41f461e90fff7964e79f2c2d27e7de2b107e4d003e9e0def
  • e5030083c101058f52394820420a372bf93bcac2d802902d4d4c91470c96b608
  • d9322af52b941e76bec3d2596a1c1be47dffc4fb161656da2c7c45b3d492cfd8
  • d68f2ed30f344122db9f9e2729787450e1e8653e98bd61026fb4d75bf89de664
  • d6778d5ad096516b881bbf2aca2d790b5217dfb83bb256e3f9d710056c9b512a
  • c5317722effa07b56f9e81ef096b1711048eac6629c0ec72d8e8c72c6aae8f41
  • d0643c777b0b24ca747f7dc79d3bdfbc04d3095ded760e6a54fa62bfa6945df3
  • bdef8e089ffa00794f40f14ad3cdb8f1629241a4ac313bef8fe3d38e08207e4c
  • b5fc0c265eb192b2a2d778e66d6f076e876eeacf57c3927e406b4e1b72152038
  • b2e2193e49ee1240be30f5040dbb5e2c973cdfb02c3ea88ef4ffeda884de28c2
  • a9cea205140babed24faea1b27f62b2f36464b8562223d96ecb617258a2fd284
  • 9b929bcc182c39540767a9b8237a8436c82997c68d4d2ba710241387c39c27f5
  • 967289406b0da030a93cefaa2644b109260565f5f767b95ce2a5d96d49c57bf2
  • 8f4b61975539dbfe903f448636a48168351018801f2581a63d97179c37cad979
  • 8639bbb3ffe5fa51334c6ab4d45ae1647a29a97f061a9456991333ab166b52fd
  • 847e7f8209803d786660c5ba6d19ce59f76fe26e3e33e50cbe6dd663d40ad569
  • 7a81bbb1f7055cd3f30db8bb2a104b969914ccd520cf85c24b25ba5b0c720206
  • 7a6cdae75006d44d9b61093e5e65ae45c0d153bcc87c6a69974cbdfd6fc3b58b
  • 6be5b4bc461f1ba931bfe773df66bf5f8052626adbdf2b1156a06d0da2d8d3d1
  • 619564061e62a6352f0ce1a06d2883d46eb69df16322b30e8a2a9c65e2d32f5f
  • 5fc8534d490312823a49e2a13afc8a7b6b026280c79db704465fddd8a1fdc376
  • 5b9405418b654c9418e514ae3420c72af58d418adefca43644bf2bf14d89cc5a
  • 5b7874b18e8365e07624946a33518988aea4c72478a285a36047b4ba554a7576
  • 59437e986acd685ad3ce48bf010efff22aa866c0fa066b0e64e510ecb026dd1a
  • 5621cdb8d07900a333d022a9696c1a6f7e45d6cfc713558c462a3ace7c4b426f
  • 51c421f69ad5d7a8de69efa798d1784ce7b41886dece435b879a5815a7f7a2c2
  • 49c04e56dfb17ac16acddfcf9eff7ae82d70294a8ec70b6365ab43a07441badd
  • 38c639a245e1dd04786881fae1060fbd72d3ed419b2f0d38d6082dc9d67876c3
  • 2ec65d77b5146dc898acf5b14df33f49306d539f6d84784e135d32d1807b37ce
  • 2a65fdd8c44a6b7191c09702d9f747471564346c465a42b9abbb4dfa1bc5f7fb
  • 2653886ab93ab5d7c779b796f87199e033ce012970d565d91cf9063d6149a1f8
  • 117bd27a209d6350b10f5c8f8cf841755c253276460be8c7681f5357e07d2e0c
  • 0f9cfe8eefbb983daa9c0e4bfb14a29a534b1c6d00fc16fe8a762d109ad0e037
  • 0c7c6926e854aac4dc4821be07f826157b576d0a217d74d5675d7b32eb78b50e
  • 00550d5c2ed14a445ae13cff8eff32ba7a7dd502d145481bcd18161cf1df540d
  • a8a2c2f82d542b0e05848d102e2f04239982b48ba7522a83dfc8b1308d7a8c12
  • 82c569b93da5c18ed649ebd4c2c79437db4611a6a1373e805a3cb001c64130b7
  • 91.211.88.225
  • 45.116.160.62
  • 45.116.160.182
  • 45.116.160.154
  • 45.116.160.115
  • 45.116.160.105
  • 45.116.160.100
  • 38.54.27.204
  • 216.118.241.206
  • 216.118.241.205
  • 216.118.241.204
  • 216.118.241.203
  • 216.118.241.202
  • 2.59.223.253
  • 2.59.223.226
  • 2.59.223.218
  • 2.59.223.213
  • 2.59.223.144
  • 2.59.222.99
  • 2.59.222.97
  • 2.59.222.35
  • 2.59.222.146
  • 2.59.222.126
  • 2.59.222.125
  • 2.59.222.124
  • 2.59.222.102
  • 194.36.190.99
  • 185.189.241.246
  • 185.189.241.180
  • 185.189.240.21
  • 180.178.46.245
  • 180.178.46.244
  • 180.178.46.242
  • 141.193.159.11
  • 141.193.159.10
  • 139.5.202.19
  • 139.5.202.18
  • 116.213.39.6
  • 116.213.39.5
  • 116.213.39.4
  • 116.213.39.3
  • 116.213.39.2
  • 114.29.255.77
  • 114.29.255.123
  • 112.121.165.78
  • 112.121.165.76
  • 112.121.165.75
  • 107.148.88.123
  • 107.148.0.182
  • 104.233.210.119
  • 104.233.210.118
  • 104.233.167.82
  • 104.233.167.81
  • 104.233.167.63
  • 104.233.167.62
  • 104.233.167.103
  • 104.233.166.194
  • 104.233.166.129
  • 103.84.84.251
  • 103.248.22.5
  • 103.248.22.16
  • 103.244.2.217
  • 103.244.2.171
  • 103.244.2.170
  • 103.140.187.149
  • 103.117.147.67
  • 103.117.146.222
  • 103.117.146.220
  • 103.117.146.219
  • 103.117.146.218
  • 103.117.145.110
  • 103.117.145.109
  • 103.117.145.108
  • 103.117.145.107
  • 103.117.145.106
  • 91.211.88.6
  • 34.19.73.9
  • 2.59.222.3
  • 185.189.240.13
  • 180.178.46.246
  • 180.178.46.243
  • 139.5.202.106
  • 112.121.165.77
  • 112.121.165.74
  • 103.117.147.66
  • 103.84.84.250
  • 103.244.2.218
  • 36.75.75.75
  • 138.112.25.25
  • 123.181.24.36
  • 1.13.16.45
  • 71.162.181.51
  • http://104.233.210.119:51248/get_scrpc
  • http://104.233.210.119:51248/get_fwuueicj.
  • www.v5002.cn
  • https://www.v5002.cn
  • https://mh.55dmh.com
  • https://m.isanyin.com
  • https://m.aiguoba.com
  • https://dh.id3cqcmgjcb.top
  • https://cu6s.com
  • http://xmsecu100.net/23652xxxxx000008skcai/res.dat
  • http://xmsecu.net/00030695mcksiqq/res.dat
  • http://xmsecu.io/c638020vkklkjjiu/res.dat
  • http://xmsecu.io/00030678bbgstrjs/res.dat
  • http://xmsecu.io/00030674uucyttsikk/res.dat
  • http://secu100.com/23652xxxxx000008skcai/res.dat
  • http://sainnguatc.com:8080/ASUHALUMNABTC/res.dat
  • http://sainnguatc.com:8080/ASUHALUMNABTC
  • http://coreconf.net:8080/E2XRIEGSOAPU3Z5Q8/mips
  • http://nihiosuxnmo.com:8080/SASBCKXOWYALLCZXF
  • http://coreconf.net:8080/E2XRIEGSOAPU3Z5Q8
  • http://ammhdfgygb.com/dldsc522dsdasd/res.dat
  • http://91.211.88.6:8080/ASUHALUMNABTC
  • http://91.211.88.225:8080/SASBCKXOWYALLCZXF
  • http://2.59.222.97/dldsc522dsdasd/res.dat
  • http://194.36.190.99:38291/as/crtarm3
  • http://185.189.240.13:8080/E2XRIEGSOAPU3Z5Q8/res.dat
  • http://185.189.240.13:8080/E2XRIEGSOAPU3Z5Q8
  • mh.55dmh.com
  • m.isanyin.com
  • m.aiguoba.com
  • lighten.medyamol.com
  • dh.id3cqcmgjcb.top
  • axon-stall.riddlecamera.net
  • xmsecu100.net
  • xmsecu.net
  • xmsecu.io
  • secu100.com
  • sainnguatc.com
  • nihiosuxnmo.com
  • cu6s.com
  • coreconf.net
  • ammhdfgygb.com
  • 2fgithub.com

Attack Patterns