{
  "name": "The Pumpkin Eclipse - Chalubo Malware",
  "slug": "the-pumpkin-eclipse-chalubo-malware",
  "description": "Chalubo is a commodity remote access trojan (RAT). First identified in 2018, it employed savvy tradecraft to obfuscate its activity: it removed all files from disk to run in memory, assumed a random process name already present on the device, and encrypted all communications with the command and control (C2) server. Chalubo has payloads designed for all major SOHO/IoT kernels, pre-built functionality to perform DDoS attacks, and can execute any Lua script sent to the bot.",
  "published": "2024-06-04T13:58:48+00:00",
  "created_at": "2024-06-04T13:58:48+00:00",
  "modified_at": "2024-06-04T14:31:19+00:00",
  "created_at_opencti": "2024-06-04T13:58:48+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2024-06-04",
    "actiontec",
    "black",
    "body",
    "button",
    "chalubo",
    "chalubo malware",
    "close",
    "code",
    "contact",
    "copy",
    "ddos",
    "download",
    "enterprise",
    "find",
    "footer",
    "form",
    "header dropdown",
    "iconbutton",
    "link",
    "lotus labs",
    "lua script",
    "lumen",
    "main",
    "meta",
    "next",
    "november",
    "october",
    "open",
    "path",
    "product",
    "reload",
    "script",
    "soho",
    "solutions",
    "span",
    "star",
    "template",
    "write"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "91.211.88.225"
      },
      {
        "id": "",
        "name": "45.116.160.62"
      },
      {
        "id": "",
        "name": "45.116.160.182"
      },
      {
        "id": "",
        "name": "45.116.160.154"
      },
      {
        "id": "",
        "name": "45.116.160.115"
      },
      {
        "id": "",
        "name": "45.116.160.105"
      },
      {
        "id": "",
        "name": "45.116.160.100"
      },
      {
        "id": "",
        "name": "38.54.27.204"
      },
      {
        "id": "",
        "name": "216.118.241.206"
      },
      {
        "id": "",
        "name": "216.118.241.205"
      },
      {
        "id": "",
        "name": "216.118.241.204"
      },
      {
        "id": "",
        "name": "216.118.241.203"
      },
      {
        "id": "",
        "name": "216.118.241.202"
      },
      {
        "id": "",
        "name": "2.59.223.253"
      },
      {
        "id": "",
        "name": "2.59.223.226"
      },
      {
        "id": "",
        "name": "2.59.223.218"
      },
      {
        "id": "",
        "name": "2.59.223.213"
      },
      {
        "id": "",
        "name": "2.59.223.144"
      },
      {
        "id": "",
        "name": "2.59.222.99"
      },
      {
        "id": "",
        "name": "2.59.222.97"
      },
      {
        "id": "",
        "name": "2.59.222.35"
      },
      {
        "id": "",
        "name": "2.59.222.146"
      },
      {
        "id": "",
        "name": "2.59.222.126"
      },
      {
        "id": "",
        "name": "2.59.222.125"
      },
      {
        "id": "",
        "name": "2.59.222.124"
      },
      {
        "id": "",
        "name": "2.59.222.102"
      },
      {
        "id": "",
        "name": "194.36.190.99"
      },
      {
        "id": "",
        "name": "185.189.241.246"
      },
      {
        "id": "",
        "name": "185.189.241.180"
      },
      {
        "id": "",
        "name": "185.189.240.21"
      },
      {
        "id": "",
        "name": "180.178.46.245"
      },
      {
        "id": "",
        "name": "180.178.46.244"
      },
      {
        "id": "",
        "name": "180.178.46.242"
      },
      {
        "id": "",
        "name": "141.193.159.11"
      },
      {
        "id": "",
        "name": "141.193.159.10"
      },
      {
        "id": "",
        "name": "139.5.202.19"
      },
      {
        "id": "",
        "name": "139.5.202.18"
      },
      {
        "id": "",
        "name": "116.213.39.6"
      },
      {
        "id": "",
        "name": "116.213.39.5"
      },
      {
        "id": "",
        "name": "116.213.39.4"
      },
      {
        "id": "",
        "name": "116.213.39.3"
      },
      {
        "id": "",
        "name": "116.213.39.2"
      },
      {
        "id": "",
        "name": "114.29.255.77"
      },
      {
        "id": "",
        "name": "114.29.255.123"
      },
      {
        "id": "",
        "name": "112.121.165.78"
      },
      {
        "id": "",
        "name": "112.121.165.76"
      },
      {
        "id": "",
        "name": "112.121.165.75"
      },
      {
        "id": "",
        "name": "107.148.88.123"
      },
      {
        "id": "",
        "name": "107.148.0.182"
      },
      {
        "id": "",
        "name": "104.233.210.119"
      },
      {
        "id": "",
        "name": "104.233.210.118"
      },
      {
        "id": "",
        "name": "104.233.167.82"
      },
      {
        "id": "",
        "name": "104.233.167.81"
      },
      {
        "id": "",
        "name": "104.233.167.63"
      },
      {
        "id": "",
        "name": "104.233.167.62"
      },
      {
        "id": "",
        "name": "104.233.167.103"
      },
      {
        "id": "",
        "name": "104.233.166.194"
      },
      {
        "id": "",
        "name": "104.233.166.129"
      },
      {
        "id": "",
        "name": "103.84.84.251"
      },
      {
        "id": "",
        "name": "103.248.22.5"
      },
      {
        "id": "",
        "name": "103.248.22.16"
      },
      {
        "id": "",
        "name": "103.244.2.217"
      },
      {
        "id": "",
        "name": "103.244.2.171"
      },
      {
        "id": "",
        "name": "103.244.2.170"
      },
      {
        "id": "",
        "name": "103.140.187.149"
      },
      {
        "id": "",
        "name": "103.117.147.67"
      },
      {
        "id": "",
        "name": "103.117.146.222"
      },
      {
        "id": "",
        "name": "103.117.146.220"
      },
      {
        "id": "",
        "name": "103.117.146.219"
      },
      {
        "id": "",
        "name": "103.117.146.218"
      },
      {
        "id": "",
        "name": "103.117.145.110"
      },
      {
        "id": "",
        "name": "103.117.145.109"
      },
      {
        "id": "",
        "name": "103.117.145.108"
      },
      {
        "id": "",
        "name": "103.117.145.107"
      },
      {
        "id": "",
        "name": "103.117.145.106"
      },
      {
        "id": "",
        "name": "91.211.88.6"
      },
      {
        "id": "",
        "name": "34.19.73.9"
      },
      {
        "id": "",
        "name": "2.59.222.3"
      },
      {
        "id": "",
        "name": "185.189.240.13"
      },
      {
        "id": "",
        "name": "180.178.46.246"
      },
      {
        "id": "",
        "name": "180.178.46.243"
      },
      {
        "id": "",
        "name": "139.5.202.106"
      },
      {
        "id": "",
        "name": "112.121.165.77"
      },
      {
        "id": "",
        "name": "112.121.165.74"
      },
      {
        "id": "",
        "name": "103.117.147.66"
      },
      {
        "id": "",
        "name": "103.84.84.250"
      },
      {
        "id": "",
        "name": "103.244.2.218"
      },
      {
        "id": "",
        "name": "36.75.75.75"
      },
      {
        "id": "",
        "name": "138.112.25.25"
      },
      {
        "id": "",
        "name": "123.181.24.36"
      },
      {
        "id": "",
        "name": "1.13.16.45"
      },
      {
        "id": "",
        "name": "71.162.181.51"
      },
      {
        "id": "",
        "name": "http://104.233.210.119:51248/get_scrpc"
      },
      {
        "id": "",
        "name": "http://104.233.210.119:51248/get_fwuueicj."
      },
      {
        "id": "",
        "name": "www.v5002.cn"
      },
      {
        "id": "",
        "name": "https://www.v5002.cn"
      },
      {
        "id": "",
        "name": "https://mh.55dmh.com"
      },
      {
        "id": "",
        "name": "https://m.isanyin.com"
      },
      {
        "id": "",
        "name": "https://m.aiguoba.com"
      },
      {
        "id": "",
        "name": "https://dh.id3cqcmgjcb.top"
      },
      {
        "id": "",
        "name": "https://cu6s.com"
      },
      {
        "id": "",
        "name": "http://xmsecu100.net/23652xxxxx000008skcai/res.dat"
      },
      {
        "id": "",
        "name": "http://xmsecu.net/00030695mcksiqq/res.dat\\t"
      },
      {
        "id": "",
        "name": "http://xmsecu.net/00030695mcksiqq/res.dat"
      },
      {
        "id": "",
        "name": "http://xmsecu.io/c638020vkklkjjiu/res.dat"
      },
      {
        "id": "",
        "name": "http://xmsecu.io/00030678bbgstrjs/res.dat"
      },
      {
        "id": "",
        "name": "http://xmsecu.io/00030674uucyttsikk/res.dat"
      },
      {
        "id": "",
        "name": "http://secu100.com/23652xxxxx000008skcai/res.dat"
      },
      {
        "id": "",
        "name": "http://sainnguatc.com:8080/ASUHALUMNABTC/res.dat"
      },
      {
        "id": "",
        "name": "http://sainnguatc.com:8080/ASUHALUMNABTC"
      },
      {
        "id": "",
        "name": "http://coreconf.net:8080/E2XRIEGSOAPU3Z5Q8/mips"
      },
      {
        "id": "",
        "name": "http://nihiosuxnmo.com:8080/SASBCKXOWYALLCZXF"
      },
      {
        "id": "",
        "name": "http://coreconf.net:8080/E2XRIEGSOAPU3Z5Q8"
      },
      {
        "id": "",
        "name": "http://ammhdfgygb.com/dldsc522dsdasd/res.dat"
      },
      {
        "id": "",
        "name": "http://91.211.88.6:8080/ASUHALUMNABTC"
      },
      {
        "id": "",
        "name": "http://91.211.88.225:8080/SASBCKXOWYALLCZXF"
      },
      {
        "id": "",
        "name": "http://2.59.222.97/dldsc522dsdasd/res.dat"
      },
      {
        "id": "",
        "name": "http://194.36.190.99:38291/as/crtarm3"
      },
      {
        "id": "",
        "name": "http://185.189.240.13:8080/E2XRIEGSOAPU3Z5Q8/res.dat"
      },
      {
        "id": "",
        "name": "http://185.189.240.13:8080/E2XRIEGSOAPU3Z5Q8"
      },
      {
        "id": "",
        "name": "mh.55dmh.com"
      },
      {
        "id": "",
        "name": "m.isanyin.com"
      },
      {
        "id": "",
        "name": "m.aiguoba.com"
      },
      {
        "id": "",
        "name": "lighten.medyamol.com"
      },
      {
        "id": "",
        "name": "dh.id3cqcmgjcb.top"
      },
      {
        "id": "",
        "name": "axon-stall.riddlecamera.net"
      },
      {
        "id": "",
        "name": "xmsecu100.net"
      },
      {
        "id": "",
        "name": "xmsecu.net"
      },
      {
        "id": "",
        "name": "xmsecu.io"
      },
      {
        "id": "",
        "name": "secu100.com"
      },
      {
        "id": "",
        "name": "sainnguatc.com"
      },
      {
        "id": "",
        "name": "nihiosuxnmo.com"
      },
      {
        "id": "",
        "name": "cu6s.com"
      },
      {
        "id": "",
        "name": "coreconf.net"
      },
      {
        "id": "",
        "name": "ammhdfgygb.com"
      },
      {
        "id": "",
        "name": "2fgithub.com"
      },
      {
        "id": "",
        "name": "f9db9632ffd7e3bd5b700025fa9278420de0778029fe2eedb6ea7b3d7b999ef6"
      },
      {
        "id": "",
        "name": "f5894f0cc7d9da2f188b740bb0596206038d9dba430c7d2a145d7454d9f1b4db"
      },
      {
        "id": "",
        "name": "f37eaf27fe12b105c6661d303537787959eeb4bf52c6937d9165fd6b569faf30"
      },
      {
        "id": "",
        "name": "ed9511c16229f4bb41f461e90fff7964e79f2c2d27e7de2b107e4d003e9e0def"
      },
      {
        "id": "",
        "name": "e5030083c101058f52394820420a372bf93bcac2d802902d4d4c91470c96b608"
      },
      {
        "id": "",
        "name": "d9322af52b941e76bec3d2596a1c1be47dffc4fb161656da2c7c45b3d492cfd8"
      },
      {
        "id": "",
        "name": "d68f2ed30f344122db9f9e2729787450e1e8653e98bd61026fb4d75bf89de664"
      },
      {
        "id": "",
        "name": "d6778d5ad096516b881bbf2aca2d790b5217dfb83bb256e3f9d710056c9b512a"
      },
      {
        "id": "",
        "name": "c5317722effa07b56f9e81ef096b1711048eac6629c0ec72d8e8c72c6aae8f41"
      },
      {
        "id": "",
        "name": "d0643c777b0b24ca747f7dc79d3bdfbc04d3095ded760e6a54fa62bfa6945df3"
      },
      {
        "id": "",
        "name": "bdef8e089ffa00794f40f14ad3cdb8f1629241a4ac313bef8fe3d38e08207e4c"
      },
      {
        "id": "",
        "name": "b5fc0c265eb192b2a2d778e66d6f076e876eeacf57c3927e406b4e1b72152038"
      },
      {
        "id": "",
        "name": "b2e2193e49ee1240be30f5040dbb5e2c973cdfb02c3ea88ef4ffeda884de28c2"
      },
      {
        "id": "",
        "name": "a9cea205140babed24faea1b27f62b2f36464b8562223d96ecb617258a2fd284"
      },
      {
        "id": "",
        "name": "9b929bcc182c39540767a9b8237a8436c82997c68d4d2ba710241387c39c27f5"
      },
      {
        "id": "",
        "name": "967289406b0da030a93cefaa2644b109260565f5f767b95ce2a5d96d49c57bf2"
      },
      {
        "id": "",
        "name": "8f4b61975539dbfe903f448636a48168351018801f2581a63d97179c37cad979"
      },
      {
        "id": "",
        "name": "8639bbb3ffe5fa51334c6ab4d45ae1647a29a97f061a9456991333ab166b52fd"
      },
      {
        "id": "",
        "name": "847e7f8209803d786660c5ba6d19ce59f76fe26e3e33e50cbe6dd663d40ad569"
      },
      {
        "id": "",
        "name": "7a81bbb1f7055cd3f30db8bb2a104b969914ccd520cf85c24b25ba5b0c720206"
      },
      {
        "id": "",
        "name": "7a6cdae75006d44d9b61093e5e65ae45c0d153bcc87c6a69974cbdfd6fc3b58b"
      },
      {
        "id": "",
        "name": "6be5b4bc461f1ba931bfe773df66bf5f8052626adbdf2b1156a06d0da2d8d3d1"
      },
      {
        "id": "",
        "name": "619564061e62a6352f0ce1a06d2883d46eb69df16322b30e8a2a9c65e2d32f5f"
      },
      {
        "id": "",
        "name": "5fc8534d490312823a49e2a13afc8a7b6b026280c79db704465fddd8a1fdc376"
      },
      {
        "id": "",
        "name": "5b9405418b654c9418e514ae3420c72af58d418adefca43644bf2bf14d89cc5a"
      },
      {
        "id": "",
        "name": "5b7874b18e8365e07624946a33518988aea4c72478a285a36047b4ba554a7576"
      },
      {
        "id": "",
        "name": "59437e986acd685ad3ce48bf010efff22aa866c0fa066b0e64e510ecb026dd1a"
      },
      {
        "id": "",
        "name": "5621cdb8d07900a333d022a9696c1a6f7e45d6cfc713558c462a3ace7c4b426f"
      },
      {
        "id": "",
        "name": "51c421f69ad5d7a8de69efa798d1784ce7b41886dece435b879a5815a7f7a2c2"
      },
      {
        "id": "",
        "name": "49c04e56dfb17ac16acddfcf9eff7ae82d70294a8ec70b6365ab43a07441badd"
      },
      {
        "id": "",
        "name": "38c639a245e1dd04786881fae1060fbd72d3ed419b2f0d38d6082dc9d67876c3"
      },
      {
        "id": "",
        "name": "2ec65d77b5146dc898acf5b14df33f49306d539f6d84784e135d32d1807b37ce"
      },
      {
        "id": "",
        "name": "2a65fdd8c44a6b7191c09702d9f747471564346c465a42b9abbb4dfa1bc5f7fb"
      },
      {
        "id": "",
        "name": "2653886ab93ab5d7c779b796f87199e033ce012970d565d91cf9063d6149a1f8"
      },
      {
        "id": "",
        "name": "117bd27a209d6350b10f5c8f8cf841755c253276460be8c7681f5357e07d2e0c"
      },
      {
        "id": "",
        "name": "0f9cfe8eefbb983daa9c0e4bfb14a29a534b1c6d00fc16fe8a762d109ad0e037"
      },
      {
        "id": "",
        "name": "0c7c6926e854aac4dc4821be07f826157b576d0a217d74d5675d7b32eb78b50e"
      },
      {
        "id": "",
        "name": "00550d5c2ed14a445ae13cff8eff32ba7a7dd502d145481bcd18161cf1df540d"
      },
      {
        "id": "",
        "name": "a8a2c2f82d542b0e05848d102e2f04239982b48ba7522a83dfc8b1308d7a8c12"
      },
      {
        "id": "",
        "name": "82c569b93da5c18ed649ebd4c2c79437db4611a6a1373e805a3cb001c64130b7"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:96d9a4f0ce37f371",
        "name": "Chalubo",
        "slug": "chalubo"
      }
    ],
    "attack_patterns": [
      {
        "id": "4c308832-9a56-4e0a-bf40-f98d3a7fd54f",
        "name": "T1495"
      },
      {
        "id": "8598a502-2b24-4c8a-8ec3-45179f49e5b7",
        "name": "T1199"
      },
      {
        "id": "dc17cbbd-40d8-43cf-b3cf-50d1276db2c7",
        "name": "T1016"
      },
      {
        "id": "53b3b18c-d0d0-4bf6-bc6b-2c0ab9180deb",
        "name": "T1070"
      },
      {
        "id": "a7262c61-4567-4a00-8cec-aae6264234a9",
        "name": "T1218"
      },
      {
        "id": "8ed2b0cb-034c-4425-920d-ee06e5cf98ed",
        "name": "T1104"
      },
      {
        "id": "870bd958-53a3-4d25-9f23-00aa8bd6674d",
        "name": "T1102"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "358e04b8-6f65-48b2-a24b-f101bfc6671a",
        "name": "T1195"
      }
    ]
  },
  "external_refs": [
    "https://blog.lumen.com/the-pumpkin-eclipse/",
    "https://github.com/blacklotuslabs/IOCs/blob/main/Pumpkin_Eclipse_IOCs.txt",
    "https://otx.alienvault.com/pulse/665f39b83296d4300d2fbc27"
  ]
}