"Mysterious Threat Actor Used Chalubo Malware to Brick 600,000 Routers"

According to security researchers at Lumen Technologies, more than 600,000 small office/home office (SOHO) routers belonging to the same ISP were rendered inoperable in a single destructive event. The researchers noted that the impacted router models, from ActionTec and Sagemcom, were confined to the ISP's autonomous system number (ASN) and were likely infected with Chalubo, a remote access trojan (RAT) that ensnares devices into a botnet. The destructive incident occurred over a 72-hour window between October 25 and October 27, 2023, and impacted ActionTec T3200s, ActionTec T3260s, and Sagemcom F5380 router models. The event resulted in roughly 49% of the impacted ASN's modems being taken offline, with the affected devices having to be physically replaced. The researchers estimated that roughly 179,000 ActionTec and 480,000 Sagemcom routers may have been bricked overall. The threat actor responsible for the attack likely chose Chalubo to deploy malicious firmware on the impacted routers in order to complicate attribution, but no evidence of overlap between this incident and known nation-state actors, such as Volt Typhoon, has been found. First discovered in 2018, Chalubo ensnares devices in a botnet capable of launching distributed denial-of-service (DDoS) attacks and also supports the execution of Lua scripts on infected devices. After infection, the trojan resides only in memory, which makes it difficult to detect.


SecurityWeek reports: "Mysterious Threat Actor Used Chalubo Malware to Brick 600,000 Routers"

Submitted by Adam Ekwall on