Pulse Detail — Threat Intelligence

PULSE NAME

The Pumpkin Eclipse - Chalubo Malware

WHITE AlienVault 2024-06-04 Modified: 2024-07-02

IOCs

HIGH VOLUME

Chalubo is a commodity remote access trojan (RAT). First identified in 2018, employed savvy tradecraft to obfuscate its activity; it removed all files from disk to run in-memory, assumed a random process name already present on the device, and encrypted all communications with the command and control (C2) server. Chalubo has payloads designed for all major SOHO/IoT kernels, pre-built functionality to perform DDoS attacks, and can execute any Lua script sent to the bot.

lua script soho

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1195 T1199 T1140 T1055 T1102 T1104 T1016 T1070 T1218 T1495

MALWARE FAMILIES

Chalubo

Indicators of Compromise (2 / 93 total)

All FileHash-MD5 FileHash-SHA1 FileHash-SHA256 URL domain hostname

TYPE	INDICATOR	DESCRIPTION	CREATED
FileHash-MD5	d23dab9c57284b5457c991abe63b7cd4	MD5 of a8a2c2f82d542b0e05848d102e2f04239982b48ba7522a83dfc8b1308d7a8c12	2024-06-04
FileHash-MD5	28827aba3675e1a802bb7d8113701615	MD5 of f9db9632ffd7e3bd5b700025fa9278420de0778029fe2eedb6ea7b3d7b999ef6	2024-06-04

References (2)

↗ https://github.com/blacklotuslabs/IOCs/blob/main/Pumpkin_Eclipse_IOCs.txt ↗ https://blog.lumen.com/the-pumpkin-eclipse/