Pulse Detail — Threat Intelligence

PULSE NAME

The Pumpkin Eclipse - Chalubo Malware

WHITE AlienVault 2024-06-04 Modified: 2024-07-02

IOCs

HIGH VOLUME

Chalubo is a commodity remote access trojan (RAT). First identified in 2018, employed savvy tradecraft to obfuscate its activity; it removed all files from disk to run in-memory, assumed a random process name already present on the device, and encrypted all communications with the command and control (C2) server. Chalubo has payloads designed for all major SOHO/IoT kernels, pre-built functionality to perform DDoS attacks, and can execute any Lua script sent to the bot.

lua script soho

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1195 T1199 T1140 T1055 T1102 T1104 T1016 T1070 T1218 T1495

MALWARE FAMILIES

Chalubo

Indicators of Compromise (7 / 93 total)

All FileHash-MD5 FileHash-SHA1 FileHash-SHA256 URL domain hostname

TYPE	INDICATOR	DESCRIPTION	CREATED
FileHash-SHA1	59d70e5a2b470827a750bf2ef36020aec61ae386	SHA1 of a8a2c2f82d542b0e05848d102e2f04239982b48ba7522a83dfc8b1308d7a8c12	2024-06-04
FileHash-SHA1	183fa84e35bb498efb4dfb05d2a4997cd66e2f0f	—	2024-06-04
FileHash-SHA1	21d9ae29551dcbe39de375bdf8ada5a47b0e2372	—	2024-06-04
FileHash-SHA1	27dc61dd0bb9a53799ae29c6927f38d98ccdb27b	—	2024-06-04
FileHash-SHA1	6c6609264e9e4b365e1bd7df187f4405a1df3f02	—	2024-06-04
FileHash-SHA1	851da211a48eda4fb1bb9914bc6afe2adae82da0	SHA1 of f9db9632ffd7e3bd5b700025fa9278420de0778029fe2eedb6ea7b3d7b999ef6	2024-06-04
FileHash-SHA1	adc617d5bc875d26fef3ef469e88a16079c50274	—	2024-06-04

References (2)

↗ https://github.com/blacklotuslabs/IOCs/blob/main/Pumpkin_Eclipse_IOCs.txt ↗ https://blog.lumen.com/the-pumpkin-eclipse/