Godlua is the first known malware to abuse the DNS over HTTPS (DoH) protocol

Analysts from the Chinese company Qihoo 360 have discovered the Godlua malware, which is written in Lua.

It is the first threat known to specialists that abuses the DNS over HTTPS (DoH) protocol.

Experts say that Godlua behaves as a backdoor on infected systems.

“Our Unknown Threat Detection System highlighted a suspicious ELF file which was marked by a few vendors as a mining-related trojan on VT. We cannot confirm it has a mining-related module, but we do see it start to perform a DDoS function recently”, reported Qihoo 360 specialists.

For example, the experts recorded a DDoS attack on the site liuxiaobei[.]com.

So far, researchers have found two versions of Godlua with very similar infrastructure. Both use DNS over HTTPS queries to hide the lookups by which infected machines locate the attacker-controlled command-and-control (C&C) servers.

This makes the malware's traffic harder to analyze. The first version (201811051556) targets only Linux, while the second (20190415103713 ~ 2019062117473) can also infect Windows machines, has more built-in commands and supports more CPU architectures.


According to the researchers, version 201811051556 is no longer being updated, while the second version is under active development, as its additional commands and cross-platform support show.

The attackers reportedly compromise Linux servers with an exploit for the Atlassian Confluence Server vulnerability CVE-2019-3396, but the researchers believe other infection vectors exist as well.

Both known Godlua versions use DoH to fetch DNS TXT records in which the C&C URLs are stored. Retrieving C&C addresses from DNS records is not new in itself; the novelty is that the lookup is made with a DoH request instead of a classic DNS query.

As the name suggests, DNS over HTTPS sends DNS queries inside an HTTPS connection (TCP port 443) rather than as plaintext UDP datagrams to port 53. The query and the response are therefore encrypted and invisible to third-party observers, including security tools that rely on passive DNS monitoring to block requests to known malicious domains. Note that the HTTPS session itself is still visible: a connection to a known public DoH resolver, or a TLS handshake whose SNI names one, can still be flagged at the network level even though the queried name cannot be seen.
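To make the mechanism concrete, the following is an added example of a minimal RFC 8484 DoH client in Python; it is not Godlua's code and not taken from the Qihoo 360 report. It builds a wire-format DNS query for a TXT record, wraps it in the DoH GET form (base64url in the `dns` parameter), and parses the TXT strings out of the resolver's `application/dns-message` reply, which is where a C&C URL would be carried. The resolver URL `https://dns.example/dns-query`, the name `c2.example` and the TXT payload are constructed for illustration; `build_txt_response` fakes the resolver's reply so the parser can be exercised offline.

```python
"""Minimal DoH (RFC 8484) TXT lookup: query builder, URL form and answer parser.

Added example, not Godlua's code. Resolver, domain and payload are assumptions.
"""
import base64
import struct
import urllib.request

DOH_RESOLVER = "https://dns.example/dns-query"  # assumption: any RFC 8484 resolver
TYPE_TXT = 16
CLASS_IN = 1


def build_txt_query(name: str, txid: int = 0) -> bytes:
    """Encode a standard DNS query '<name> IN TXT' in wire format (RFC 1035)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", TYPE_TXT, CLASS_IN)


def doh_get_url(resolver: str, query: bytes) -> str:
    """RFC 8484 GET form: the query as unpadded base64url in the 'dns' parameter."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver}?dns={b64}"


def _skip_name(msg: bytes, off: int) -> int:
    """Skip a possibly compressed domain name, returning the offset after it."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_txt_answers(msg: bytes) -> list[str]:
    """Return the TXT strings from the answer section of a DNS response message."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if flags & 0x8000 == 0:
        raise ValueError("not a DNS response")
    if flags & 0x000F != 0:
        raise ValueError(f"resolver returned RCODE {flags & 0xF}")
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # QTYPE + QCLASS
    texts = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_TXT:
            # TXT RDATA is a sequence of <len><bytes> character-strings; join them
            pos, parts = 0, []
            while pos < len(rdata):
                n = rdata[pos]
                parts.append(rdata[pos + 1:pos + 1 + n].decode("utf-8", "replace"))
                pos += 1 + n
            texts.append("".join(parts))
    return texts


def build_txt_response(query: bytes, txt: str) -> bytes:
    """Constructed resolver reply to <query> carrying one TXT record (offline test aid)."""
    assert len(txt) < 256, "a single character-string is at most 255 bytes"
    header = query[:2] + struct.pack(">HHHHH", 0x8180, 1, 1, 0, 0)  # QR+RD+RA, 1 answer
    rdata = bytes([len(txt)]) + txt.encode("utf-8")
    answer = b"\xc0\x0c" + struct.pack(">HHIH", TYPE_TXT, CLASS_IN, 60, len(rdata)) + rdata
    return header + query[12:] + answer  # echo the question section, then the answer


def resolve_txt_over_doh(name: str, resolver: str = DOH_RESOLVER) -> list[str]:
    """Live lookup over HTTPS (needs network); everything on the wire is inside TLS."""
    req = urllib.request.Request(doh_get_url(resolver, build_txt_query(name)),
                                 headers={"Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_txt_answers(resp.read())


if __name__ == "__main__":
    q = build_txt_query("c2.example", txid=0x1234)
    print("GET", doh_get_url(DOH_RESOLVER, q))
    print("TXT:", parse_txt_answers(build_txt_response(q, "https://c2.example/api")))
```

The only thing a passive DNS sensor on port 53 could see here is nothing at all; what remains observable is the TLS connection to the resolver host, which is why blocking or alerting on known DoH resolver endpoints is the usual compensating control.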

Security experts now worry that Godlua may be only the first of many: once other malware developers appreciate the advantages of DoH, passive DNS monitoring could become almost useless.

William Reddy

I am from Ireland. My parents bought me a computer when I was 11, and several months later I got a virus on this PC. I decided to enter the INSA Centre Val de Loire university after graduating from school. This French educational institution was offering a brand-new cybersecurity course. After getting my master's degree in cybersecurity, I started working as a virus analyst at a small anti-malware vendor. In 2018, I decided to start the Virus Removal project. The main goal of this site is to help people deal with PC viruses of any kind.
