Analysts from the Chinese company Qihoo 360 have discovered Godlua, a piece of malware written in Lua. It is the first known threat that abuses the DNS over HTTPS (DoH) protocol.
Experts say that Godlua behaves as a backdoor in infected systems.
“Our Unknown Threat Detection System highlighted a suspicious ELF file which was marked by a few vendors as a mining-related trojan on VT. We cannot confirm it has a mining-related module, but we do see it starts to perform DDoS function recently,” Qihoo 360 specialists reported.
For example, the researchers recorded a DDoS attack against the domain liuxiaobei[.]com (defanged here).
So far, the researchers have found two versions of Godlua, and their infrastructure turned out to be very similar. Both use DNS over HTTPS queries to hide the communication between infected machines and the attacker-controlled command-and-control (C&C) servers.
This makes the malware's traffic harder to analyze. The first version (201811051556) targets only Linux, while the second (20190415103713 ~ 2019062117473) also runs on Windows, has more built-in commands and supports more CPU architectures.
According to the researchers, version 201811051556 is no longer updated, whereas the second version is under active development, as shown by its added functions and cross-platform support.
The attackers are reported to compromise Linux servers through the Atlassian Confluence Server vulnerability CVE-2019-3396, but the researchers believe that other infection vectors exist as well.
Both known Godlua versions use DoH to retrieve DNS TXT records in which the URLs of the attackers' C&C servers are stored. Pulling C&C URLs out of DNS records is not new in itself; what is new here is that the lookup is issued as a DoH request instead of a classic DNS query.
As the name suggests, DNS over HTTPS sends DNS queries inside an encrypted HTTPS connection instead of as plain-text DNS on UDP port 53. The query and its answer are therefore invisible to a passive observer, including security tools that rely on passive DNS monitoring to block lookups of known malicious domains. What a defender can still see is that the host opened a TLS connection to a DoH resolver; the lookup itself becomes visible again only where that HTTPS traffic is decrypted (for example by a TLS-intercepting proxy) or logged at the resolver, which is why blocking or logging known DoH endpoints is the usual countermeasure.
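To make the mechanism described above concrete, the following is an added example (not code from Qihoo 360 or from Godlua itself). It builds the wire-format DNS query for a TXT record, encodes it into an RFC 8484 DoH GET URL, parses a constructed DoH response to extract the TXT string that would carry a C&C URL, and shows the defender-side step: recovering the queried name from the DoH URL once the HTTPS traffic can be inspected. The resolver endpoint, record name and TXT value are all hypothetical placeholders, not real Godlua indicators.

```python
import base64
import struct

# Hypothetical values, constructed for this example only (not Godlua's real infrastructure).
DOH_ENDPOINT = "https://dns.example/dns-query"   # assumed DoH resolver
C2_RECORD_NAME = "c2.example.net"                # assumed name of the TXT record holding the C&C URL
QTYPE_TXT, QCLASS_IN = 16, 1


def build_txt_query(name, txn_id=0x1234):
    """Build a DNS wire-format query (RFC 1035) asking for the TXT record of `name`."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)  # flags: RD set; 1 question
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_TXT, QCLASS_IN)


def doh_get_url(endpoint, query):
    """RFC 8484 GET form: the raw DNS message, base64url-encoded without padding, in the `dns` parameter."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode()
    return f"{endpoint}?dns={b64}"


def _read_name(msg, offset):
    """Decode a DNS name at `offset`, following compression pointers; return (name, offset_after_name)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer (RFC 1035 4.1.4)
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode())
        offset += length
    return ".".join(labels), end


def parse_txt_answers(msg):
    """Return the TXT strings found in the answer section of a DNS wire-format response."""
    _txn_id, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):                            # skip the echoed question(s)
        _, offset = _read_name(msg, offset)
        offset += 4                                     # QTYPE + QCLASS
    texts = []
    for _ in range(ancount):
        _, offset = _read_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_TXT:                          # TXT RDATA is a sequence of <len><bytes> strings
            i, parts = 0, []
            while i < len(rdata):
                n = rdata[i]
                parts.append(rdata[i + 1:i + 1 + n].decode())
                i += 1 + n
            texts.append("".join(parts))
    return texts


def build_txt_response(query, txt_value):
    """Constructed resolver reply: echo the question and add one TXT answer (name via pointer to offset 12)."""
    txn_id = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txn_id, 0x8180, 1, 1, 0, 0)   # QR, RD, RA; 1 question, 1 answer
    rdata = bytes([len(txt_value)]) + txt_value.encode()
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_IN, 300, len(rdata)) + rdata
    return header + query[12:] + answer


def name_from_doh_url(url):
    """Defender side: given the GET URL seen at a TLS-intercepting proxy, recover the queried name."""
    b64 = url.split("?dns=", 1)[1]
    b64 += "=" * (-len(b64) % 4)                        # restore the padding RFC 8484 strips
    query = base64.urlsafe_b64decode(b64)
    name, _ = _read_name(query, 12)
    return name


def fetch_c2_urls_offline():
    """Full exchange with a constructed reply, so it runs without network; returns the TXT strings."""
    query = build_txt_query(C2_RECORD_NAME)
    url = doh_get_url(DOH_ENDPOINT, query)               # what the malware would GET over HTTPS
    reply = build_txt_response(query, "https://c2.example.net/update")   # constructed resolver answer
    return url, parse_txt_answers(reply)


if __name__ == "__main__":
    url, urls = fetch_c2_urls_offline()
    print("DoH GET:", url)
    print("queried name recovered from URL:", name_from_doh_url(url))
    print("C&C URLs from TXT:", urls)
```

The point of `name_from_doh_url` is the caveat above: on the wire a DoH lookup is just a TLS connection to the resolver, but wherever the HTTPS request itself is visible (a decrypting proxy, or resolver-side logs), the `dns=` parameter decodes straight back into the DNS question, and TXT lookups of odd names from server hosts are worth alerting on.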