New Godlua Backdoor Found Abusing DNS Over HTTPS (DoH) Protocol

New Godlua Backdoor Found Abusing DNS Over HTTPS (DoH) ProtocolA newly discovered backdoor malware dubbed Godlua was discovered conducting DDoS attacks on outdated Linux systems through a vulnerability in the Atlassian Confluence Server (CVE-2019-3396). Unique to this Lua-based malware is its abuse of the DNS over HTTPS (DoH) protocol to secure the communication channel between the bot, the Web Server and the command-and-control (C&C) server.

Netlab researchers that discovered the malware also found that the cybercriminals behind it had already launched an HTTP Flood attack on the liuxiaobei[.]com domain.

Two versions

The researchers found two versions of the malware so far. One version (version 201811051556) was designed to target Linux systems, while the other version (version 20190415103713 ~ 2019062117473) was designed to infect Windows computers. They found that the latter was more actively updated, supports more computer platforms, and has more features.

The version for Linux systems receives only two types of commands from the C&C server, for running custom files and executing Linux commands. The Windows version supports five C&C commands and downloads Lua scripts.

The use of the DNS over HTTPS (DoH) protocol

Both versions use the DNS over HTTPS (DoH) protocol to retrieve the DNS text record of a domain name where the C&C server’s URL is stored. The behavior that retrieves the C&C from DNS text records is not unique to this malware. However, its use of the DoH requests instead of the typical DNS requests works as an evasion tactic for the malware. Using the DoH protocol, DNS requests are usually sent through an encrypted HTTPS connection, increasing the privacy of the malware’s communication channels.

The DoH protocol is still relatively new, but is now supported by many DNS servers, including popular web browsers like Google Chrome.

Security recommendations

Researchers believe that the Godlua backdoor is still being developed and other campaigns could also adopt its use of the DoH protocol in the future. However, certain security measures can reduce the effectivity of similar campaigns, such as defending against the exploits that serve as entry points for malware.

In this case, several attacks exploited the Confluence vulnerability (CVE-2019-3396), many of which were cryptocurrency mining campaigns. This shows how attackers use vulnerabilities in multiple ways and in combination with both old and new malware variants.

Trend Micro™ Deep Security™ provides virtual patching that protects servers and endpoints from threats that abuse vulnerabilities in critical applications. 

Trend Micro™ Deep Discovery™  provides detection, in-depth analysis, and proactive response to attacks using exploits and other similar threats through specialized engines, custom sandboxing, and seamless correlation across the entire attack lifecycle, allowing it to detect threats even without engine or pattern updates.

The Trend Micro Deep Security solution protects user systems from threats that may target the following vulnerability rule:

  • 1009705 – Atlassian Confluence Server Remote Code Execution Vulnerability (CVE-2019-3396)

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.