Godlua Malware- First Malware That Leverages DNS Over HTTPS

DNS Over HTTPS Malware

Godlua Malware- Targets Linux Server Systems too

Security researchers at Netlab have found a new Lua-based backdoor malware known as Godlua. It targets both Windows and Linux systems.

According to Netlab, “the file itself is a Lua-based backdoor; we named it Godlua Backdoor, as the Lua byte-code file loaded by this sample has a magic number of ‘God’.”

Godlua Backdoor has a redundant communication mechanism for its C2 connection: a combination of a hardcoded DNS name, Pastebin.com, GitHub.com and DNS TXT records is used to store the C2 address, which is not something we see often.

At the same time, it uses HTTPS to download Lua byte-code files and DNS over HTTPS to obtain the C2 name, securing communication between the bots, the web server and the C2.

Researchers noticed that there are already two versions of Godlua Backdoor, with updates ongoing. Netlab also observed that the attackers have been using the Lua command to run Lua code dynamically and to launch HTTP flood attacks against some websites.


The Netlab researchers found two versions of Godlua malware.

  • The first version (201811051556) was obtained by traversing the Godlua download servers. It targets Linux systems and supports two kinds of C2 instructions: executing Linux system commands and running custom files.
  • The second version (20190415103713 ~ 20190621174731) is the active one and runs on both Windows and Linux. Its control module is implemented in Lua, and five C2 commands are supported.

Both are written in the C programming language, but the active one supports more platforms and more features.

How Godlua Works

It works in three stages.

Stage 1

  • The backdoor uses three different ways to store the Stage-1 URL: hardcoded ciphertext, a GitHub project description, and Pastebin text.
  • After the Stage-1 URL is retrieved and decrypted, a start.png file is downloaded, which is actually Lua bytecode.
  • The bot then loads it into memory and executes it to get the Stage-2 URL.

Stage 2
Two mechanisms are used for storing the Stage-2 URL: a GitHub project file and DNS over HTTPS.
After the Stage-2 URL is retrieved and decrypted, a run.png file, also Lua bytecode, is downloaded.

Stage 3
Stage-3 C2 is hardcoded in the Lua byte-code file (run.png).

DNS Over HTTPS Request – Image by Netlab

Lua script analysis

The bot sample downloads many Lua scripts while executing; they can be broken down into three categories: execute, auxiliary, and attack.

  • execute: start.png, run.png, quit.png, watch.png, upgrade.png, proxy.png
  • auxiliary: packet.png, curl.png, util.png, utils.png
  • attack: VM.png, CC.png

The bot loads run.png into memory and runs it to obtain the Stage-3 C2.

Lua Payload – Image by Netlab


Both Google and Mozilla are testing support for the DNS-over-HTTPS (DoH) protocol.

“During the last test, we weren’t passing any cookies; these domains aren’t ones that the user would automatically retrieve and just contain dummy content, so we aren’t disclosing anything to the resolver or Facebook about users’ browsing behavior,” said Mozilla.

“Users can resolve DNS using DoH at the dns.google domain with the same anycast addresses (like 8.8.8.8) as the regular DNS service, with lower latency from our edge PoPs throughout the world,” Google said in a blog post.

Applications should use dns.google instead of dns.google.com. Applications can query dns.google at well-known Google Public DNS addresses, without needing an extra DNS lookup.
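As an added defensive example, not from the original article or from Netlab's report: the script below scans constructed proxy log lines for DoH lookups, decoding the base64url DNS message of an RFC 8484 GET and the name/type parameters of the dns.google JSON API, so that TXT lookups of the kind Godlua uses to fetch its Stage-2 URL can be surfaced for review. The resolver host list, the log line format and the sample lines are assumptions.

```python
import base64
import struct
from urllib.parse import parse_qs, urlsplit

DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}  # assumption: extend per environment

def build_query(name, qtype):  # minimal DNS query (id 0, RD set, one question); only for the sample log
    labels = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split("."))
    return struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_dns_question(msg):
    """Return (qname, qtype name) from the first question of a DNS wire-format message."""
    if len(msg) < 12 or struct.unpack("!H", msg[4:6])[0] < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while (ln := msg[pos]) != 0:
        if ln & 0xC0: raise ValueError("compression pointer in question name")
        labels.append(msg[pos + 1:pos + 1 + ln].decode("ascii"))
        pos += 1 + ln
    qtype = struct.unpack("!H", msg[pos + 1:pos + 3])[0]
    return ".".join(labels), {1: "A", 16: "TXT", 28: "AAAA"}.get(qtype, str(qtype))

def doh_queries_from_log(lines):
    """Return (client, qname, qtype) for each DoH GET request found in proxy log lines."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3 or fields[1] != "GET":
            continue
        url = urlsplit(fields[2])
        if url.hostname not in DOH_HOSTS:
            continue
        qs = parse_qs(url.query)
        if url.path.endswith("/dns-query") and "dns" in qs:  # RFC 8484 GET: base64url-encoded DNS message
            raw = qs["dns"][0]
            name, qtype = parse_dns_question(base64.urlsafe_b64decode(raw + "=" * (-len(raw) % 4)))
        elif url.path.endswith("/resolve") and "name" in qs:  # dns.google JSON API
            name, qtype = qs["name"][0], qs.get("type", ["A"])[0]
        else:
            continue
        hits.append((fields[0], name, qtype))
    return hits

# Constructed sample proxy lines: an ordinary fetch, an RFC 8484 GET, and a JSON-API TXT query.
_b64 = base64.urlsafe_b64encode(build_query("c2.example.test", 16)).rstrip(b"=").decode()
SAMPLE_LOG = [
    "10.0.0.5 GET https://www.example.org/index.html 200",
    f"10.0.0.5 GET https://dns.google/dns-query?dns={_b64} 200",
    "10.0.0.7 GET https://dns.google/resolve?name=c2.example.test&type=TXT 200",
]
```

Running `doh_queries_from_log(SAMPLE_LOG)` reports both DoH lookups of the TXT record while ignoring the ordinary request; a POST-based DoH client would need the request body rather than the URL to be inspected.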
