Godlua Malware- First Malware That Leverages DNS Over HTTPS

DNS Over HTTPS Malware
DNS Over HTTPS Malware

Godlua Malware- Targets Linux Server Systems too

The cyber security researchers from Netlab found a new LUA based backdoor malware known as GODLUA. It is targeting both Windows and Linux users.

According to Netlab, the file itself is a Lua-based Backdoor, we named it Godlua Backdoor as the Lua byte-code file loaded by this sample has a magic number of “God”.

Godlua Backdoor has a redundant communication mechanism for C2 connection, a combination of hardcoded dns name, Pastebin.com, GitHub.com as well as DNS TXT are used to store the C2 address, which is not something we see often.

At the same time, it uses HTTPS to download Lua byte-code files, and uses DNS over HTTPS to get the C2 name to ensure secure communication between the bots, the Web Server and the C2.

Researchers noticed that there are already 2 versions of Godlua Backdoor and there are ongoing updates. We also observed that attackers has been using Lua command to run Lua code dynamically and initiate HTTP Flood attacks targeting some websites.

Also Read – HiddenWasp A Undetectable Malware Targets Linux System

The Netlab researchers found two versions of Godlua malware.

  • The first version (201811051556) is obtained by traversing Godlua download servers and targets the Linux systems and supports two kinds of C2 instructions, to execute Linux system commands and to run custom files.
  • The second version (20190415103713 ~ 20190621174731) This active version runs on both Windows and Linux. The control module is implemented in Lua and five C2 commands are supported

They are all written in C programming language, but the active one supports more computer platforms and more features

How Godlua Works?

It’s work in three stages

Stage 1

  • The backdoor uses 3 different ways to store the Stage-1 URL. hardcoded ciphertext, Github project description, and Pastebin text.
  • After the Stage-1 URL is retrieved and decrypted, a start.png file will be downloaded, which is actually a Lua bytecode.
  • The Bot then loads it into memory and executes it to get the Stage-2 URL

Stage 2
Two mechanisms are being used for storing the Stage-2 URL, Github project file and DNS over HTTPS.
After the Stage-2 URL is retrieved and decrypted, a run.png file, also a Lua bytecode, will be downloaded.

Stage 3
Stage-3 C2 is hardcoded in the Lua byte-code file (run.png).

DNS Over HTTPS Request
DNS Over HTTPS Request- Image by Netlab

Lua script analysis

The Bot sample downloads many Lua scripts when executing, and the scripts can be broken down to three categories: execute, auxiliary, and attack.

  • execute: start.png,run.png,quit.png,watch.png,upgrade.png,proxy.png
  • auxiliary: packet.png,curl.png,util.png,utils.png
  • attack: VM.png,CC.png

Bot will load this file into memory and run it to get Stage-3 C2.

LUA Payload
Lua Payload – Image by Netlab


Both Google and Mozilla is testing support on DNS-over-HTTPS (DoH) protocols.

During last test, we aren’t passing any cookies, these domains aren’t ones that the user would automatically retrieve and just contain dummy content, so we aren’t disclosing anything to the resolver or Facebook about users’ browsing behavior, said Mozilla.

Users can resolve DNS using DoH at the dns.google domain with the same anycast addresses (like as regular DNS service, with lower latency from our edge PoPs throughout the world. Google said in blog.

Applications should use dns.google instead of dns.google.com. Applications can query dns.google at well-known Google Public DNS addresses, without needing an extra DNS lookup.

Join Our Club

Enter your Email address to receive notifications | Join over Million Followers

Leave a Reply
Previous Article

PivotSuite- Hack The Hidden Network

Next Article
Linux Based OS Debian Buster

Debian 10 BUSTER Linux Based Operating System Released

Related Posts