DDoS bots’ tactics could break existing controls

The first-ever malware strain which abuses the new DoH (DNS over HTTPS) protocol has surfaced online.

Godlua is a backdoor with two variants: one that targets Linux exclusively and a second that targets both Windows and Linux-based systems.

At least some impacted Linux users were infected through an exploit for a vulnerability (CVE-2019-3396) in the team collaboration software package Confluence.

The malware is able to abuse compromised systems to run distributed denial-of-service (DDoS) attacks. It might also bundle crypto-mining functionality, though this remains only suspected and not confirmed.

The malware sticks out from the crowd because of its use of DoH for command and control communications, as explained in a blog post by Chinese security firm Qihoo 360.

“Godlua Backdoor has a redundant communication mechanism for C2 connection: a combination of hardcoded DNS name, Pastebin.com, GitHub.com as well as DNS TXT is used to store the C2 address, which is not something we see often,” according to 360 Netlab, the security lab of Qihoo 360.

“At the same time, it uses HTTPS to download Lua byte-code files, and uses DNS over HTTPS to get the C2 name to ensure secure communication between the bots, the Web Server and the C2.”

“We noticed that there are already 2 versions of Godlua Backdoor and there are ongoing updates. We also observed that attackers have been using Lua command to run Lua code dynamically and initiate HTTP Flood attacks targeting some websites.”

UK security practitioner Kevin Beaumont warned that more malware along the same lines is likely, adding that the use of DoH in the malware is problematic for defenders because it might break existing security controls.

“When you start to get malware using DoH for all DNS traffic, it will be more difficult to defend as you lose DNS log visibility and blocking,” Beaumont said in the course of a discussion on Twitter about the topic.
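Beaumont's point about lost DNS visibility suggests a compensating control: where an organisation already terminates TLS at a web proxy, DoH requests can still be recognised by their destination, media type and path, and for RFC 8484 GET requests the queried name can be recovered from the base64url-encoded `dns` parameter. The script below is an added illustration, not code from the original article, from 360 Netlab or from Kevin Beaumont. It assumes a constructed, simplified proxy log format (timestamp, client IP, method, URL, request Content-Type, Accept header) and uses a small example list of public DoH resolvers that any real deployment would replace with its own feed.

```python
"""Spot DNS-over-HTTPS (DoH) use in web-proxy logs and recover the queried
name from RFC 8484 GET requests, so DNS visibility is not lost entirely.

Illustrative example: the log format is a constructed, simplified proxy line;
the resolver list is an example set, not an exhaustive one.
"""
import base64
import re
import struct
from urllib.parse import parse_qs, urlparse

# Example set of public DoH endpoints (assumption: extend from your own intel).
KNOWN_DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "mozilla.cloudflare-dns.com"}
DOH_MEDIA_TYPE = "application/dns-message"  # media type defined by RFC 8484

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'ct="(?P<ct>[^"]*)" accept="(?P<accept>[^"]*)"$'
)


def decode_qname(msg: bytes) -> str:
    """Extract the first question name from a DNS wire-format message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    qdcount = struct.unpack("!H", msg[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers never appear in a question name
            raise ValueError("unexpected compression pointer in question")
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def qname_from_doh_get(url: str):
    """RFC 8484 GET requests carry the query as unpadded base64url in ``dns=``."""
    params = parse_qs(urlparse(url).query)
    if "dns" not in params:
        return None
    b64 = params["dns"][0]
    padded = b64 + "=" * (-len(b64) % 4)  # restore the padding RFC 8484 omits
    return decode_qname(base64.urlsafe_b64decode(padded))


def classify(line: str):
    """Return a hit record if the log line looks like DoH, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parsed = urlparse(m["url"])
    host = parsed.hostname or ""
    reasons = []
    if host in KNOWN_DOH_HOSTS:
        reasons.append("known-doh-resolver")
    if DOH_MEDIA_TYPE in (m["ct"], m["accept"]):
        reasons.append("dns-message-media-type")
    if parsed.path == "/dns-query":  # conventional DoH path; not mandatory
        reasons.append("dns-query-path")
    if not reasons:
        return None
    qname = qname_from_doh_get(m["url"]) if m["method"] == "GET" else None
    return {"client": m["client"], "host": host, "reasons": reasons, "qname": qname}


def scan(lines):
    """Run classify() over a log and keep only the DoH hits."""
    return [hit for hit in (classify(l) for l in lines) if hit]


def build_query(name: str) -> bytes:
    """Build a minimal A-record query in DNS wire format (used for sample data)."""
    body = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0) + body + struct.pack("!HH", 1, 1)


# Constructed sample log: one DoH GET to a public resolver, one DoH POST to an
# unknown host, and one ordinary web request that must not be flagged.
SAMPLE_B64 = base64.urlsafe_b64encode(build_query("c2.example.net")).rstrip(b"=").decode()
SAMPLE_LOG = [
    f'2019-07-02T10:00:01Z 10.0.0.5 GET https://dns.google/dns-query?dns={SAMPLE_B64} '
    'ct="" accept="application/dns-message"',
    '2019-07-02T10:00:02Z 10.0.0.5 POST https://203.0.113.10/dns-query '
    'ct="application/dns-message" accept="application/dns-message"',
    '2019-07-02T10:00:03Z 10.0.0.7 GET https://www.example.org/index.html '
    'ct="" accept="text/html"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The three signals are deliberately independent: a bot talking to an unlisted resolver still trips the media-type or path check, and a resolver on the list is flagged even if it uses a non-standard path. POST bodies are not in the log line, so the queried name is only recovered for GET requests; a proxy that also records request bodies could feed them to `decode_qname` the same way.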