The Godlua backdoor: first malware using DNS over HTTPS protocol

Security researchers discover new malware strain that abuses the DNS over HTTPS protocol to secure its communication channels

Backdoor malware targets Linux and Windows users. Godlua blocks researchers from analyzing its traffic by using DNS over HTTPS (DoH) for its command-and-control lookups.

A newly discovered GodLua backdoor, targeting Linux and Windows servers, appears to be the first threat capable of abusing the new DoH protocol. Because it uses a Confluence exploit to infect outdated systems, it poses a serious risk,[1] according to the recent analysis by Qihoo 360's Network Security Research Lab. The attack was observed against a website that is the homepage of a Liu Xiaobei fan site.[2]

Experts have already found several versions of the malware and reported that the backdoor receives updates and can be configured to mine cryptocurrency or perform actions beyond its DDoS functions.[3] The Lua-based malware got its name from the Network Security Research Lab at 360, as the report states:

The file itself is a Lua-based Backdoor, we named it Godlua Backdoor as the Lua byte-code file loaded by this sample has a magic number of “God”.

Malware developers avoid traffic monitoring by using DoH to encapsulate the communication channels

Although the Godlua malware is relatively new, the DoH protocol is already supported by many publicly available DNS servers and even by web browsers such as Google Chrome and Mozilla Firefox. Google recently announced DoH support for its public DNS server.[4] The traffic between infected machines and the attackers' C&C servers is encrypted, and this way the malware prevents researchers from accessing and analyzing the activity.

The technique of retrieving the URL addresses of second- or third-stage C&C servers from DNS TXT records is neither new nor uncommon. However, Godlua is the first malware that uses the DNS over HTTPS protocol to conceal part of its C2 infrastructure from third parties, and especially from cyber security analysis tools; Nick Biasini from Cisco Talos states he has never seen anything like this.[5]

DoH is going to break security controls as malware creators start taking advantage of it

Many cybersecurity experts and web developers reacted to this new strain of malware and its activities on social media and online forums this week, following the reports.[6] The whole community started discussing the problems that may arise from using DoH to hide DNS traffic. There are many fears that other malware will adopt the same feature and use it in further attacks, which would render a large number of security products useless for DNS traffic monitoring.

However, cybersecurity experts tend to find workarounds, especially when dealing with new strains of malware or attackers that use DoH. Users and other community members expect that researchers will find ways to deal with these new malware strains and their features.

Experts still need to see the whole picture of the Godlua backdoor, how it works and how it infects its targets. The Netlab team suggests that people at least monitor and block suspicious IPs, URLs and domain names on their systems. Researchers also say that readers are welcome to provide any additional details about the threat.
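Two points above are worth turning into something a defender can run: the malware fetches its C2 addresses from DNS TXT records over DoH (so the lookups travel as ordinary HTTPS, not port-53 DNS), and Netlab recommends monitoring and blocking suspicious indicators. The following is an added example, not code from the article or from Netlab 360, that scans web proxy logs for DoH lookups. It assumes a constructed log format (`timestamp client_ip method url status content_type`), a hypothetical placeholder blocklist (the article publishes no IoCs), and the publicly documented DoH endpoints of a few well-known resolvers; the log lines are constructed sample data.

```python
"""Flag DNS-over-HTTPS (DoH) lookups in web proxy logs.

Added example, not from the original article or from Netlab 360.
Assumptions: proxy logs use a constructed space-separated format
  <timestamp> <client_ip> <method> <url> <status> <content_type>
and BLOCKLIST_DOMAINS holds a placeholder, not a real Godlua indicator.
"""
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# RFC 8484 wire-format media type, plus the JSON media type offered by
# public resolvers such as dns.google and cloudflare-dns.com.
DOH_MEDIA_TYPES = {"application/dns-message", "application/dns-json"}
# Well-known public DoH resolvers; extend with whatever your fleet is allowed to use.
KNOWN_DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}
# Endpoint paths used by the resolvers above (RFC 8484 /dns-query, Google JSON /resolve).
DOH_PATHS = {"/dns-query", "/resolve"}
# PLACEHOLDER indicator: the article names no IoCs, so this value is made up.
BLOCKLIST_DOMAINS = {"c2-placeholder.example"}


@dataclass
class ProxyEvent:
    ts: str
    client_ip: str
    method: str
    url: str
    status: int
    content_type: str


def parse_line(line: str) -> ProxyEvent:
    """Parse one line of the constructed proxy log format."""
    ts, client_ip, method, url, status, content_type = line.split()
    return ProxyEvent(ts, client_ip, method, url, int(status), content_type.lower())


def doh_reasons(ev: ProxyEvent) -> list[str]:
    """Return the reasons an event looks like a DoH lookup (empty list if none)."""
    parts = urlsplit(ev.url)
    reasons = []
    if ev.content_type in DOH_MEDIA_TYPES:
        reasons.append(f"DoH media type {ev.content_type}")
    if parts.hostname in KNOWN_DOH_HOSTS:
        reasons.append(f"known DoH resolver {parts.hostname}")
    if parts.path in DOH_PATHS:
        reasons.append(f"DoH endpoint path {parts.path}")
    # JSON-API lookups carry the queried name and record type in the query
    # string, so a TXT lookup (the record type Godlua reads its C2 URLs from)
    # is visible to the proxy even though the DNS answer itself is encrypted.
    query = parse_qs(parts.query)
    name = query.get("name", [None])[0]
    rtype = query.get("type", [None])[0]
    if rtype and rtype.upper() == "TXT":
        reasons.append(f"TXT lookup for {name}")
    if name and name.lower().rstrip(".") in BLOCKLIST_DOMAINS:
        reasons.append(f"blocklisted name {name}")
    return reasons


def scan(lines):
    """Return (client_ip, url, reasons) for every log line that looks like DoH."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        reasons = doh_reasons(ev)
        if reasons:
            alerts.append((ev.client_ip, ev.url, reasons))
    return alerts


# Constructed sample log: one ordinary page load, one RFC 8484 POST lookup,
# one JSON-API TXT lookup for the placeholder domain, one static asset fetch.
SAMPLE_LOG = """\
2019-07-01T10:00:01Z 10.0.0.5 GET https://www.example.com/index.html 200 text/html
2019-07-01T10:00:02Z 10.0.0.5 POST https://dns.google/dns-query 200 application/dns-message
2019-07-01T10:00:03Z 10.0.0.7 GET https://dns.google/resolve?name=c2-placeholder.example&type=TXT 200 application/dns-json
2019-07-01T10:00:04Z 10.0.0.9 GET https://cdn.example.net/app.js 200 application/javascript
"""

if __name__ == "__main__":
    for client, url, reasons in scan(SAMPLE_LOG.splitlines()):
        print(client, url, "; ".join(reasons))
```

The host and path checks only catch DoH sent to resolvers you already know about; a backdoor that runs its own DoH endpoint is caught by the media-type check instead, which is why the detector combines all three. Feeding the matched client IPs and queried names into the monitoring and blocking Netlab recommends is the natural next step.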

About the author
Julie Splinters - Anti-malware specialist

Julie Splinters is the News Editor of 2-spyware. Her bachelor's degree was in English Philology.
