Posted on July 4, 2019 at 11:08 AM
Malware keeps evolving, and with it the endless “game” between security experts and hackers. However, hackers seem to always be at least one step ahead, as the recent findings confirm.
The new discovery that has experts around the world concerned and alarmed revolves around a new malware strain capable of using the DNS over HTTPS (DoH) protocol. The discovery was made by the Network Security Research Lab at 360 (Netlab 360) earlier this year, in April, when the researchers spotted a backdoor while analyzing a rather suspicious ELF (Executable and Linkable Format) file.
This was not the first time that the file had been spotted in the wild, and most other security companies had dismissed it as a crypto mining-related Trojan. However, Netlab 360 researchers thought that there might be more to it than that. In any case, they wanted to confirm whether or not it was a threat, and after studying it in depth, they made quite a discovery.
Two versions of malware spotted in the wild
As mentioned, researchers found that the ELF file in question is actually malware with DDoS functionality. Since then, it has become known as Godlua. The name comes from the magic number ‘God,’ which was found in its source code, as well as from the Lua codebase and the fact that it works as a Lua-based backdoor on the systems it manages to infect.
Knowing what they should look for, researchers started digging deeper, which eventually led to the discovery of two separate versions of the backdoor that were already in circulation. Traversing Godlua’s download servers allowed them to obtain the first version. However, after further research, experts determined that there is no available update for this particular version.
Meanwhile, the second version was quite active and kept receiving regular updates. Researchers were also able to determine that the threat mostly infects Linux systems. Although at the time of discovery they had not yet worked out the method it uses to infect a system, they did know that the threat exploits CVE-2019-3396.
As mentioned, many believed that the threat was a crypto mining bot, and while researchers now know better, there is still no confirmation that the malware is not mining alongside everything else. The only real confirmation at this time is that it mostly behaves as a DDoS bot. Also, both versions of the malware use DNS over HTTPS instead of regular DNS requests. This is a major problem, as DNS over HTTPS lets the malware hide its DNS queries inside encrypted HTTPS connections, where a network sensor watching port 53 never sees them.
In other words, thanks to this technique, Godlua can evade passive DNS monitoring. This discovery alone was more than enough to have experts around the world alarmed.
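As an added illustration of the passive-DNS blind spot described above (example code written for this page, not Netlab 360's tooling): given constructed DNS and connection logs, the script flags HTTPS flows whose destination never appeared in an observed DNS answer, and flows straight to the public DoH resolvers of the providers named in this article. The tab-separated log formats and all non-resolver IPs are assumed and constructed.

```python
# Added example (not Netlab 360's code): spot the blind spot DoH creates for passive DNS.
# Log formats below are assumed; the log lines and non-resolver IPs are constructed.
from collections import defaultdict

# Public resolvers that serve DoH on 443 (Google and Cloudflare, both named in the article).
KNOWN_DOH_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1"}

# Constructed passive-DNS log: timestamp, client, query name, comma-separated answer IPs.
DNS_LOG = [
    "1562238000\t10.0.0.5\twww.example.com\t93.184.216.34",
    "1562238001\t10.0.0.7\tupdates.example.org\t198.51.100.20,198.51.100.21",
]
# Constructed connection log: timestamp, source, destination, destination port.
CONN_LOG = [
    "1562238002\t10.0.0.5\t93.184.216.34\t443",   # preceded by a visible DNS answer: normal
    "1562238003\t10.0.0.7\t1.1.1.1\t443",         # TLS straight to a public DoH resolver
    "1562238004\t10.0.0.7\t203.0.113.9\t443",     # destination never seen in any DNS answer
    "1562238005\t10.0.0.7\t203.0.113.9\t80",      # not HTTPS, ignored by this check
]

def build_passive_dns(dns_log):
    """Map every IP returned in an observed DNS answer to the names that resolved to it."""
    seen = defaultdict(set)
    for line in dns_log:
        _ts, _client, qname, answers = line.split("\t")
        for ip in filter(None, answers.split(",")):
            seen[ip].add(qname)
    return seen

def analyze(dns_log, conn_log):
    """Return (src, dst, reason) for 443 flows that bypass the passive-DNS view.
    A host resolving names over DoH never emits a visible query, so its later
    connections go to IPs the DNS log has never explained."""
    passive_dns = build_passive_dns(dns_log)
    findings = []
    for line in conn_log:
        _ts, src, dst, dport = line.split("\t")
        if dport != "443":
            continue
        if dst in KNOWN_DOH_RESOLVERS:
            findings.append((src, dst, "TLS to public DoH resolver"))
        elif dst not in passive_dns:
            # Caveat: cached or pre-capture answers and CDN IPs also land here; a lead to triage, not a verdict.
            findings.append((src, dst, "HTTPS to IP never seen in DNS answers"))
    return findings

if __name__ == "__main__":
    for finding in analyze(DNS_LOG, CONN_LOG):
        print(*finding, sep="\t")
```

In practice the DNS map is built from a rolling window of sensor output (for example Zeek's dns.log), and the "never resolved" rule is tuned with an allowlist of CDN ranges to keep the noise down.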
How is the threat being handled?
Of course, Godlua is far from the first malware in recent years to incorporate the Lua programming language. Reports of other threats that did so have been around for a while: in 2014, Doctor Web detected Mac.BackDoor.iWorm, and in 2016, Symantec used shared Lua modules to link the activities of a cyberespionage group, Strider, with the Flamer group.
Now, many have already recognized the new threat, including Mozilla and even Google. Both companies have come out in support of the DoH protocol: Mozilla is still testing it, while Google already offers it as part of the company’s public DNS service. Meanwhile, other popular content delivery networks, including Cloudflare, also offer DNS resolution over HTTPS.
As for ways of defending against the Godlua backdoor, experts suggest investing in vulnerability management solutions that integrate with SIEM (Security Information and Event Management) and other security tools. The important thing is to apply fixes for known vulnerabilities, especially CVE-2019-3396. Finally, experts also suggest that companies start using next-gen firewalls, advanced anomaly detection, and the like.