
Godlua abuses DNS over HTTPS to target Linux and Windows users

  • The first version of Godlua malware was obtained by traversing Godlua download servers and targets Linux systems.
  • The second version targets Windows systems and is actively being updated.

Researchers from Qihoo 360 spotted a new Lua-based backdoor malware dubbed ‘Godlua’ which is capable of targeting both Linux and Windows users while securing its communication channels via DNS over HTTPS (DoH).

The detailed picture

Godlua evades traffic monitoring by using DNS over HTTPS (DoH): its DNS lookups travel inside HTTPS requests, which secures the communication channels between the infected machines, the C&C servers, and the attacker-controlled servers.

By using DoH, Godlua hides the URLs of the C&C servers used during the later stages of the infection process from detection.
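
A TLS-inspecting egress proxy still sees these lookups as HTTPS requests. The following added example (not from the Qihoo 360 report) flags DoH requests coming from hosts that have no reason to use DoH, such as Linux servers; the log format, the `role` field and every hostname and address are constructed assumptions.

```python
import json
from urllib.parse import urlsplit, parse_qs

DOH_MEDIA_TYPES = {"application/dns-message", "application/dns-json"}

# Constructed sample: JSON lines from a hypothetical TLS-inspecting egress proxy.
SAMPLE_LOG = """\
{"src": "10.0.5.21", "role": "server", "method": "GET", "url": "https://doh.example.net/dns-query?name=c2.example.org&type=TXT", "accept": "application/dns-json"}
{"src": "10.0.9.14", "role": "workstation", "method": "POST", "url": "https://doh.example.net/dns-query", "content_type": "application/dns-message"}
{"src": "10.0.5.22", "role": "server", "method": "GET", "url": "https://updates.example.com/pkg/index.json?name=foo", "accept": "application/json"}
{"src": "10.0.5.23", "role": "server", "method": "GET", "url": "https://doh.example.net/dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB", "accept": "application/dns-message, */*;q=0.5"}
"""

def doh_reasons(rec):
    """Return the DoH indicators present in one proxy record."""
    url = urlsplit(rec["url"])
    params = parse_qs(url.query)
    media = set()
    for header in (rec.get("accept", ""), rec.get("content_type", "")):
        for part in header.split(","):
            media.add(part.split(";")[0].strip().lower())
    reasons = []
    if media & DOH_MEDIA_TYPES:
        reasons.append("doh-media-type")        # RFC 8484 or JSON API media type
    if rec["method"] == "GET" and "dns" in params:
        reasons.append("rfc8484-get")           # base64url DNS message in ?dns=
    if {"name", "type"} <= params.keys() and url.path.endswith(("/dns-query", "/resolve")):
        reasons.append("json-api-query")        # plaintext name in ?name=
    return reasons

def find_doh(log_text, allowed_roles=("workstation",)):
    """Flag DoH requests from hosts whose role is not expected to use DoH."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        reasons = doh_reasons(rec)
        if reasons and rec.get("role") not in allowed_roles:
            url = urlsplit(rec["url"])
            qname = parse_qs(url.query).get("name", [None])[0]
            findings.append({"src": rec["src"], "resolver": url.hostname,
                             "qname": qname, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in find_doh(SAMPLE_LOG):
        print(finding)
```

For JSON-style DoH queries the looked-up name is recoverable from the `name` parameter, which gives responders the domain that plain DNS monitoring never saw.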

Researchers noted that Godlua malware was used in an HTTP flood attack against the liuxiaobei[.]com domain.

Godlua versions

Qihoo 360 researchers spotted two versions of Godlua malware.

  • The first version (201811051556) was obtained by traversing Godlua download servers and targets Linux systems.
  • The second version (20190415103713 ~ 2019062117473) targets Windows systems and is actively being updated.

The first version, which targets Linux systems, receives only two types of commands from its C&C server, allowing the malware operators to run custom files and to execute Linux commands.

The second variant, on the other hand, receives five commands from its C&C server and downloads many Lua scripts when executing.

“We have yet to see the whole picture of how exactly the Godlua backdoor infects the targets, at this point we know at least some linux users were infected via the Confluence exploit (CVE-2019-3396),” the researchers wrote.
