Godlua Malware Abuses DNS over HTTPS Protocol

Delaware, USA – July 4, 2019 – The DNS over HTTPS protocol, designed to protect DNS queries from being intercepted by adversaries, now helps the newly discovered Godlua malware avoid detection by traffic monitoring solutions. The malware was discovered by the Network Security Research Lab of Qihoo 360, which published an analysis of the finding earlier this week. Godlua is a Lua-based backdoor that is currently used for DDoS attacks. Experts have found two versions of the malware: the earlier version is designed exclusively for attacks on Linux platforms and is written in C, while a later version can attack both Linux and Windows and is written in Lua. The second version is regularly updated, and the attackers keep adding support for additional CPU architectures and commands. At the moment the command set is small: on receiving a command from the C&C server, the malware downloads Lua scripts disguised as PNG images and executes them.

The most innovative idea in Godlua, and the one that sets it apart from other backdoors, is the use of DNS over HTTPS requests. Such requests do not raise suspicion and cannot be inspected by security solutions. Moreover, Google’s public DNS service supports DNS over HTTPS, which opens up opportunities for other malware authors. Security researchers expect a surge in malware like DNSMessenger that will use this method to communicate with C&C infrastructure and exfiltrate data. The new method avoids the spikes in DNS traffic that tunneling produces, and it is not yet known how to monitor such communications. You can detect “traditional” attacks abusing the DNS protocol with the security solutions available in your organization and the DNS Security Check rule pack: https://my.socprime.com/en/integrations/dns-security-check-kibana
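As an added example (not from the original article or from Qihoo 360's analysis), the following Python script flags DoH-style requests in constructed proxy log lines, using the RFC 8484 conventions (the /dns-query path and the application/dns-message content type) plus an assumed list of public resolver hostnames. It assumes logs from a TLS-terminating proxy where the URL and content type are visible; without TLS inspection only the resolver hostname (from SNI or certificate logs) is available to match on.

```python
from typing import Dict, List
from urllib.parse import urlparse

# Assumed indicators: RFC 8484 conventions plus a few well-known public
# resolvers. Extend DOH_HOSTS with your own resolver inventory.
DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}
DOH_PATH = "/dns-query"
DOH_CONTENT_TYPE = "application/dns-message"

# Constructed proxy log lines: "timestamp src_ip method url content_type".
SAMPLE_LOG = """\
1562198400 10.0.0.5 POST https://dns.google/dns-query application/dns-message
1562198401 10.0.0.5 GET https://example.com/index.html text/html
1562198402 10.0.0.9 GET https://dns.google/dns-query?dns=AAABAAABAAAAAAAAB2V4YW1wbGUDY29tAAABAAE application/dns-message
1562198403 10.0.0.7 GET https://cdn.example.net/logo.png image/png
"""


def is_doh_request(url: str, content_type: str) -> bool:
    """Return True if the request looks like DNS over HTTPS.

    Any one indicator is enough: a known resolver host, the /dns-query
    path, or the DoH wire-format content type.
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host in DOH_HOSTS:
        return True
    if parsed.path.rstrip("/").endswith(DOH_PATH):
        return True
    return content_type.lower().startswith(DOH_CONTENT_TYPE)


def find_doh_clients(log_text: str) -> Dict[str, List[str]]:
    """Map each source IP to the DoH URLs it contacted."""
    hits: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, src, _method, url, ctype = line.split(maxsplit=4)
        if is_doh_request(url, ctype):
            hits.setdefault(src, []).append(url)
    return hits


if __name__ == "__main__":
    for src, urls in find_doh_clients(SAMPLE_LOG).items():
        print(f"{src}: {len(urls)} DoH request(s), e.g. {urls[0]}")
```

Hosts that are not expected to use an external resolver (servers, or workstations on a network that only permits the internal resolver) are the ones worth investigating first.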

Godlua Malware Detector (Sysmon Behavior) by Lee Archinal: https://tdm.socprime.com/tdm/info/2291/