New Godlua Malware Evades Traffic Monitoring via DNS over HTTPS (Jul 3, 2019)
Qihoo 360 researchers have found a new backdoor, dubbed “Godlua,” that is capable of targeting Linux and Windows machines and that secures its communications with its control servers via DNS over HTTPS (DoH). Two variants of the malware were identified: one that targets Linux and appears to no longer be updated, and a second that targets Windows and has more malicious capabilities than the former. Godlua was discovered while examining a malicious ELF file, which may indicate an infection vector, and was found to be able to infect systems by exploiting the Atlassian Confluence vulnerability registered as CVE-2019-3396.
Recommendation: Malware authors are always innovating new methods of communicating back to their control servers. Always practice Defense in Depth (do not rely on a single security mechanism - security measures should be layered, redundant, and fail-safe).
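The point of DoH for a backdoor is that its name lookups ride inside ordinary HTTPS, so a passive DNS sensor or a DNS sinkhole never sees them. One layer that can still see them is a web proxy or TLS-inspecting gateway, which logs the request itself. The script below is an added example (not code from this article or from the Qihoo 360 researchers) that scans constructed proxy log lines for the RFC 8484 markers of DoH (the `/dns-query` path, the `application/dns-message` media type and the `?dns=` GET parameter) and reports any source using them against a resolver that is not on an allow-list. The log format, the sample lines and the `ALLOWED_DOH_HOSTS` list are assumptions for the example; adapt the parser to your proxy's format.

```python
"""Flag DNS-over-HTTPS (RFC 8484) requests in web-proxy logs.

Added example, not code from the article or the Qihoo 360 report. The log
format and the sample lines below are constructed for illustration.
"""
import re
from urllib.parse import urlsplit, parse_qs

# RFC 8484 markers: the conventional path and the DoH media type.
DOH_PATH = "/dns-query"
DOH_MEDIA_TYPE = "application/dns-message"
# Assumption: resolvers your policy allows. Anything else carrying DoH
# markers is worth a look, since malware may use any public or private resolver.
ALLOWED_DOH_HOSTS = frozenset({"doh.corp.example"})

# Constructed log format: <timestamp> <client-ip> <method> <url> "<content-type>" <status>
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'"(?P<ctype>[^"]*)" (?P<status>\d{3})$'
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def doh_indicators(rec):
    """Return the list of DoH indicators present in one parsed record."""
    parts = urlsplit(rec["url"])
    hits = []
    if parts.path.endswith(DOH_PATH):
        hits.append("path")
    if rec["ctype"].lower().startswith(DOH_MEDIA_TYPE):
        hits.append("media-type")
    # The GET form carries the base64url-encoded DNS message in ?dns=
    if rec["method"] == "GET" and "dns" in parse_qs(parts.query):
        hits.append("dns-param")
    return hits


def find_unsanctioned_doh(lines):
    """Return findings for DoH requests to hosts outside ALLOWED_DOH_HOSTS."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        hits = doh_indicators(rec)
        if not hits:
            continue
        host = urlsplit(rec["url"]).hostname or ""
        if host in ALLOWED_DOH_HOSTS:
            continue
        findings.append({"src": rec["src"], "host": host, "indicators": hits})
    return findings


# Constructed sample: one sanctioned DoH resolver, one unsanctioned resolver
# used by 10.0.0.9 via both POST and GET forms, and ordinary web traffic.
SAMPLE_LOG = [
    '2019-07-03T10:00:01Z 10.0.0.5 GET https://www.example.com/index.html "text/html" 200',
    '2019-07-03T10:00:02Z 10.0.0.5 POST https://doh.corp.example/dns-query "application/dns-message" 200',
    '2019-07-03T10:00:03Z 10.0.0.9 POST https://resolver.example.net/dns-query "application/dns-message" 200',
    '2019-07-03T10:00:04Z 10.0.0.9 GET https://resolver.example.net/dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB "application/dns-message" 200',
    '2019-07-03T10:00:05Z 10.0.0.7 GET https://cdn.example.org/lib.js "application/javascript" 200',
]

if __name__ == "__main__":
    for finding in find_unsanctioned_doh(SAMPLE_LOG):
        print(finding)
```

This only works where the proxy actually sees the request path and headers, which means TLS interception at the gateway; without it, the remaining signals are the TLS SNI or destination IP of a known DoH resolver, which is a coarser but still useful allow-list check. Either way the check is one layer among several, which is the point of the recommendation above.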
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.