Godlua: A History
On April 24, 2019, Netlab’s Unknown Threat Detection System flagged a suspicious ELF file that several antivirus vendors had marked as a mining-related Trojan. The file turned out to be a Lua-based backdoor, which the researchers named “Godlua.” It is the first known malware to abuse the DNS over HTTPS (DoH) protocol. <link to https://blog.netlab.360.com/>
The researchers chose the name because the Lua bytecode file loaded by the sample carries the magic number “God” in place of the standard “Lua.”
What Does It Do?
The Godlua backdoor targets Linux and Windows servers. It is the first malware known to abuse the DoH protocol.
The malware issues DoH requests to fetch a DNS TXT record. That record holds the URL of the next command and control (C2) server, which in turn tells the bot where to connect for further instructions.
It is written to run on both Linux and Windows systems. To infect Linux systems, the attackers use a Confluence exploit, CVE-2019-3396.
Its C2 lookup is redundant: the bot combines a hardcoded DNS name, GitHub.com, and Pastebin.com, and it stores the C2 address in a DNS TXT record, a technique that is rarely seen.
It downloads the Lua bytecode files over HTTPS and resolves the C2 name over DoH, so the traffic between the bots, the C2, and the web server is encrypted and hidden from passive DNS monitoring.
Researchers believe that its main purpose is to launch DDoS (distributed denial-of-service) attacks.
Godlua: An Overview
Presently, there are two known versions of Godlua.
Version 201811051556. This version was obtained by browsing the Godlua download servers and has not been updated since. It targets Linux platforms and supports two kinds of C2 instructions: executing Linux system commands and running custom files.
Version 20190415103713 – 2019062117473. This version is active and is updated constantly. It runs on both Linux and Windows; its control module is implemented in Lua, and it supports five C2 commands.
Both versions are written in C. The later one, Version 20190415103713 – 2019062117473, has more features and supports more platforms.
How Does It Work?
Godlua works in three stages:
Stage 1. The backdoor stores the Stage 1 URL in three different places: a GitHub project description, a Pastebin text, and hardcoded ciphertext. After retrieving and decrypting the Stage 1 URL, the bot downloads a file named start.png, which is actually Lua bytecode, loads it into memory, and executes it to obtain the Stage 2 URL.
Stage 2. The Stage 2 URL is stored in two places: a DNS TXT record queried over DNS over HTTPS (DoH) and a GitHub project file. After retrieving and decrypting the Stage 2 URL, the bot downloads run.png, another Lua bytecode file, loads it into memory, and executes it to obtain the Stage 3 URL.
Stage 3. The Stage 3 C2 address is hardcoded in run.png. When the researchers disassembled the file, they found that the magic number in its header had been changed: a standard Lua bytecode file starts with the byte 0x1B followed by “Lua,” whereas Godlua’s files carry “God” in its place. The standard Lua loader rejects a chunk whose signature does not match, so off-the-shelf tooling will not load these files until the three bytes are restored.
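The Stage 2 lookup described above, as an added example that is not code from the Netlab report or from the Godlua sample: it builds a DoH query for a TXT record in the RFC 8484 wire format (the GET form, with the query base64url-encoded in the `dns` parameter) and parses a constructed response to pull out the URL a bot would use next. The resolver endpoint, the query name, and the URL in the TXT answer are assumptions chosen for illustration, the response is constructed rather than captured, and the article does not say which DoH request form the real sample uses (some public resolvers also offer a JSON API, which this example does not cover).

```python
"""Added example: DNS-over-HTTPS TXT lookup in RFC 8484 wire format.

Not code from the Netlab report or the Godlua sample. The resolver endpoint,
the query name and the TXT payload are assumptions chosen for illustration."""
import base64
import struct
from typing import List

DOH_ENDPOINT = "https://doh.example/dns-query"  # assumed resolver (not real)
QNAME = "c2.example.net"                         # assumed TXT record name
TYPE_TXT, CLASS_IN = 16, 1


def encode_name(name: str) -> bytes:
    """DNS label encoding: <len><label>... terminated by a zero byte."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_txt_query(name: str, txid: int = 0) -> bytes:
    """Query with RD set and QTYPE=TXT. RFC 8484 recommends ID 0 so that
    identical queries are cacheable by HTTP intermediaries."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_TXT, CLASS_IN)


def doh_get_url(endpoint: str, query: bytes) -> str:
    """GET form: base64url without '=' padding in the 'dns' parameter.
    The reply comes back with Content-Type application/dns-message."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={b64}"


def skip_name(msg: bytes, off: int) -> int:
    """Advance past a name, handling the 2-byte compression pointer form."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_txt_answers(msg: bytes) -> List[str]:
    """Return the TXT strings from a wire-format response. Each record's
    <len><chars> pieces are concatenated (strings over 255 bytes are split)."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    if flags & 0x000F:
        raise ValueError(f"resolver returned RCODE {flags & 0x000F}")
    off = 12
    for _ in range(qd):                     # skip the echoed question(s)
        off = skip_name(msg, off) + 4
    results = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype != TYPE_TXT:
            continue
        i, parts = 0, []
        while i < len(rdata):
            n = rdata[i]
            parts.append(rdata[i + 1:i + 1 + n].decode("utf-8", "replace"))
            i += 1 + n
        results.append("".join(parts))
    return results


def constructed_response(name: str, txt: str, txid: int = 0) -> bytes:
    """Build the reply a resolver would send (constructed test data, not a
    capture). Long strings are split into 255-byte pieces as DNS requires."""
    raw = txt.encode("utf-8")
    rdata = b"".join(bytes([len(raw[i:i + 255])]) + raw[i:i + 255]
                     for i in range(0, len(raw), 255))
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA
    question = encode_name(name) + struct.pack("!HH", TYPE_TXT, CLASS_IN)
    answer = (b"\xc0\x0c"                                     # pointer to QNAME
              + struct.pack("!HHIH", TYPE_TXT, CLASS_IN, 300, len(rdata))
              + rdata)
    return header + question + answer


if __name__ == "__main__":
    query = build_txt_query(QNAME)
    print("GET", doh_get_url(DOH_ENDPOINT, query))
    reply = constructed_response(QNAME, "https://stage2.example.org/run.png")
    print("TXT ->", parse_txt_answers(reply))
```

The defender’s takeaway is in what is absent: the query and the TXT answer travel inside an ordinary TLS session to the resolver, so a passive DNS sensor watching port 53 never sees the name being resolved, which is exactly why the Netlab researchers singled out the technique.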
Attackers have also been observed sending C2 commands that run Lua code dynamically, and they have used this to launch HTTP flood attacks against specific websites.
Lua: A Script Analysis
The bot sample downloads numerous Lua scripts as it runs. These fall into three categories: execute, auxiliary, and attack.
Execute. start.png, run.png, upgrade.png, watch.png, quit.png
Auxiliary. util.png, utils.png, curl.png, packet.png
Attack. CC.png, VM.png
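A triage check for files like the ones listed above, as an added example that is not code from the Netlab report or the Godlua sample: it classifies candidate payloads by their header rather than their extension. A standard precompiled Lua chunk begins with the byte 0x1B followed by “Lua” and a version byte (0x51 for Lua 5.1, 0x53 for Lua 5.3); per the article, Godlua’s stage files keep that layout but read “God” instead. The sample file contents are constructed to cover each case and are not real payloads; the names borrow from the list above, and the Lua versions used in the samples are assumptions.

```python
"""Added example: classify downloaded "png" payloads by their Lua bytecode
header. Not code from the Netlab report or the Godlua sample; the sample
file contents below are constructed."""
from typing import Dict, List, Tuple

LUA_SIG = b"\x1bLua"              # standard Lua precompiled-chunk signature
GOD_SIG = b"\x1bGod"              # patched signature the article describes
PNG_SIG = b"\x89PNG\r\n\x1a\n"    # what a file named .png should start with


def lua_version(version_byte: int) -> str:
    """Decode the Lua header version byte, e.g. 0x53 -> '5.3'."""
    return f"{version_byte >> 4}.{version_byte & 0x0F}"


def classify(data: bytes) -> Dict[str, str]:
    """Return {'kind': ...} and, for Lua-style headers, 'lua_version'."""
    if data.startswith(PNG_SIG):
        return {"kind": "png"}
    if len(data) >= 5 and data[:4] in (LUA_SIG, GOD_SIG):
        kind = "lua-bytecode" if data[:4] == LUA_SIG else "godlua-bytecode"
        return {"kind": kind, "lua_version": lua_version(data[4])}
    return {"kind": "unknown"}


def triage(files: Dict[str, bytes]) -> List[Tuple[str, str, bool]]:
    """For each (name, content) return (name, kind, suspicious).

    A file is flagged when it carries the patched "God" signature, or when
    its extension claims PNG but the content is not a PNG."""
    report = []
    for name, content in files.items():
        kind = classify(content)["kind"]
        claims_png = name.lower().endswith(".png")
        suspicious = kind == "godlua-bytecode" or (claims_png and kind != "png")
        report.append((name, kind, suspicious))
    return report


# Constructed sample contents (not real Godlua payloads; versions assumed).
SAMPLES: Dict[str, bytes] = {
    # Lua 5.3-style header with the "God" signature, as the article describes
    "start.png": GOD_SIG + b"\x53\x00" + b"\x19\x93\r\n\x1a\n" + b"\x04\x08",
    # an ordinary compiled Lua 5.1 chunk (32-bit size fields)
    "util.luac": LUA_SIG + b"\x51\x00\x01\x04\x04\x04\x08\x00",
    # a genuine PNG header
    "logo.png": PNG_SIG + b"\x00\x00\x00\x0dIHDR",
    # a shell script masquerading as an image
    "run.png": b"#!/bin/sh\necho hi\n",
}

if __name__ == "__main__":
    for name, kind, suspicious in triage(SAMPLES):
        print(f"{name:12} {kind:18} {'SUSPICIOUS' if suspicious else 'ok'}")
```

The same signature check is what the stock Lua loader performs, which is why the patched bytes defeat ordinary disassemblers; when a hit on the “God” signature turns up, restoring the three bytes to “Lua” makes the chunk loadable by standard tooling again.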
Godlua: A Threat to the Cybersecurity Community
The discovery that Godlua uses DoH to hide its DNS traffic has drawn considerable attention in the security community, and many fear that other malware families will adopt the technique. Malware that resolves its C2 over DoH sends no plaintext DNS queries, so security products that rely on inspecting DNS traffic see nothing.
The community has historically found answers to the tricks malware employs, and DoH is unlikely to be an exception: defenders can, for example, restrict which resolvers their servers are allowed to reach and alert on HTTPS connections to public DoH endpoints from hosts that have no business using them.
Blocking DoH outright is not an option for most networks, because it is a legitimate privacy feature. Google, for instance, supports DoH on its free public DNS service, in part for users in countries where governments block and filter internet traffic based on passive DNS monitoring. <link to https://security.googleblog.com/2019/06/google-public-dns-over-https-doh.html>
Godlua: Possible Effects, Applications, and Damages
Through its command and control server, Godlua lets an attacker control infected systems remotely by sending them commands: the attacker can launch files and execute Linux commands.
In simple terms, it can be used to control computers remotely, and it can be used to install other malicious software, such as ransomware. Ransomware prevents victims from accessing their data by encrypting it with strong encryption; normally, the only way to obtain a decryption key or tool is to pay the criminals a specific amount, usually in cryptocurrency. Such programs typically cause financial and/or data loss. <link to https://www.pcrisk.com/common-types-of-computer-infections#ransomware>
Computers could also be infected with keystroke loggers, which record every key pressed and are used to steal sensitive information such as account logins and passwords, banking credentials, and more.
Cybercriminals might also use Godlua to spread cryptocurrency miners, which use the computer’s hardware to mine cryptocurrency by solving mathematical problems. These programs cause high CPU and/or GPU usage, slow the computer down, and can even render it unusable.
As mentioned above, one documented use of Godlua is DDoS attacks, whose purpose is to disrupt the normal traffic of the targeted network, service, or server by flooding it with unwanted traffic. Since Version 20190415103713 – 2019062117473 targets both Linux and Windows systems and is being actively updated, the malware is capable of causing a range of damage.
How Does It Infiltrate Computers?
Research shows that some systems were infected with Godlua through the Confluence exploit (CVE-2019-3396), a server-side template injection vulnerability in the Widget Connector of Confluence Server. This vector has only been observed against Linux systems, and no other infection methods have been documented.
Typically, cybercriminals spread malware through fake software updaters, Trojans, spam email campaigns, and other untrustworthy sources from which people download files and software.
How to Avoid Godlua and Other Malware
One of the best ways to avoid Godlua and other malware is to ignore questionable emails and the links attached to them. Download software only through direct links from official, trustworthy sources. Update installed programs only with the functions or tools provided by the official developers, and avoid “cracking” tools. Keep a credible anti-spyware or antivirus product installed and enabled at all times. For Internet-facing servers such as Confluence, apply vendor patches promptly; an unpatched Confluence instance is the one infection vector documented for Godlua.
If you believe that your computer is already infected, talk to a tech professional immediately. The removal of Godlua and other malware can be a lengthy, complicated process that requires advanced computer skills.
To Sum It All Up
We have yet to see the whole picture of the Godlua backdoor: how it works and how it infects its targets. At this point, we know that at least some Linux systems were infected through the Confluence exploit.
For now, we suggest monitoring and blocking suspicious URLs, IP addresses, and domain names, and watching for HTTPS connections to public DoH resolvers from servers that have no reason to use them.
If you have any further information about the threat, we would love to hear your thoughts.