First-ever malware strain spotted abusing new DoH (DNS over HTTPS) protocol

Godlua, a Linux DDoS bot, is the first-ever malware strain seen using DoH to hide its DNS traffic.

First of its kind: Malware Godlua abuses new DoH protocol to hide its trace Godlua, a Linux DDoS bot, is the first-ever malware strain seen abusing new DoH (DNS over HTTPS) protocol.

Security researchers from Netlab, a network threat hunting unit of Chinese cyber-security giant Qihoo 360, have discovered the first ever malware strain seen abusing the DNS over HTTPS (DoH) protocol.

The malware, named Godlua, was detailed in a report published on Monday by the company's researchers.

According to the Netlab team, Godlua is a malware strain written in Lua, which acts like a backdoor on infected systems. It's written to work on Linux servers, attackers are using a Confluence exploit (CVE-2019-3396) to infect outdated systems, and early samples uploaded on VirusTotal have mislabeled it as a cryptocurrency miner.

But Netlab researchers say the malware actually works as a DDoS bot and they've already seen it being used in attacks, with one aimed against liuxiaobei.com, the homepage of a Liu Xiaobei fan site.

DoH helps malware avoid passive DNS monitoring

Researchers say they've spotted two Godlua versions so far, with a somewhat similar architecture. Both versions used DNS over HTTPS requests to retrieve the TXT (text record) of a domain name, where the URL of a subsequent command and control (C&C) server was being stored, and to which the Godlua malware was supposed to connect for further instructions.

This technique of retrieving the URL addresses of second/third stage C&C server from DNS text records isn't new. The newness here is the usage of a DoH request instead of a classical DNS request.

As the protocol's name clearly states, DNS over HTTPS works by sending DNS requests via an encrypted HTTPS connection, rather than using a classic plaintext UDP request.

The DoH (DNS) request is encrypted and invisible to third-party observers, including cyber-security software that relies on passive DNS monitoring to block requests to known malicious domains.

Looming problem for cyber-security community

The discovery that Godlua uses DoH to hide DNS traffic sent shockwaves through the cyber-security community this week, with many reacting on both Twitter [1, 2] and Reddit.

Many have expressed fears that other malware strains will now also adopt this feature, rendering a large chunk of cyber-security products that rely on passive DNS monitoring useless.

Their fear is justified; however, the cyber-security community has always found workarounds to any tricks malware employs, and it's expected they'll find one to deal with any strains that use DoH, as well.

More info on the DoH protocol can be found in the Internet Engineering Task Force's (IETF) document RFC 8484.

Major browsers like Firefox and Chrome already support DoH. Last month, Google announced DoH support for its public DNS service, which the company provides for free to users in countries where governments are filtering and blocking internet traffic based on passive DNS monitoring.

Related malware and cybercrime coverage: