Godlua Malware Targets Linux Server Systems Too
Security researchers from Netlab found a new Lua-based backdoor malware known as Godlua. It targets both Windows and Linux users.
According to Netlab, the file itself is a Lua-based Backdoor; we named it Godlua Backdoor as the Lua byte-code file loaded by this sample has a magic number of “God”.
Godlua Backdoor has a redundant communication mechanism for C2 connection; a combination of hardcoded DNS name, Pastebin.com, GitHub.com as well as DNS TXT are used to store the C2 address, which is not something we see often.
At the same time, it uses HTTPS to download Lua byte-code files, and uses DNS over HTTPS to get the C2 name to ensure secure communication between the bots, the Web Server and the C2.
Researchers noticed that there are already 2 versions of Godlua Backdoor and there are ongoing updates. We also observed that attackers have been using Lua command to run Lua code dynamically and initiate HTTP Flood attacks targeting some websites.
The Netlab researchers found two versions of Godlua malware.
- The first version (201811051556) is obtained by traversing Godlua download servers. It targets Linux systems and supports two kinds of C2 instructions: to execute Linux system commands and to run custom files.
- The second version (20190415103713 ~ 20190621174731) is the active version and runs on both Windows and Linux. The control module is implemented in Lua and five C2 commands are supported.
They are all written in the C programming language, but the active one supports more computer platforms and more features.
How Godlua Works
It works in three stages:
- The backdoor uses 3 different ways to store the Stage-1 URL: hardcoded ciphertext, GitHub project description, and Pastebin text.
- After the Stage-1 URL is retrieved and decrypted, a start.png file will be downloaded, which is actually a Lua bytecode.
- The Bot then loads it into memory and executes it to get the Stage-2 URL
Two mechanisms are used for storing the Stage-2 URL: a GitHub project file and DNS over HTTPS.
After the Stage-2 URL is retrieved and decrypted, a run.png file, also a Lua bytecode, will be downloaded.
Stage-3 C2 is hardcoded in the Lua byte-code file (run.png).
Lua script analysis
The Bot sample downloads many Lua scripts when executing, and the scripts can be broken down to three categories: execute, auxiliary, and attack.
- execute: start.png, run.png, quit.png, watch.png, upgrade.png, proxy.png
- auxiliary: packet.png, curl.png, util.png, utils.png
- attack: VM.png, CC.png
Bot will load this file into memory and run it to get Stage-3 C2.
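A defender-side check built on the details above (Lua bytecode served under `.png` names, with a magic of “God”), as an added example that is not Netlab's code or part of the original article. The position of the `God` tag in the header and the sample bytes are assumptions constructed for illustration.

```python
from pathlib import PurePosixPath

PNG_SIG = b"\x89PNG\r\n\x1a\n"  # standard PNG file signature
LUA_SIG = b"\x1bLua"            # standard precompiled Lua chunk signature
GOD_TAG = b"God"                # magic the article reports for Godlua bytecode

# Script names listed in the article, lowercased for comparison.
GODLUA_NAMES = {n.lower() for n in (
    "start.png", "run.png", "quit.png", "watch.png", "upgrade.png", "proxy.png",
    "packet.png", "curl.png", "util.png", "utils.png", "VM.png", "CC.png")}

def classify(data: bytes) -> str:
    """Identify content by its leading bytes, ignoring the file name."""
    if data.startswith(PNG_SIG):
        return "png"
    if data.startswith(LUA_SIG):
        return "lua-bytecode"
    # Assumption: the "God" tag sits within the first 4 bytes, where "Lua" would be.
    if GOD_TAG in data[:4]:
        return "godlua-bytecode"
    return "unknown"

def triage(name: str, data: bytes) -> dict:
    """Score one downloaded file: does a .png name hide non-image content?"""
    base = PurePosixPath(name).name.lower()
    kind = classify(data)
    mismatch = base.endswith(".png") and kind != "png"
    if mismatch and kind.endswith("bytecode"):
        severity = "high"    # Lua bytecode served under an image extension
    elif mismatch:
        severity = "medium"  # not an image, content type unknown
    else:
        severity = "none"
    return {"file": base, "kind": kind, "listed_name": base in GODLUA_NAMES,
            "severity": severity}

# Constructed sample downloads (bytes are illustrative, not real samples).
SAMPLES = [
    ("/img/logo.png", PNG_SIG + b"\x00\x00\x00\rIHDR"),
    ("/dl/start.png", b"\x1bGod\x53\x00\x01"),
    ("/dl/run.png", b"\x1bLua\x53\x00\x01"),
    ("/dl/banner.png", b"<html>not an image</html>"),
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        print(triage(name, data))
```

A file name from the list alone is weak evidence, so `listed_name` is reported separately and severity is driven by the content mismatch.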
“During the last test, we aren’t passing any cookies, these domains aren’t ones that the user would automatically retrieve and just contain dummy content, so we aren’t disclosing anything to the resolver or Facebook about users’ browsing behavior,” said Mozilla.
“Users can resolve DNS using DoH at the dns.google domain with the same anycast addresses (like 220.127.116.11) as regular DNS service, with lower latency from our edge PoPs throughout the world,” Google said in a blog post.
Applications should use dns.google instead of dns.google.com. Applications can query dns.google at well-known Google Public DNS addresses, without needing an extra DNS lookup.