Godlua Backdoor Uses CVE-2019-3396 to Target Linux Users
CYBER NEWS


A new piece of advanced backdoor malware can target both Linux and Windows systems and uses a secure, previously unseen communication scheme. The backdoor has been dubbed Godlua because it is Lua-based and, in the researchers' words, “the Lua byte-code file loaded by this sample has a magic number of ‘God’.” The primary purpose of the backdoor appears to be DDoS.

Godlua Backdoor: Details

According to Qihoo 360 researchers, there are two versions of Godlua:

Version 201811051556 was obtained by traversing the Godlua download servers and has not been updated since. Versions 20190415103713 through 2019062117473 are active and still being updated. Both are written in C (the C loader runs the Lua byte-code mentioned above), but the active branch supports more platforms and more features.

The malware was discovered on April 24 of this year, when the researchers' threat detection system flagged a suspicious ELF file that other security vendors had classified as a mining Trojan. The mining functionality has not been confirmed; the DDoS functionality, by contrast, is already in use.

The most interesting aspect of the Godlua backdoor is the redundant mechanism it uses to locate its command-and-control (C2) server. The C2 address can be stored in any of four places: a hardcoded DNS name, Pastebin.com, GitHub.com, or a DNS TXT record. Such redundancy is rarely seen in malware. Furthermore, the backdoor downloads its Lua byte-code files over HTTPS and resolves the C2 name over DNS over HTTPS (DoH), so that traffic between the bots, the web server and the C2 is encrypted end to end, the researchers reported. Because the C2 name is resolved over DoH, the lookup never appears in conventional DNS logs, which is what makes the scheme hard to block at the resolver.
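The pattern described above (a DoH lookup, ideally for a TXT record, followed shortly by a fetch from a public dead-drop site such as Pastebin or GitHub) is something a defender can hunt for in outbound proxy logs even though the DNS query itself is encrypted. The script below is an added example written for this page, not code from the researchers' disclosure or from the malware. The resolver list, the dead-drop host list, the log format and the log lines are all constructed for illustration; the C2 name and dead-drop paths are placeholders and should be replaced with the indicators published by the researchers.

```python
"""Flag hosts whose proxy traffic matches the Godlua C2-resolution pattern:
a DNS-over-HTTPS lookup (ideally for a TXT record) followed shortly by a
fetch from a public dead-drop site such as Pastebin or GitHub."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse

# Illustrative lists of public DoH resolvers and dead-drop hosts (assumed);
# extend them with the indicators from the researchers' disclosure.
DOH_RESOLVERS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}
DEAD_DROP_HOSTS = {"pastebin.com", "github.com",
                   "raw.githubusercontent.com", "gist.githubusercontent.com"}

# Constructed sample proxy log (not real Godlua traffic); the C2 name and
# dead-drop paths are placeholders. Format: "<UTC time> <src ip> <method> <url>"
SAMPLE_LOG = """\
2019-07-01T10:00:01Z 10.0.0.5 GET https://dns.google/resolve?name=c2.example.invalid&type=TXT
2019-07-01T10:00:03Z 10.0.0.5 GET https://pastebin.com/raw/placeholder
2019-07-01T10:00:04Z 10.0.0.5 GET https://raw.githubusercontent.com/user/repo/master/c2.txt
2019-07-01T10:05:00Z 10.0.0.7 GET https://www.example.com/index.html
2019-07-01T11:00:00Z 10.0.0.9 GET https://raw.githubusercontent.com/python/cpython/master/README.rst
2019-07-01T12:00:00Z 10.0.0.8 GET https://cloudflare-dns.com/dns-query?name=example.com&type=A
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def classify(url):
    """Return 'doh_txt', 'doh', 'dead_drop' or None for a requested URL."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    if host in DOH_RESOLVERS:
        # JSON-style DoH APIs carry the record type in the query string;
        # wire-format /dns-query requests hide it, so they count as plain 'doh'.
        rtype = parse_qs(parts.query).get("type", [""])[0].upper()
        return "doh_txt" if rtype == "TXT" else "doh"
    if host in DEAD_DROP_HOSTS:
        return "dead_drop"
    return None


def find_c2_resolution_chains(log_text, window_minutes=10):
    """Map source IP -> sorted URLs for hosts that paired a DoH lookup with a
    dead-drop fetch inside the time window. A lone dead-drop fetch or a lone
    DoH lookup is not reported, which keeps ordinary GitHub traffic quiet."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, _method, url = m.groups()
        kind = classify(url)
        if kind:
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
            events[src].append((when, kind, url))

    window = timedelta(minutes=window_minutes)
    flagged = {}
    for src, evs in events.items():
        lookups = [e for e in evs if e[1].startswith("doh")]
        drops = [e for e in evs if e[1] == "dead_drop"]
        pairs = [(lk, d) for lk in lookups for d in drops if abs(lk[0] - d[0]) <= window]
        if pairs:
            flagged[src] = sorted({e[2] for pair in pairs for e in pair})
    return flagged


if __name__ == "__main__":
    for src, urls in find_c2_resolution_chains(SAMPLE_LOG).items():
        print(f"{src}: possible Godlua-style C2 resolution chain")
        for u in urls:
            print("   ", u)
```

On the constructed log only 10.0.0.5 is reported: it performs a TXT lookup through a DoH resolver and then fetches from two dead-drop sites within seconds. The host that only pulls a README from GitHub and the host that only makes a DoH A-record query are left alone, because the signal is the combination, not either half. The window and the host lists are the knobs to tune; the DoH resolver list in particular has to cover whichever resolver the sample actually contacts.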

As already mentioned, the primary purpose of Godlua appears to be DDoS. It has already been observed in an active campaign: an HTTP flood attack against the liuxiaobei[.]com domain.

Related: Yowai Botnet, a Mirai Variant, Exploits Known ThinkPHP Vulnerability

The researchers need to see more Godlua samples before they can determine how the backdoor reaches its targets. So far the only confirmed vector is the so-called Confluence exploit (CVE-2019-3396), which is used to compromise Linux hosts.

CVE-2019-3396 is a vulnerability in the Widget Connector macro of Atlassian Confluence Server. It affects versions before 6.6.12 (the fixed version for 6.6.x), from 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from 6.13.0 before 6.13.3 (the fixed version for 6.13.x), and from 6.14.0 before 6.14.2 (the fixed version for 6.14.x).

The vulnerability allows a remote attacker to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection, as explained in the official advisory. Note that the exploit requires no credentials, so any Internet-exposed Confluence instance in the affected ranges is a candidate target.
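The four affected ranges above are easy to misread during triage because the lower bound is inclusive and the upper bound (the fixed release) is exclusive. The checker below encodes exactly those ranges and is an added example written for this page; it is not Atlassian code and not part of the article. Any version that falls outside every listed range is reported as "not affected" purely because this page lists no other ranges; confirm later branches against the vendor advisory before relying on that verdict.

```python
"""Check whether a Confluence Server/Data Center version falls inside the
CVE-2019-3396 affected ranges quoted in the text above."""

# (inclusive lower bound, exclusive upper bound) per affected branch.
# The upper bound of each range is the fixed release for that branch.
AFFECTED_RANGES = [
    ((0, 0, 0), (6, 6, 12)),    # everything before 6.6.12
    ((6, 7, 0), (6, 12, 3)),    # 6.7.0 up to, not including, 6.12.3
    ((6, 13, 0), (6, 13, 3)),   # 6.13.0 up to, not including, 6.13.3
    ((6, 14, 0), (6, 14, 2)),   # 6.14.0 up to, not including, 6.14.2
]


def parse_version(version):
    """'6.12.2' -> (6, 12, 2). Missing components count as 0 and a
    pre-release suffix such as '6.13.0-beta1' is ignored for comparison."""
    core = version.strip().split("-", 1)[0]
    try:
        parts = [int(p) for p in core.split(".")]
    except ValueError:
        raise ValueError(f"unrecognised Confluence version: {version!r}") from None
    if not parts or len(parts) > 3:
        raise ValueError(f"unrecognised Confluence version: {version!r}")
    return tuple(parts + [0] * (3 - len(parts)))


def is_vulnerable(version):
    """True if the version lies inside any range listed in AFFECTED_RANGES.
    Versions outside every range (for example 6.15.x) return False only
    because no further ranges are quoted on this page."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def triage(versions):
    """Return {version: 'vulnerable' | 'not affected'} for an inventory list."""
    return {ver: ("vulnerable" if is_vulnerable(ver) else "not affected")
            for ver in versions}


if __name__ == "__main__":
    # Constructed inventory, not taken from the article.
    for ver, state in triage(["6.6.11", "6.6.12", "6.12.2", "6.13.3", "6.14.1"]).items():
        print(f"Confluence {ver}: {state}")
```

The boundary cases are the ones that matter: 6.6.12, 6.12.3, 6.13.3 and 6.14.2 are the fixed builds and come back "not affected", while 6.6.11, 6.12.2, 6.13.0 and 6.14.1 are inside a range. Feed `triage()` the version strings from your asset inventory rather than checking instances by hand.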

The researchers' advice is, at a minimum, to “monitor and block the relevant IP, URL and domain name of Godlua Backdoor on your network”. A full technical disclosure of the Godlua backdoor, including those indicators, is available from the Qihoo 360 researchers.


Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum for 4 years. Enjoys ‘Mr. Robot’ and fears ‘1984’. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles!
