Godlua Backdoor Uses CVE-2019-3396 to Target Linux Users


There’s a new piece of advanced backdoor malware that can target both Linux and Windows systems using a secure, previously unseen communication mechanism. The backdoor has been dubbed Godlua, as it is Lua-based and “the Lua byte-code file loaded by this sample has a magic number of ‘God’”. The primary purpose of the backdoor appears to be DDoS.

Godlua Backdoor: Details

According to Qihoo 360 researchers, there are two versions of Godlua:

Version 201811051556 was obtained by traversing the Godlua download servers, and there has been no update to it. Version 20190415103713 ~ 2019062117473 is active and is being actively updated. Both are written in C, but the active one supports more platforms and more features.

The malware was discovered on April 24 of this year, when the researchers’ threat detection system flagged a suspicious ELF file that other security vendors had marked as a mining Trojan. The mining functionality cannot currently be confirmed, unlike the DDoS functionality, which is already in use.

The most interesting fact about the Godlua backdoor is its redundant communication mechanism for the command and control (C2) connection. It combines a hardcoded DNS name, Pastebin.com, GitHub.com and a DNS TXT record, all of which are used to store the C2 address. This behavior is rarely seen in malware. Further, the backdoor uses HTTPS to download Lua byte-code files and uses DNS over HTTPS to obtain the C2 name, ensuring secure communication between the bots, the web server and the C2, the researchers reported.

As already mentioned, the primary purpose of Godlua appears to be related to DDoS attacks. It has already been detected in active campaigns in an HTTP flood attack against the liuxiaobei[.]com domain.

Related: Yowai Botnet, Mirai Variant, Exploits Known ThinkPHP Vulnerability

The researchers need to see more of Godlua to determine how the backdoor infects its targets. So far, the only thing known is that the malware uses the so-called Confluence exploit (CVE-2019-3396) to target Linux users.

CVE-2019-3396 is a vulnerability in the Widget Connector macro in Atlassian Confluence Server before version 6.6.12 (the fixed version for 6.6.x), from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x), and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x).

The vulnerability allows remote attackers to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection, as explained in the official advisory.
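As an added example (not from the article or the researchers), the version ranges listed above can be turned into a patch-status check for a Confluence inventory. The version strings in it are constructed for illustration, and any version at or above the listed fixed version of its branch is treated as outside the affected ranges.

```python
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

# Affected ranges for CVE-2019-3396 as stated in the article:
# (lower bound inclusive, or None for "every earlier version"; upper bound exclusive = fixed version)
AFFECTED_RANGES: List[Tuple[Optional[Version], Version]] = [
    (None, (6, 6, 12)),          # before 6.6.12
    ((6, 7, 0), (6, 12, 3)),     # 6.7.0 up to, but not including, 6.12.3
    ((6, 13, 0), (6, 13, 3)),    # 6.13.0 up to, but not including, 6.13.3
    ((6, 14, 0), (6, 14, 2)),    # 6.14.0 up to, but not including, 6.14.2
]


def parse_version(text: str) -> Version:
    """Turn '6.12.3' (or '6.12.3-something') into a comparable int tuple, padded to 3 parts."""
    core = text.strip().split("-")[0]
    parts = tuple(int(p) for p in core.split("."))
    return parts + (0,) * max(0, 3 - len(parts))


def fixed_version_for(text: str) -> Optional[str]:
    """Return the fixed version an affected instance should move to, or None if not affected."""
    v = parse_version(text)
    for low, high in AFFECTED_RANGES:
        if (low is None or v >= low) and v < high:
            return ".".join(str(n) for n in high)
    return None


def is_affected(text: str) -> bool:
    return fixed_version_for(text) is not None


def audit(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Report (host, version, fix) for each inventory entry inside an affected range."""
    return [(host, ver, fixed_version_for(ver)) for host, ver in inventory if is_affected(ver)]


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [("wiki-a", "6.6.11"), ("wiki-b", "6.12.4"), ("wiki-c", "6.13.1"), ("wiki-d", "6.15.0")]
    for host, ver, fix in audit(sample):
        print(f"{host}: Confluence {ver} is in an affected range; upgrade to {fix}")
```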

The researchers’ suggestion is to at least “monitor and block the relevant IP, URL and domain name of Godlua Backdoor on your network”. The full technical disclosure of the Godlua backdoor is available.


Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum for 4 years. Enjoys ‘Mr. Robot’ and fears ‘1984’. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. When common sense makes no sense, she will be there to take notes. Those notes may later turn into articles!
