There’s a new piece of advanced backdoor malware that targets both Linux and Windows systems and uses a secure, previously unseen communication mechanism. The backdoor has been dubbed Godlua, as it is Lua-based and “the Lua byte-code file loaded by this sample has a magic number of ‘God’”. The primary purpose of the backdoor appears to be DDoS.
Godlua Backdoor: Details
According to Qihoo 360 researchers, there are two versions of Godlua:
Version 201811051556 was obtained by traversing Godlua download servers and has not been updated since. Version 20190415103713 ~ 2019062117473 is active and is actively being updated. Both are written in C, but the active one supports more computer platforms and more features.
The malware was discovered on April 24 this year, when the researchers’ threat detection system flagged a suspicious ELF file that other security vendors had marked as a mining Trojan. The mining functionality cannot currently be confirmed, unlike the DDoS capability, which is already in use.
The most interesting fact about the Godlua backdoor is its redundant mechanism for locating its command and control (C2) server: a combination of a hardcoded DNS name, Pastebin.com, GitHub.com and DNS TXT records is used to store the C2 address, a behavior rarely seen in malware. Furthermore, the backdoor downloads its Lua byte-code files over HTTPS and uses DNS over HTTPS to obtain the C2 name, securing communication between the bots, the Web Server and the C2, the researchers reported.
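As an added illustration (not code from the researchers’ report), the check below looks for that lookup chain from a defender’s side: it flags a host whose DNS and proxy logs show several of the indicator classes (paste-site fetch, DNS TXT lookup, DNS-over-HTTPS request) within a short window. The resolver and paste-site watchlists and the sample log lines are assumptions constructed here.

```python
"""Flag hosts whose logs show the Godlua-style C2 lookup chain (paste-site
fetch, DNS TXT lookup, DNS-over-HTTPS request) clustered in a short window."""
from collections import defaultdict
from urllib.parse import urlparse

# Assumed watchlists (not taken from the report); tune to your environment.
DOH_RESOLVERS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}
PASTE_HOSTS = {"pastebin.com", "raw.githubusercontent.com", "github.com"}

# Constructed log lines: "<epoch> <src_ip> <kind> <value>", where kind "dns"
# carries "<qtype>:<qname>" and kind "http" carries the requested URL.
SAMPLE_LOG = """\
1561900000 10.0.0.5 http https://pastebin.com/raw/constructedid
1561900003 10.0.0.5 dns TXT:c2.example.test
1561900004 10.0.0.5 http https://dns.google/resolve?name=c2.example.test&type=TXT
1561900010 10.0.0.9 http https://raw.githubusercontent.com/acme/app/main/README.md
1561900011 10.0.0.9 dns A:updates.example.test
1561905000 10.0.0.7 dns TXT:example.test
1561906000 10.0.0.7 http https://cloudflare-dns.com/dns-query?name=example.test
"""

def classify(kind, value):
    """Map one event to an indicator class, or None if it is not of interest."""
    if kind == "dns":
        return "dns_txt" if value.partition(":")[0] == "TXT" else None
    host = urlparse(value).hostname or ""
    if host in DOH_RESOLVERS:
        return "doh"
    return "paste_fetch" if host in PASTE_HOSTS else None

def flag_hosts(log_text, window=300, min_classes=2):
    """Return {src_ip: sorted classes} for hosts showing at least min_classes
    distinct indicator classes within `window` seconds of one another."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        ts, src, kind, value = line.split(" ", 3)
        cls = classify(kind, value)
        if cls:
            events[src].append((int(ts), cls))
    hits = {}
    for src, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            seen = {c for t, c in evs[i:] if t - t0 <= window}
            if len(seen) >= min_classes:
                hits[src] = sorted(seen)
                break
    return hits
```

With the constructed log, only 10.0.0.5 is flagged: 10.0.0.9 shows a single class and 10.0.0.7 spreads its two classes over more than the five-minute window.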
As already mentioned, the primary purpose of Godlua appears to be related to DDoS attacks. It has already been detected in active campaigns in an HTTP flood attack against the liuxiaobei[.]com domain.
The researchers need to see more of Godlua before they can determine how the backdoor infects its targets. So far the only thing known is that the malware uses the so-called Confluence exploit (CVE-2019-3396) to target Linux users.
CVE-2019-3396 is a vulnerability that resides in the Widget Connector macro in Atlassian Confluence Server before version 6.6.12 (the fixed version for 6.6.x), from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x), and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x).
The vulnerability allows remote attackers to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection, as explained in the official advisory.
The researchers’ suggestion is to at least “monitor and block the relevant IP, URL and domain name of Godlua Backdoor on your network”. Full technical disclosure of Godlua backdoor is available.