First-ever malware strain spotted abusing new DoH (DNS over HTTPS) protocol

guest · Jul 3, 2019

First-ever malware strain spotted abusing new DoH (DNS over HTTPS) protocol
Godlua, a Linux DDoS bot, is the first-ever malware strain seen using DoH to hide its DNS traffic
July 3, 2019
https://www.zdnet.com/article/first...tted-abusing-new-doh-dns-over-https-protocol/

Security researchers from Netlab, a network threat hunting unit of Chinese cyber-security giant Qihoo 360, have discovered the first ever malware strain seen abusing the DNS over HTTPS (DoH) protocol.
The malware, named Godlua, was detailed in a report published on Monday by the company's researchers.
DOH HELPS MALWARE AVOID PASSIVE DNS MONITORING
Researchers say they've spotted two Godlua versions so far, with a somewhat similar architecture. Both versions used DNS over HTTPS requests to retrieve the TXT (text record) of a domain name, where the URL of a subsequent command and control (C&C) server was being stored, and to which the Godlua malware was supposed to connect for further instructions.

The DoH (DNS) request is encrypted and invisible to third-party observers, including cyber-security software that relies on passive DNS monitoring to block requests to known malicious domains.
Click to expand...

LOOMING PROBLEM FOR CYBER-SECURITY COMMUNITY
The discovery that Godlua uses DoH to hide DNS traffic sent shockwaves through the cyber-security community this week, with many reacting on both Twitter [1, 2] and Reddit.

Their fear is justified; however, the cyber-security community has always found workarounds to any tricks malware employs, and it's expected they'll find one to deal with any strains that use DoH, as well.
Click to expand...

itman · Jul 3, 2019

Dang! I just enabled DoH in FireFox.

guest · Aug 4, 2020

Iranian hacker group becomes first known APT to weaponize DNS-over-HTTPS (DoH)
Kaspersky says Oilrig (APT34) group has been using DoH to silently exfiltrate data from hacked networks
August 4, 2020
https://www.zdnet.com/article/irani...st-known-apt-to-weaponize-dns-over-https-doh/

An Iranian hacking group known as Oilrig has become the first publicly known threat actor to incorporate the DNS-over-HTTPS (DoH) protocol in its attacks.

According to Diaz, Oilrig operators began using a new utility called DNSExfiltrator as part of their intrusions into hacked networks.
DNSExfiltrator is an open-source project available on GitHub that creates covert communication channels by funneling data and hiding it inside non-standard protocols.
Click to expand...

Oilrig is most likely using DoH as an exfiltration channel to avoid having its activities detected or monitored while moving stolen data.
This is because the DoH protocol is currently an ideal exfiltration channel for two primary reasons. First, it's a new protocol that not all security products are capable of monitoring. Second, it's encrypted by default, while DNS is cleartext.
OILRIG HAS A HISTORY WITH DNS EXFILTRATION CHANNELS
The fact that Oilrig was one of the first APTs (Advanced Persistent Threats -- a term used to describe government-backed hacking groups) to deploy DoH is also not a surprise.
Historically, the group has dabbled with DNS-based exfiltration techniques. [...]
Click to expand...

But while Oilrig is the first publicly reported APT to use DoH, it is now the first malware operation to do so, in general. Godlua, a Lua-based Linux malware strain was the first to deploy DoH as part of its DDoS botnet in July 2019, according to a report from Netlab, a network threat hunting unit of Chinese cyber-security giant Qihoo 360.
Click to expand...

xxJackxx · Aug 6, 2020

Seems like an exaggerated situation to me. Words like weaponizing and abusing seem over the top. They are taking advantage of the technology for sure. It seems like the lesser of your problems at the point at which it would matter.

Log in or Sign up

First-ever malware strain spotted abusing new DoH (DNS over HTTPS) protocol

guest Guest

itman Registered Member

guest Guest

xxJackxx Registered Member

Log in or Sign up

First-ever malware strain spotted abusing new DoH (DNS over HTTPS) protocol

guest Guest

itman Registered Member

guest Guest

xxJackxx Registered Member

Useful Searches