uTalk

Official forum for Utopia Community

#1 2023-06-17 21:43:06

thrive
Member
Registered: 2023-01-04
Posts: 2,575

Covert CnC with a New Linux Backdoor Using DNS-over-HTTPS Tunneling

A new development in the capabilities of the threat actor known as ChamelGang is the observation of the threat actor using a previously unreported implant to backdoor Linux systems.

Stairwell has given the malware the moniker ChamelDoH. It is a C++-based tool for communicating via DNS-over-HTTPS (DoH) tunneling.

In September 2021, the Russian cybersecurity company Positive Technologies revealed ChamelGang for the first time, detailing its attacks on the countries of Russia, the US, India, Nepal, Taiwan, and Japan that produce fuel, energy, and aviation.

In order to gain initial access and conduct data theft attacks using a passive backdoor called DoorMe, attack chains mounted by the actor have taken advantage of vulnerabilities in Red Hat JBoss Enterprise Application and Microsoft Exchange servers.

Positive Technologies declared at the time that "this is a native IIS module that is registered as a filter through which HTTP requests and responses are processed. The backdoor only processes requests with the right cookie parameter set, which is an unusual way for it to operate."

For its part, the Linux backdoor found by Stairwell is intended to gather system data and has the ability to perform remote access tasks like file upload, download, deletion, and shell command execution.

Backdoor for Linux.
DoH, which is used to carry out Domain Name System (DNS) resolution via the HTTPS protocol, is used by ChamelDoH to send DNS TXT requests to a malicious nameserver. This novel communication technique makes ChamelDoH stand out.

As widely used DNS servers, these DoH providers [i.e. Cloudflare and Google] cannot be easily blocked enterprise-wide for legitimate traffic, according to Stairwell researcher Daniel Mayer.

Because HTTPS is used, requests made using DoH for command-and-control (C2) cannot be intercepted by an adversary-in-the-middle (AitM) attack. This provides the threat actor with additional advantages.
This implies that malicious DoH requests cannot be recognized and blocked by security tools, which would then cut off communication and convert it to an encrypted channel between a compromised host and the C2 server.

The outcome of this tactic is comparable to C2 via domain fronting, where traffic is sent to an actual service hosted on a CDN but is instead forwarded to a C2 server via the request's Host header - both detection and prevention are challenging, according to Mayer.

A total of 10 ChamelDoH samples were found on VirusTotal, according to the California-based cybersecurity company, one of which was uploaded on December 14, 2022.

According to the most recent research, "the group has also committed significant time and effort to researching and developing an equally robust toolset for Linux intrusions," Mayer said.
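As an added defender-side example (not code from the article, from Stairwell, or from the malware itself), the script below checks for the DoH TXT-tunneling pattern the post describes. It assumes an endpoint agent or TLS-inspecting proxy that records the originating process and the full DoH JSON-API request URL; the log lines and the tunnel domain are constructed placeholders.

```python
import math
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Public DoH JSON endpoints (host -> query path) that the post names as hard to block.
DOH_ENDPOINTS = {"cloudflare-dns.com": "/dns-query", "dns.google": "/resolve"}

# Constructed sample log: "<process> <method> <url>", as an endpoint agent or
# TLS-inspecting proxy might record it. The tunnel domain is a placeholder.
SAMPLE_LOG = """\
firefox GET https://cloudflare-dns.com/dns-query?name=example.com&type=A
postfix GET https://dns.google/resolve?name=_dmarc.example.com&type=TXT
updater GET https://cloudflare-dns.com/dns-query?name=4a7d1ed414474e4033ac29ccb8653d9b.ns1.tunnel-placeholder.example&type=TXT
updater GET https://dns.google/resolve?name=9f86d081884c7d659a2feaa0c55ad015.ns1.tunnel-placeholder.example&type=TXT
updater GET https://cloudflare-dns.com/dns-query?name=8c6976e5b5410415bde908bd4dee15df.ns1.tunnel-placeholder.example&type=TXT
"""


def shannon_entropy(text):
    """Bits per character; encoded payload labels score far above ordinary hostnames."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0


def parse_doh_query(line):
    """Return (process, qname, qtype) for a DoH JSON-API request line, else None."""
    fields = line.split(maxsplit=2)
    if len(fields) != 3:
        return None
    process, _method, url = fields
    parts = urlsplit(url)
    if DOH_ENDPOINTS.get(parts.hostname) != parts.path:
        return None  # ordinary HTTPS, not a DoH resolver endpoint
    params = parse_qs(parts.query)
    qname = params.get("name", [""])[0].lower().rstrip(".")
    qtype = params.get("type", ["A"])[0].upper()
    return process, qname, qtype


def find_txt_tunneling(log, min_label_len=16, entropy_threshold=3.0):
    """Map each process to the DoH TXT lookups whose leftmost label looks like encoded data."""
    suspects = {}
    for line in log.splitlines():
        parsed = parse_doh_query(line)
        if parsed is None or parsed[2] != "TXT":
            continue
        process, qname, _ = parsed
        label = qname.split(".")[0]  # the data-carrying label in a DNS tunnel
        if len(label) >= min_label_len and shannon_entropy(label) >= entropy_threshold:
            suspects.setdefault(process, []).append(qname)
    return suspects


if __name__ == "__main__":
    for process, names in find_txt_tunneling(SAMPLE_LOG).items():
        print(f"{process}: {len(names)} suspicious TXT lookups over DoH, e.g. {names[0]}")
```

Short TXT lookups such as the DMARC check from postfix are left alone, so the rule keys on the data-carrying label rather than on TXT queries as such.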
