New Godlua Malware Evades Traffic Monitoring via DNS over HTTPS [www.bleepingcomputer.com]
An Analysis of Godlua Backdoor [blog.netlab.360.com]
A lot of SOCs rely on DNS requests to malicious domains as an early and low-false-positive indication of compromise. If they don't have visibility into DoH, they'll go dark(er) soon as malware starts taking advantage of it. https://t.co/9ULx3vYV4h
— Wesley McGrew (@McGrewSecurity) July 3, 2019
New Godlua Malware Evades Traffic Monitoring via DNS over HTTPS https://t.co/LEomNtBNot
— The Cyber Security Hub (@TheCyberSecHub) July 3, 2019
New Godlua Malware Evades Traffic Monitoring via DNS over HTTPS https://t.co/bWreBwlOQT
— Nicolas Krassas (@Dinosn) July 3, 2019
This is the first analysis of malware leveraging DNS over HTTPS I've seen - https://t.co/LcClinudzt
— Nick Biasini (@infosec_nick) July 2, 2019
Godlua Linux malware that engages in cryptomining and DDoS first to use DNS-over-HTTPS to get C&C server name https://t.co/aW9zqCd5P5 pic.twitter.com/plvWM7cjvh
— Virus Bulletin (@virusbtn) July 3, 2019
Ula Badula it's time for #Godlua:
- first-ever malware abusing new DoH (DNS over HTTPS) protocol
- it's a DDoS bot
- it's a Lua-based backdoor
- targets Linux servers via Confluence exploit CVE-2019-3396
via @360Netlab @zom3y3
cc: @0xrb https://t.co/vh6csqfbdj pic.twitter.com/X0ZAkOaT6R
— Odisseus (@_odisseus) July 3, 2019
An Analysis of Godlua Backdoor - 360 Total Security https://t.co/o1tsfahR9m via @nuzzel thanks @stvemillertime
— alexander knorr (@opexxx) July 3, 2019
New Linux/Windows malware that abuses "DNS over HTTPS" protocol. #Godlua #IOC #MD5 #UNIX #Linux #Malware
Samples: https://t.co/CER0l7q8eN
Article: https://t.co/P00YoYnVWe
— Frankie McEyes (@theVirus00) July 3, 2019
First malware known to have used DNS over HTTPS - passive network visibility go *pooof* https://t.co/y5ZWWLzNO7
— /r/netsec (@_r_netsec) July 3, 2019
Our latest blog, Godlua Backdoor, it is something a little bit special, it uses a combination of hardcoded dns name, https://t.co/NMcKWbKudp, https://t.co/bNJuBoDSyo as well as DNS TXT to store the C2 address, which is something we don't see often. https://t.co/J7U0ggNPgs
— 360 Netlab (@360Netlab) July 1, 2019
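The Netlab tweet above describes the C2 lookup (a DNS TXT record fetched over DoH), and Wesley McGrew's point is that a SOC watching port-53 traffic never sees that query. As an added example, not code from Netlab or from the Godlua sample, the following Python builds the kind of TXT query a DoH client sends (an RFC 8484 GET with a base64url `dns=` parameter, or a POST with the wire-format message as the body) and then, on the defender side, decodes the same request back into the queried name and record type, which is what a TLS-terminating proxy or inspecting egress gateway can log. The resolver endpoint `doh.example.net`, the hostnames and the proxy log lines are all constructed for this example.

```python
import base64
import struct
from urllib.parse import parse_qs, urlparse

# Hypothetical DoH resolver endpoint (assumption; the real names are elided on the page).
DOH_ENDPOINT = "https://doh.example.net/dns-query"
QTYPE_TXT = 16
QTYPE_NAMES = {1: "A", 16: "TXT", 28: "AAAA"}


def encode_name(name):
    """Encode a dotted hostname as DNS wire-format labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_txt_query(name, txn_id=0):
    """Build a wire-format TXT question (RFC 1035); ID 0 is what RFC 8484 suggests for cacheability."""
    header = struct.pack(">HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return header + encode_name(name) + struct.pack(">HH", QTYPE_TXT, 1)


def doh_get_url(name, endpoint=DOH_ENDPOINT):
    """Client side: RFC 8484 GET form, base64url-encoded query with padding stripped."""
    q = base64.urlsafe_b64encode(build_txt_query(name)).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={q}"


def decode_name(msg, off):
    """Decode a wire-format name at offset, following compression pointers."""
    labels = []
    while True:
        ln = msg[off]
        if ln == 0:
            return ".".join(labels), off + 1
        if ln & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, ptr)
            labels.append(tail)
            return ".".join(labels), off + 2
        labels.append(msg[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln


def parse_questions(msg):
    """Return [(qname, qtype_name)] from the question section of a DNS message."""
    qdcount = struct.unpack(">H", msg[4:6])[0]
    off, out = 12, []
    for _ in range(qdcount):
        name, off = decode_name(msg, off)
        qtype, _qclass = struct.unpack(">HH", msg[off:off + 4])
        off += 4
        out.append((name, QTYPE_NAMES.get(qtype, str(qtype))))
    return out


def questions_from_doh_request(method, url, body=b""):
    """Defender side: recover the DNS question from a DoH request seen after TLS termination."""
    if method == "GET":
        params = parse_qs(urlparse(url).query)
        if "dns" not in params:
            return []
        raw = params["dns"][0]
        raw += "=" * (-len(raw) % 4)  # restore the base64 padding RFC 8484 strips
        return parse_questions(base64.urlsafe_b64decode(raw))
    if method == "POST" and body:
        return parse_questions(body)
    return []


# Constructed proxy log: (method, url, request media type, body). Not real Godlua traffic.
SAMPLE_LOG = [
    ("GET", "https://www.example.org/index.html", "text/html", b""),
    ("GET", doh_get_url("c2-lookup.example.net"), "application/dns-message", b""),
    ("POST", DOH_ENDPOINT, "application/dns-message", build_txt_query("txt.example.net")),
]


def flag_doh_lookups(log):
    """Return the DNS questions hidden inside DoH requests in a proxy log."""
    hits = []
    for method, url, media_type, body in log:
        # DoH requests carry application/dns-message (Accept on GET, Content-Type on POST)
        # or a dns= query parameter; everything else is ordinary HTTPS and is skipped.
        if media_type != "application/dns-message" and "dns=" not in urlparse(url).query:
            continue
        hits.extend(questions_from_doh_request(method, url, body))
    return hits


if __name__ == "__main__":
    for qname, qtype in flag_doh_lookups(SAMPLE_LOG):
        print(f"DoH lookup: {qname} {qtype}")
```

Decoding the question this way only works where the proxy sees plaintext HTTP, i.e. with TLS termination on the egress path. Without it, the fallback is coarser: alert on connections to known DoH resolver endpoints (by SNI or destination) from hosts that have no business using them, and treat TXT lookups surfacing through such a channel as worth a look, since the Netlab write-up describes the C2 address being stored in a TXT record.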
First-ever malware strain spotted abusing new DoH (DNS over HTTPS) protocol
- malware is named Godlua
- it's a DDoS bot
- targets Linux servers via Confluence exploit CVE-2019-3396 https://t.co/L4AWjx5SrX pic.twitter.com/pfICAUx0Om
— Catalin Cimpanu (@campuscodi) July 3, 2019
First-ever malware strain spotted abusing new #DoH (DNS over HTTPS) protocol | #Godlua #linux #netsec #malware | https://t.co/3ZEe1jq6li
— ⌈Phusion⌉ (@phusion) July 3, 2019
Not terribly surprising, but notable: "First-ever malware strain spotted abusing new DoH (DNS over HTTPS) protocol” by @campuscodi https://t.co/AlpMh4bMpn
— Joseph Lorenzo Hall, PhD (@JoeBeOne) July 3, 2019
"Security researchers from Netlab, a network threat hunting unit of Chinese cyber-security giant Qihoo 360, have discovered the first ever malware strain seen abusing the DNS over HTTPS (DoH) protocol." https://t.co/k9b3BNPxGu #CyberSecurity #Tech #Technology #Malware
— US Cybersecurity Mag. (@USCyberMag) July 3, 2019
First-ever malware strain spotted abusing new DoH (DNS over HTTPS) protocol https://t.co/gQjH11UkXk by @campuscodi
— ZDNet (@ZDNet) July 3, 2019
First-Ever Malware Strain Spotted Abusing New DoH Protocol https://t.co/qijJAGxJ4q #news
— packet storm (@packet_storm) July 3, 2019
Crooks are always one step ahead apparently... First-ever malware strain spotted abusing new DoH (DNS over HTTPS) protocol https://t.co/mtHtbQA3uG
— Paolo Passeri (@paulsparrows) July 3, 2019
"Security researchers from Netlab, a network threat hunting unit of Chinese cyber-security giant Qihoo 360, have discovered the first ever malware strain seen abusing the DNS over HTTPS (DoH) protocol." https://t.co/nWjVuQL9jq
— ?? ?? (@0x2AE) July 3, 2019