Godlua Malware Abuses DNS Over HTTPS

Researchers at Netlab identified a new backdoor malware, dubbed “Godlua,” which is the first to exploit the DNS over HTTPS (DoH) protocol. The malware issues DoH requests to obtain a DNS TXT record; that record identifies where the URL of the subsequent command and control (C2) server is stored and, therefore, where the malware is supposed to connect for further instructions. Two versions of the malware were found: one targets Linux, and the other targets both Linux and Windows systems. DoH benefits threat actors because these requests are encrypted and, therefore, invisible to security tools that rely on passive DNS monitoring to block known bad domains. The NJCCIC recommends that users and administrators review the Netlab research and use the indicators of compromise (IoCs) it provides to harden their networks.
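Passive DNS monitoring never sees the TXT lookup described above, because it travels inside TLS; a TLS-inspecting proxy or endpoint sensor regains that visibility only by decoding the RFC 8484 `application/dns-message` bodies. The decoder below is an added example (not code from the Netlab report or the Godlua sample) that recovers the queried name and TXT strings from such a body; the domain, URL and transaction id in the sample response are constructed placeholders.

```python
import struct
TXT = 16  # DNS record type for TXT

def encode_name(name: str) -> bytes:
    """Dotted name -> uncompressed DNS label sequence."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"

def read_name(msg: bytes, off: int) -> tuple:
    """Read a possibly compressed name (RFC 1035 4.1.4); return (name, next offset)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                     # compression pointer
            end = off + 2 if end is None else end     # resume after first pointer
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels), (off if end is None else end)

def extract_txt(msg: bytes) -> dict:
    """Return the queried name and every TXT string in a DoH response body."""
    _, _, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off, qname, txts = 12, None, []
    for _ in range(qd):
        qname, off = read_name(msg, off)
        off += 4                                      # skip QTYPE + QCLASS
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata, off, i = msg[off:off + rdlen], off + rdlen, 0
        while rtype == TXT and i < rdlen:             # TXT rdata = <len><chars>...
            txts.append(rdata[i + 1:i + 1 + rdata[i]].decode())
            i += 1 + rdata[i]
    return {"qname": qname, "txt": txts}

def sample_response() -> bytes:
    """Constructed DoH response body: one TXT answer carrying a placeholder URL."""
    name, txt = "lookup.example.invalid", b"https://stage2.example.invalid/path"
    header = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set
    question = encode_name(name) + struct.pack(">HH", TXT, 1)   # class IN
    rdata = bytes([len(txt)]) + txt
    answer = b"\xc0\x0c" + struct.pack(">HHIH", TXT, 1, 60, len(rdata)) + rdata
    return header + question + answer
```

Feeding `extract_txt` the decoded HTTP body of a DoH exchange yields the same name and record content a passive DNS sensor would log for a plaintext query, so existing bad-domain lists can be matched against it.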

Category: Alert. Source: NJCCIC. Tags: DNS, HTTPS, malware.