Netlab researchers identified a new Lua-based backdoor, dubbed “Godlua,” which is the first known malware observed abusing the DNS over HTTPS (DoH) protocol. Instead of resolving names over plaintext DNS, the malware sends DoH requests to fetch a TXT record for a domain; the record tells it where the URL of the subsequent command and control (C2) server is stored, and from that location the malware learns where to connect for further instructions. The researchers believe Godlua’s main function is to launch DDoS attacks, having observed it carry out an HTTP flood attack. Two variants were found: one targeting Linux (version 201811051556) and a later one, implemented in Lua, targeting both Linux and Windows systems (versions 20190415103713 ~ 2019062117471). The later variant’s version string is still being updated, and it contains multiple built-in commands. Because DoH carries the DNS lookup inside encrypted HTTPS to a public resolver, security tools that depend on seeing plaintext DNS (port 53 monitoring, DNS sinkholes, resolver query logs) never observe the TXT lookup; the only network-visible artifact is an HTTPS connection to a DoH resolver.
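To make the DoH step concrete, the following added example (written for this page; it is not Godlua’s code and not from Netlab’s analysis) builds a wire-format DNS TXT query, wraps it in an RFC 8484 GET request, and parses a constructed DoH response to extract the TXT string. The domain stage2.example.com, the resolver name resolver.example and the TXT value are placeholders, not Godlua indicators, and the malware’s own encoding of the record and its follow-on fetch of the C2 address are not reproduced.

```python
"""Added example: the DoH TXT lookup that Godlua-style malware performs, built and
parsed offline. Not the malware's code; all names and values are placeholders."""
import base64
import struct

TXT_TYPE = 16                       # DNS RR type TXT (RFC 1035)
IN_CLASS = 1
RESOLVER_HOST = "resolver.example"  # hypothetical public DoH resolver


def encode_name(name):
    """Encode a dotted hostname as DNS labels (length-prefixed, NUL-terminated)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_txt_query(name, txid=0):
    """Wire-format DNS message asking for the TXT record of `name`.
    ID 0 keeps the message cache-friendly, as RFC 8484 suggests for GET."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    question = encode_name(name) + struct.pack("!HH", TXT_TYPE, IN_CLASS)
    return header + question


def doh_get_request(query):
    """RFC 8484 GET form: base64url-encode the DNS message and strip '=' padding.
    Everything returned here travels inside TLS; a passive sensor sees only the
    TCP/TLS handshake to RESOLVER_HOST (SNI), never the name being looked up."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return {
        "host": RESOLVER_HOST,
        "path": "/dns-query?dns=" + encoded,
        "headers": {"Accept": "application/dns-message"},
    }


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:           # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end if end is not None else off


def parse_txt_answers(msg):
    """Walk a wire-format response and return [(owner, ttl, txt)] for TXT answers."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):                # skip the echoed question section
        _name, off = read_name(msg, off)
        off += 4                            # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        owner, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype != TXT_TYPE:
            continue
        # TXT RDATA is one or more <length><bytes> character-strings; join them
        chunks, i = [], 0
        while i < len(rdata):
            slen = rdata[i]
            chunks.append(rdata[i + 1:i + 1 + slen].decode("ascii", "replace"))
            i += 1 + slen
        answers.append((owner, ttl, "".join(chunks)))
    return answers


def build_txt_response(query, txt, ttl=60):
    """Constructed sample response (what the resolver would return) so the example
    runs offline: echoes the question and answers with one TXT record whose owner
    name is a compression pointer back to the question name at offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set
    rdata = bytes([len(txt)]) + txt.encode("ascii")
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TXT_TYPE, IN_CLASS, ttl, len(rdata)) + rdata
    return header + query[12:] + answer


if __name__ == "__main__":
    q = build_txt_query("stage2.example.com")                        # placeholder domain
    req = doh_get_request(q)
    print("GET https://%s%s" % (req["host"], req["path"]))
    resp = build_txt_response(q, "https://example.com/stage2.txt")  # placeholder URL
    for owner, ttl, txt in parse_txt_answers(resp):
        print("TXT %s (ttl %d): %s" % (owner, ttl, txt))
```

The defensive point follows from `doh_get_request`: the queried name and the returned TXT string exist only inside the TLS session, so a network sensor is left with the TLS handshake to the resolver (SNI or destination IP) and nothing else. Practical detection therefore pivots to the resolver endpoint rather than the query: alert on or block connections to known public DoH endpoints from hosts that should be using the enterprise resolver, decrypt at the egress proxy where policy allows, and treat a host that stops producing port 53 traffic while still reaching the Internet as worth a look.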

  • Network Security Research Lab provides technical details and analysis here.

  • For further reporting and technical information, please see the Security Affairs article, here.