
Chinese Hackers Employed DNS-over-HTTPS for Linux Malware Communication

ChamelGang, a sophisticated threat actor believed to be based in China, has been using a range of tools for intrusions, as identified by the security researchers at Stairwell Threat Research in their recent investigation.

In addition, the Stairwell Threat Research team found new tools, developed by the group, for intrusions into Linux systems.

ChamelDoH is the clearest example: an implant written mainly in C++ that communicates through DNS-over-HTTPS (DoH) tunneling.

Chinese Hackers' Targets

The countries listed below have experienced instances of ChamelGang targeting their energy, aviation, and government organizations in the past:-

  • Russia
  • The United States
  • Japan
  • Turkey
  • Taiwan
  • Vietnam
  • India
  • Afghanistan
  • Lithuania
  • Nepal

DNS-over-HTTPS for Linux Malware

Positive Technologies established the link between ChamelGang and the newly discovered Linux malware by identifying a domain and a tool previously encountered in ChamelGang campaigns.

The sample (34c19cedffe0ee86515331f93b130ede89f1773c3d3a2d0e9c7f7db8f6d9a0a7) is a large C++ binary designed primarily for remote access to the system.

The sample utilizes DoH tunneling to establish a communication channel with the configured command-and-control (C2) infrastructure.

To encode its communication, the sample employs a modified base64 alphabet, transforming it into subdomains that are directed to a nameserver under the control of the malicious actor.

When the implant is executed, it immediately makes several system calls to collect reconnaissance data and compiles the results into a JSON object.

Here below, we have mentioned all the details that are gathered by ChamelDoH when it’s executed:-

  • host_name: System hostname
  • ip: Any IP address for an interface that is not 127.0.0.1
  • system_type: sysname parsed from the system’s utsname struct, i.e. Linux
  • system_version: version parsed from the system’s utsname struct, i.e. #43-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 18 18:21:28 UTC 2023
  • whoami: The user context that ChamelDoH is running under
  • process_pid: The process ID of the ChamelDoH process
  • bits: The bitness of the system, i.e. x86_64
  • pwd: The working directory of the ChamelDoH process
  • id: A pseudo-randomly generated integer generated by ChamelDoH that is used as an implant ID

ChamelDoH distinguishes itself through its original approach to command-and-control (C2) techniques.

Besides the reconnaissance fields, two keys in the JSON object define the implant’s command-and-control (C2) configuration.

The sample contains the following configuration:-

With the help of the configuration, the implant establishes communication with malicious nameservers using DoH requests. 

It encodes its command-and-control (C2) communications as subdomains and initiates TXT requests for the encoded C2 communications within the domain it generates.

Blocking these DoH providers across the entire enterprise is difficult due to their widespread use as DNS servers for legitimate traffic.

Inspecting these requests without intercepting the traffic becomes challenging due to HTTPS, making it difficult for defenders to identify which domain requests are being made via DoH.

This poses a challenge in detecting or obstructing abnormal network traffic, such as the encoded communications utilized by ChamelDoH.
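The page notes that the implant's C2 traffic shows up as TXT queries whose subdomains are long encoded payloads, and that such traffic is hard to spot unless the DoH requests are intercepted. As an added illustration (not Stairwell's or ChamelGang's code), the following heuristic scans query records of the kind a defender could obtain from a TLS-inspecting proxy's DoH logs and flags clients that repeatedly issue TXT lookups with long, high-entropy labels under one zone. The log format, the zone `c2-placeholder.example`, the thresholds and the sample records are all constructed assumptions; the real ChamelDoH alphabet is not given on the page, so nothing here decodes the payload.

```python
"""Heuristic detector for tunnelling-style TXT queries (added example)."""
import math
import re
from collections import Counter, defaultdict

# Constructed sample records (not real telemetry): "<ts> <client> <qtype> <qname>".
# The three long labels under c2-placeholder.example imitate encoded payloads.
SAMPLE_LOG = """\
1686700001 10.0.0.5 A www.example.com
1686700002 10.0.0.5 TXT _dmarc.example.com
1686700003 10.0.0.7 TXT q3lm5hxgzo6drxjwyl3b7kbuz2nvq3zsq4lzjqfd.c2-placeholder.example
1686700004 10.0.0.7 TXT hwgzdi5l7bqvoxy3qnxkjtnz5hqxmfn2pmcfya2d.c2-placeholder.example
1686700005 10.0.0.7 TXT tvhvkuy6jbnwe5edb3lqjnqr2ag7n4oxj6aeiuzs.c2-placeholder.example
1686700006 10.0.0.9 TXT google._domainkey.example.com
"""

LABEL_CHARS = re.compile(r"[A-Za-z0-9_-]+")  # DNS-safe alphabet an encoder would use


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded/encrypted payloads sit well above English words."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def suspicious_label(label: str, min_len: int = 30, min_entropy: float = 3.5) -> bool:
    """A label is suspicious if it is long, high-entropy and base64-like (assumed thresholds)."""
    return (len(label) >= min_len
            and LABEL_CHARS.fullmatch(label) is not None
            and shannon_entropy(label) >= min_entropy)


def scan(log_text: str, min_hits: int = 2) -> dict:
    """Return {(client, zone): [qnames]} for clients with >= min_hits suspicious TXT queries."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "TXT":
            continue  # only TXT lookups carry the encoded C2 exchange described above
        _ts, client, _qtype, qname = parts
        labels = qname.rstrip(".").split(".")
        zone = ".".join(labels[-2:])  # registrable zone (assumed: last two labels)
        if any(suspicious_label(lbl) for lbl in labels[:-2]):
            hits[(client, zone)].append(qname)
    return {key: names for key, names in hits.items() if len(names) >= min_hits}


if __name__ == "__main__":
    for (client, zone), names in scan(SAMPLE_LOG).items():
        print(f"{client} -> {zone}: {len(names)} suspicious TXT queries")
```

Legitimate TXT lookups such as `_dmarc` and DKIM selectors are short and fall below the length threshold, which keeps the obvious false positives out; tune the thresholds against your own baseline before alerting on them.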


The effect of this strategy resembles C2 communication through domain fronting, where traffic is initially directed to a legitimate service hosted on a content delivery network (CDN) but is then rerouted to a C2 server based on the request’s Host header.

This makes detecting and preventing the technique a challenging task.

To maintain confidentiality, ChamelDoH uses AES128 encryption to secure its communication. The encrypted data is then transformed into base64 format, allowing it to be inserted as a subdomain.

Capabilities

The implant can perform several types of tasks, and here below, we have mentioned them all along with their commands:-

  • run: Execute a file/shell command
  • sleep: Set number of seconds until next check-in
  • wget: Download a file from a URL
  • upload: Read and upload a file
  • download: Download and write a file
  • rm: Delete a file
  • cp: Copy a file to a new location
  • cd: Change the working directory

Moreover, the Stairwell Threat Research team is continuing its analysis of ChamelDoH and the other previously unidentified tools used by ChamelGang.


Source: https://cybersecuritynews.com/hackers-employed-dns-over-https/
