Researchers at Qihoo 360's Network Security Research Lab (Netlab) have discovered a Lua-based backdoor malware that targets both Linux and Windows users and secures its communication channels via DNS over HTTPS (DoH).
DNS over HTTPS has been gaining momentum. Last October, the Internet Engineering Task Force formally adopted DoH, published as RFC 8484, and while the protocol itself isn’t new, malware strains making use of it are. In their report, Netlab researchers describe a suspicious ELF file that was originally thought to be a cryptocurrency-mining Trojan.
While the researchers have neither confirmed nor ruled out any cryptocurrency-mining functionality, they have confirmed that the file behaves more like a DDoS bot. They observed that it works as a “Lua-based backdoor” on infected systems and noted at least one DDoS attack levied against liuxiaobei.com. So far, researchers have spotted at least two versions in the wild, both using DNS over HTTPS instead of traditional DNS requests.
Spoiler: there will be more. Lots, lots more. DoH is going to break a lot of security controls. https://t.co/Eo8QqP3Mmd
— Kevin Beaumont (@GossiTheDog) July 2, 2019
Many have expressed fears that other malware strains will now also adopt this feature, rendering a large chunk of cyber-security products that rely on passive DNS monitoring useless.
Their fear is justified; however, the cyber-security community has always found workarounds to any tricks malware employs, and it’s expected they’ll find one to deal with any strains that use DoH, as well.
More info on the DoH protocol can be found in the Internet Engineering Task Force’s (IETF) document RFC 8484.
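As an added illustration, not taken from the Netlab report or from any vendor product, of why DoH does not have to leave defenders blind: where DoH passes through an inspecting proxy, an RFC 8484 GET request carries the DNS message base64url-encoded in its dns= parameter (so the queried name can be recovered), and a POST request is identifiable by its application/dns-message content type. The log format, the resolver host dnsserver.example.net and the function names are assumptions; the dns= value is the RFC's own example query for www.example.com.

```python
import base64
from urllib.parse import parse_qs, urlsplit

# Constructed sample proxy log (hypothetical format: client, method, URL, content type).
# The dns= value is the RFC 8484 section 4.1.1 example query for www.example.com.
SAMPLE_LOG = [
    "10.0.0.5 GET https://dnsserver.example.net/dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB application/dns-message",
    "10.0.0.5 POST https://dnsserver.example.net/dns-query application/dns-message",
    "10.0.0.7 GET https://www.example.org/index.html text/html",
]

def b64url_decode(s):
    # RFC 8484 uses base64url without padding; restore the padding before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def qname_from_wire(msg):
    """Return the first question name from a DNS wire-format message (RFC 1035)."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    if int.from_bytes(msg[4:6], "big") == 0:   # QDCOUNT
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            raise ValueError("truncated name")
        length = msg[pos]
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        pos += 1
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)

def classify(line):
    """Flag DoH traffic in one log line; returns (client, verdict, queried name or None)."""
    client, method, url, ctype = line.split()
    dns_param = parse_qs(urlsplit(url).query).get("dns")
    if dns_param:
        return client, "doh-get", qname_from_wire(b64url_decode(dns_param[0]))
    if ctype == "application/dns-message":
        return client, "doh-" + method.lower(), None   # body not logged, name unknown
    return client, "other", None

def scan(lines):
    return [classify(line) for line in lines]
```

The POST case shows the limit of log-based recovery: without the request body only the fact of DoH use is visible, which is still enough to alert on clients that should not be talking to a DoH resolver at all.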
Both Google and Mozilla have come out in support of the DoH protocol; Mozilla is currently testing DoH, and Google is now offering DoH as part of its public DNS service. Popular content delivery networks such as Cloudflare also offer DNS resolution over HTTPS.