Friday, 16 June 2023 13:15

DNS over HTTPS Tunneling Found in New Linux Backdoor from ChamelGang

Written by

Reading time is around minutes.

There is a new threat in town from the ChamelGang. This new threat is a Linux backdoor that just been identified and shows that the threat group is expanding their capabilities. Identified by Stairwell and dubber ChamelDoH (for DNS over HTTPS), this new malware is written in C++, which is not all that unusual even if the method of communication is not completely normal. ChamelGang was first identified in 2021 and was associated with attacks on energy, fuel, and aviation industries in multiple countries including the US, Russia, Nepal, Japan, Taiwan, and India.

Prior to the discovery of ChamelDoH they seemed to focus on Exchange and JBoss for access via Microsoft’s Internet Information Server. The backdoor in use at the time would register itself as an IIS filter for HTTP requests and responses. This allowed it to set a specific parameter that the module would respond to (a cookie parameter). This parameter setting has a good probability of allowing its operation to slide under the radar of detection software and hardware. It is not a 100% guarantee of remaining undetected, but it does provide some air cover and also makes sure that the backdoor only responds to the proper sources.

In the new backdoor, tunnels its DNS requests via HTTPS making the connection to the C2 servers less likely to be detected in normal DNS filters set up at the edge of a network, or setup on a particular system. Unless there is DPI or HTTPS inspection set up (which can be expensive and a pain in the ass to configure) the DNS tunneling request can bypass DNS checks on outbound traffic. It is a rather clever use of a common tool (like using loopback for lookup requests in the past). As DoH is also used for a large amount of legitimate traffic the use of DoH cannot just be blocked across an enterprise.

The backdoor itself is of the usual type. It can gather information, allow remote access, can access files and folders (including both upload and download). So, this is not a groundbreaking backdoor although the method of communication is. ChamelDoH does show us one thing though, it shows that threat actors across the board are diving deep into Linux and are actively expanding their capabilities to target and exploit this formerly ignored operating system vertical. Organizations are highly advised to treat all operating systems as open to compromise and take the proper steps to secure them. Failing to do so, or thinking that they Linux and/or macOS are somehow not open to attack is just leaving the door open for threat actors to get in.


Read 786 times

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.