Prior to the discovery of ChamelDoH they seemed to focus on Exchange and JBoss for access via Microsoft’s Internet Information Server. The backdoor in use at the time would register itself as an IIS filter for HTTP requests and responses. This allowed it to set a specific parameter that the module would respond to (a cookie parameter). This parameter setting has a good probability of allowing its operation to slide under the radar of detection software and hardware. It is not a 100% guarantee of remaining undetected, but it does provide some air cover and also makes sure that the backdoor only responds to the proper sources.

In the new backdoor, tunnels its DNS requests via HTTPS making the connection to the C2 servers less likely to be detected in normal DNS filters set up at the edge of a network, or setup on a particular system. Unless there is DPI or HTTPS inspection set up (which can be expensive and a pain in the ass to configure) the DNS tunneling request can bypass DNS checks on outbound traffic. It is a rather clever use of a common tool (like using loopback for lookup requests in the past). As DoH is also used for a large amount of legitimate traffic the use of DoH cannot just be blocked across an enterprise.

The backdoor itself is of the usual type. It can gather information, allow remote access, can access files and folders (including both upload and download). So, this is not a groundbreaking backdoor although the method of communication is. ChamelDoH does show us one thing though, it shows that threat actors across the board are diving deep into Linux and are actively expanding their capabilities to target and exploit this formerly ignored operating system vertical. Organizations are highly advised to treat all operating systems as open to compromise and take the proper steps to secure them. Failing to do so, or thinking that they Linux and/or macOS are somehow not open to attack is just leaving the door open for threat actors to get in.