Chinese Hackers Employed DNS-over-HTTPS for Linux Malware Communication


ChamelGang, a sophisticated threat actor believed to be based in China, has been using a range of tools for its intrusions, as identified by the security researchers at Stairwell Threat Research in their recent investigation.

In addition, the Stairwell Threat Research team found new tools for Linux intrusions developed by the group.

ChamelDoH is a prime example: an implant written mainly in C++ that communicates through DNS-over-HTTPS (DoH) tunneling.

Chinese Hackers’ Targets

ChamelGang has previously targeted energy, aviation, and government organizations in the following countries:-

Russia

The United States

Japan

Turkey

Taiwan

Vietnam

India

Afghanistan

Lithuania

Nepal

DNS-over-HTTPS for Linux Malware

By identifying a domain and tool previously encountered in ChamelGang campaigns, Positive Technologies established the association between ChamelGang and the recently discovered Linux malware.

The sample (34c19cedffe0ee86515331f93b130ede89f1773c3d3a2d0e9c7f7db8f6d9a0a7) is a large C++ binary designed primarily for remote access to the system.

The sample utilizes DoH tunneling to establish a communication channel with the configured command-and-control (C2) infrastructure.

To encode its communication, the sample uses a modified base64 alphabet, turning the encoded data into subdomains of a domain whose nameserver is controlled by the threat actor.

When the implant is executed, it immediately makes several system calls to collect reconnaissance data and compiles it into a JSON object.

Here below, we have listed all the details gathered by ChamelDoH when it’s executed:-

host_name: System hostname

ip: Any IP address for an interface that is not 127.0.0.1

system_type: sysname parsed from the system’s utsname struct, e.g. Linux

system_version: version parsed from the system’s utsname struct, e.g. #43-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 18 18:21:28 UTC 2023

whoami: The user context that ChamelDoH is running under

process_pid: The process ID of the ChamelDoH process

bits: The bitness of the system, e.g. x86_64

pwd: The working directory of the ChamelDoH process

id: A pseudo-randomly generated integer that ChamelDoH uses as an implant ID

ChamelDoH distinguishes itself through its original approach to command-and-control (C2) techniques.

Besides this, two keys in the JSON object define the implant’s command-and-control (C2) configuration.

Here the sample contains the following configuration:-

With the help of the configuration, the implant establishes communication with malicious nameservers using DoH requests. 

It encodes its command-and-control (C2) communications as subdomains and initiates TXT requests for the encoded C2 communications within the domain it generates.

Blocking these DoH providers across the entire enterprise is difficult due to their widespread use as DNS servers for legitimate traffic.

Inspecting these requests without intercepting the traffic becomes challenging due to HTTPS, making it difficult for defenders to identify which domain requests are being made via DoH.

This poses a challenge in detecting or obstructing abnormal network traffic, such as the encoded communications utilized by ChamelDoH.

The consequence of this strategy resembles C2 communication through domain fronting, where traffic is initially directed to a legitimate service hosted on a content delivery network (CDN). 

However, the request’s Host header then routes it on to a C2 server. This makes detecting and preventing the technique challenging.

To maintain confidentiality, ChamelDoH uses AES128 encryption to secure its communication. The encrypted data is then transformed into base64 format, allowing it to be inserted as a subdomain.
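As an added example (not from the Stairwell report or this article), the kind of heuristic a defender can run over resolver or DoH-gateway TXT-query logs to surface the long, high-entropy subdomain labels that encoded C2 of this sort leaves behind. The log format, domain names and labels below are constructed for illustration and are not ChamelDoH’s real alphabet or traffic.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver-style log of TXT queries (format is hypothetical:
# "<timestamp> <client-ip> TXT <qname>"). The last two lines mimic what a
# base64-encoded payload riding in subdomain labels looks like; the labels
# are made up here and carry no real data.
SAMPLE_LOG = """\
2023-06-15T10:00:01Z 10.0.0.5 TXT _dmarc.example.com
2023-06-15T10:00:02Z 10.0.0.5 TXT mail.example.com
2023-06-15T10:00:03Z 10.0.0.9 TXT q7Fj2kLm9xPz3RtWv8Yb1Nc4Hd6Gs0Ka5Je7Ui9Op2Ql.c2-example.test
2023-06-15T10:00:04Z 10.0.0.9 TXT Zt3Bv6Nx9Mq2Wc5Er8Ty1Ui4Op7As0Df3Gh6Jk9Lz2Xc.c2-example.test
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; 4.0+ is typical of base64-style payloads."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def payload_labels(qname: str, zone_labels: int = 2) -> str:
    """Everything left of the registrable domain (assumed to be the last
    `zone_labels` labels, e.g. 'c2-example.test'), joined without dots."""
    labels = qname.rstrip(".").split(".")
    return "".join(labels[:-zone_labels])

def is_tunnel_like(qname: str, min_len: int = 30, min_entropy: float = 4.0) -> bool:
    """A TXT query whose subdomain part is both long and high-entropy is the
    trace that subdomain-encoded C2 leaves in DNS logs."""
    payload = payload_labels(qname)
    return len(payload) >= min_len and shannon_entropy(payload) >= min_entropy

def flag_clients(log_text: str, min_hits: int = 2) -> dict:
    """Count tunnel-like TXT queries per client and return those at or over
    the threshold, so a single odd lookup does not page anyone."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "TXT":
            continue
        if is_tunnel_like(parts[3]):
            hits[parts[1]] += 1
    return {client: n for client, n in hits.items() if n >= min_hits}

if __name__ == "__main__":
    print(flag_clients(SAMPLE_LOG))  # {'10.0.0.9': 2}
```

Because the queries travel inside HTTPS to a public DoH provider, this only works where the resolver or a TLS-inspecting gateway logs the resolved names; the thresholds need tuning against the organisation’s own baseline of legitimate TXT lookups.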

Capabilities

The implant can perform several types of tasks; here below, we list them all along with their commands:-

run: Execute a file/shell command

sleep: Set number of seconds until next check-in

wget: Download a file from a URL

upload: Read and upload a file

download: Download and write a file

rm: Delete a file

cp: Copy a file to a new location

cd: Change the working directory

Moreover, ongoing analysis is being conducted by the Stairwell Threat Research team to examine ChamelDoH and other tools utilized by ChamelGang, which were previously unidentified.


The post Chinese Hackers Employed DNS-over-HTTPS for Linux Malware Communication appeared first on Cyber Security News.
