A cybercriminal group known as ChamelGang has been seen using a previously undocumented implant to compromise Linux systems, marking a new expansion of the group’s capabilities.
The malware, dubbed ChamelDoH by Stairwell, is a C++-based tool that communicates over DNS-over-HTTPS (DoH) tunneling.
ChamelGang was first documented by the Russian cybersecurity firm Positive Technologies in September 2021, which detailed its attacks on the fuel, energy and aviation manufacturing industries in Russia, the United States, India, Nepal, Taiwan and Japan.
That series of attacks exploited vulnerabilities in Microsoft Exchange servers and Red Hat JBoss Enterprise Application Platform to gain initial access and carry out data theft using a passive backdoor called DoorMe.
“This is a native IIS module that registers as a filter through which HTTP requests and responses are processed,” Positive Technologies said at the time. “Its principle of operation is unusual: the backdoor processes only those requests in which the correct cookie parameter is set.”
The Linux backdoor discovered by Stairwell, for its part, is designed to collect system information and supports remote access operations such as file upload, download and deletion and the execution of shell commands.
What makes ChamelDoH unique
What makes ChamelDoH unique is its communication method: it uses DoH, which performs Domain Name System (DNS) resolution over the HTTPS protocol, to send DNS TXT requests to a rogue name server.
“Due to the fact that these DoH providers are commonly used as DNS servers [i.e., Cloudflare and Google] for legitimate traffic, they cannot be easily blocked enterprise-wide,” said Stairwell researcher Daniel Mayer.
Using DoH for command and control (C2) also benefits the attackers in another way: because the requests travel over HTTPS, they cannot be intercepted by an adversary-in-the-middle (AitM) attack.
This also means that security solutions cannot identify and block the malicious DoH requests in order to disrupt the communications, which turns DoH into an encrypted channel between a compromised host and the C2 server.
“The result of this tactic [ChamelDoH] is similar to C2 via domain fronting, where traffic is sent to a legitimate service hosted on a CDN, but redirected to a C2 server via the request’s Host header – both detection and prevention are difficult,” Mayer explained.
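The article’s point is that the resolvers themselves cannot be blocked wholesale, so a defender’s remaining lever is what can be seen of the DoH traffic. The following added example (written for this page, not Stairwell’s code and not part of ChamelDoH) assumes a web proxy or endpoint agent that logs the full request URL after TLS termination; it decodes RFC 8484 GET-style queries (`?dns=<base64url wire message>`) as well as the JSON-style `?name=&type=` form, and flags any TXT question sent to the Cloudflare or Google DoH endpoints, grouped by source host. The log lines, the hypothetical `c2-placeholder.example.net` and `beacon.example.org` names, and the log format are all constructed for the illustration.

```python
"""Flag DNS TXT questions tunnelled through public DoH resolvers.

Added illustration: the log lines and names below are constructed, and the
log format (timestamp, source IP, method, full URL) is an assumption.
"""
import base64
import re
import struct
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Public DoH resolvers named in the article and their well-known endpoint paths.
DOH_ENDPOINTS = {
    "dns.google": ("/dns-query", "/resolve"),
    "cloudflare-dns.com": ("/dns-query",),
    "1.1.1.1": ("/dns-query",),
}
QTYPE_TXT = 16
QTYPE_NAMES = {"A": 1, "NS": 2, "CNAME": 5, "MX": 15, "TXT": 16, "AAAA": 28}

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+)$")


def build_wire_query(name: str, qtype: int) -> bytes:
    """Build a minimal RFC 1035 query; used here only to construct sample log data."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # id=0 (RFC 8484), RD set
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_wire_query(msg: bytes):
    """Return (qname, qtype) from the first question of a DNS wire-format message, or None."""
    if len(msg) < 12 or struct.unpack("!H", msg[4:6])[0] < 1:
        return None
    pos, labels = 12, []
    while True:
        if pos >= len(msg):
            return None
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers do not occur in a question name
            return None
        labels.append(msg[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(msg):
        return None
    return ".".join(labels), struct.unpack("!H", msg[pos:pos + 2])[0]


def b64url_decode(text: str) -> bytes:
    """base64url without padding, as RFC 8484 requires in the ?dns= parameter."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def classify_request(url: str):
    """Return (qname, qtype) if url is a DoH query to a listed resolver, else None."""
    parts = urlsplit(url)
    paths = DOH_ENDPOINTS.get(parts.hostname or "")
    if not paths or parts.path not in paths:
        return None
    qs = parse_qs(parts.query)
    if "dns" in qs:  # RFC 8484 GET form carrying a wire-format message
        try:
            return parse_wire_query(b64url_decode(qs["dns"][0]))
        except ValueError:
            return None
    if "name" in qs:  # JSON API form (e.g. dns.google/resolve?name=...&type=TXT)
        type_str = qs.get("type", ["A"])[0].upper()
        qtype = int(type_str) if type_str.isdigit() else QTYPE_NAMES.get(type_str, 0)
        return qs["name"][0].rstrip("."), qtype
    return None


def find_txt_over_doh(lines):
    """Return {source_ip: [qname, ...]} for every TXT question sent to a listed DoH resolver."""
    hits = defaultdict(list)
    for line in lines:
        match = LOG_RE.match(line.strip())
        if not match:
            continue
        question = classify_request(match["url"])
        if question and question[1] == QTYPE_TXT:
            hits[match["src"]].append(question[0])
    return dict(hits)


def _wire(name: str, qtype: int) -> str:
    return base64.urlsafe_b64encode(build_wire_query(name, qtype)).rstrip(b"=").decode()


# Constructed sample proxy log: two TXT lookups via DoH, two ordinary A lookups, one plain web request.
SAMPLE_LOG = [
    "2022-12-14T10:00:01Z 10.0.0.5 GET https://dns.google/dns-query?dns=" + _wire("www.example.com", 1),
    "2022-12-14T10:00:02Z 10.0.0.5 GET https://dns.google/dns-query?dns=" + _wire("c2-placeholder.example.net", 16),
    "2022-12-14T10:00:03Z 10.0.0.7 GET https://dns.google/resolve?name=beacon.example.org&type=TXT",
    "2022-12-14T10:00:04Z 10.0.0.9 GET https://cloudflare-dns.com/dns-query?name=www.example.com&type=A",
    "2022-12-14T10:00:05Z 10.0.0.9 GET https://www.example.com/index.html",
]

if __name__ == "__main__":
    for src, names in find_txt_over_doh(SAMPLE_LOG).items():
        print(f"{src}: TXT over DoH for {', '.join(names)}")
```

A single TXT lookup through a public resolver is not by itself malicious, so in practice the per-host counts from `find_txt_over_doh` would feed a threshold or a rarity check on the queried domain rather than an immediate block. The decoder only covers the GET form because a URL log cannot show the body of a POST `application/dns-message` request; for that, or for traffic that is not TLS-terminated at all, the visibility has to come from the endpoint instead.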
The California-based cybersecurity firm said it has detected a total of 10 ChamelDoH samples on VirusTotal, one of which was uploaded on December 14, 2022.
The latest findings show that the “group has also spent a lot of time and effort researching and developing an equally robust toolset for Linux intrusions,” Mayer said.
ChamelDoH and Linux Security: Should You Worry?
Fortunately, no.
As always, most issues can be mitigated through healthy computer and browsing habits.
As Linux grows in popularity, so does the number of “strange” links offering all sorts of junk for download.
It is therefore important to keep good browsing habits, to be careful about what you download and what you run, and to update the operating system when necessary.
#ChamelDOH #Linux #DNSOVERHTTP #backdoor