First-ever malware strain spotted abusing new DoH (DNS over HTTPS) protocol
A new report by Netlab describes the first-ever malware campaign to take advantage of the DNS over HTTPS (DoH) protocol. The campaign revolves around Godlua, a sophisticated malware strain that targets outdated Linux servers. Godlua is a backdoor, but it also functions as a distributed denial-of-service (DDoS) bot.
After infecting a system, the malware sends DoH requests to obtain the TXT records of a domain; those records contain the address of a command and control (C&C) server, to which Godlua then connects so that the threat actors can send it instructions. While this indirect approach of locating a C&C server isn’t new, previous campaigns used regular (unencrypted) DNS requests, whereas encrypted DoH queries travel inside ordinary HTTPS traffic and can therefore bypass DNS monitoring solutions that only watch port-53 traffic.
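Because DoH lookups leave HTTP-level traces rather than port-53 DNS traffic, one place defenders can still see them is forward-proxy logs. The following Python is an added illustration, not code from the Netlab report or from Godlua: it flags DoH indicators (well-known public resolver hosts, the standard `/dns-query` and `/resolve` endpoints, the DoH media types, and TXT-type lookups) in constructed proxy log lines. The log format, the field names and the choice of resolvers are assumptions, and it assumes the proxy terminates TLS so that the request path and Accept header are visible.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample proxy log lines (not from the report):
# client  method  host  path  accept-header
SAMPLE_LOG = """\
10.0.0.5 GET cloudflare-dns.com /dns-query?name=example.test&type=TXT application/dns-json
10.0.0.5 GET dns.google /resolve?name=example.test&type=TXT application/dns-json
10.0.0.7 GET www.example.test /index.html text/html
10.0.0.9 POST dns.quad9.net /dns-query application/dns-message
10.0.0.7 GET static.example.test /dns-query-help.html text/html
"""

# Assumed watch-list of public DoH resolvers; extend with whatever your estate allows.
KNOWN_DOH_HOSTS = {"cloudflare-dns.com", "dns.google", "dns.quad9.net"}
# Media types used by the DoH JSON API and by RFC 8484 wire-format DoH.
DOH_MEDIA_TYPES = {"application/dns-json", "application/dns-message"}
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def classify(line):
    """Return the list of DoH indicators found in one log line (empty if none)."""
    m = LINE_RE.match(line)
    if not m:
        return []
    _client, _method, host, path, accept = m.groups()
    parts = urlsplit(path)
    hits = []
    if host in KNOWN_DOH_HOSTS:
        hits.append("known-doh-resolver")
    # Exact path match: "/dns-query-help.html" must not trigger.
    if parts.path in ("/dns-query", "/resolve"):
        hits.append("doh-endpoint-path")
    if accept in DOH_MEDIA_TYPES:
        hits.append("doh-media-type")
    # The DoH JSON API carries the record type as a query parameter.
    if parse_qs(parts.query).get("type", [""])[0].upper() == "TXT":
        hits.append("txt-lookup")
    return hits


def scan(log_text):
    """Return {client: [(host, indicators), ...]} for lines with two or more indicators."""
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        hits = classify(line)
        if m and len(hits) >= 2:
            findings.setdefault(m.group(1), []).append((m.group(3), hits))
    return findings
```

Where TLS is not terminated, only the host indicator survives, so a resolver watch-list (or blocking DoH to unsanctioned resolvers from servers) is the practical fallback.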