Godlua

By CagedTech in Backdoors

Godlua is a backdoor that gives attackers remote access to a targeted system, network or server. It is the first malware observed using DNS over HTTPS (DoH) to communicate with its C2 servers. The researchers who discovered it named it Godlua because the Lua byte-code file it loads carries the "magic number" "god". Godlua targets both Linux and Windows systems and has been detected in two flavors, one for each platform. Its style of attack is characteristic of a Distributed Denial of Service (DDoS) bot.

Godlua is notable for having several ways to reach its C2 servers: hardcoded DNS names, DNS TXT records, and addresses stored on Pastebin.com and GitHub.com. It downloads Lua files over HTTPS, then uses DoH to resolve the correct C2 name and establish communication.

Currently, two versions of Godlua have been detected:

  • Version 201811051556, which can be found on the Godlua download servers. It targets Linux machines, is written in C, and supports the following commands:
    - cmd_call
    - cmd_shell
  • Version 20190415103713 ~ 20190621174731, which is currently active in the wild and is updated from time to time. It is also written in C but adds a Lua control implementation. This version can attack both Linux and Windows machines and supports the following commands:
    - lua
    - shell
    - shell2
    - proxy
    - upgrade

Sample 1 (version 201811051556):
MD5: 870319967dba4bd02c7a7f8be8ece94f
ELF 32-bit LSB executable
C2 Communication: Hardcoded Domain, GitHub Link
C2 Domain: d.heheda.tk
GitHub Link: https://api.github.com/repos/helegedada/heihei
C2 Commands: cmd_call, cmd_shell
C2 Packet Format:
- Length: Little endian (2 bytes)
- Type: 1 byte
- Data: (Length - 3) bytes

Sample 2 (version 20190415103713):
MD5: c9b712f6c347edde22836fb43b927633
ELF 64-bit LSB executable

Sample 3 (version 20190621174731):
MD5: 75902cf93397d2e2d1797cd115f8347a
ELF 64-bit LSB executable

Sample 4 (version 20190415103713 ~ 20190621174731):
C2 Communication: Hardcoded Domain, GitHub Link, Pastebin Link, DNS TXT
C2 Domain: d.heheda.tk
GitHub Link: https://api.github.com/repos/helegedada/heihei
Pastebin Link: https://pastebin.com/raw/vSDzq3Md
C2 Commands: handshake, heartbeat, lua, shell, upgrade, quit, shell2, proxy
C2 Packet Format:
- Length: Big endian (2 bytes)
- Type: 1 byte
- Data: Length bytes
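The two packet formats above differ in both byte order and what the Length field counts. The following decoder is an added example, not code from the original report or from the malware; it frames a captured C2 byte stream for either generation so an analyst can split it into (Type, Data) records before decryption. The version strings serve only as labels for the framing rules, and the sample frames in the test are constructed.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Framing rules taken from the two sample descriptions on the page.
# endian:         byte order of the 2-byte Length field ("<" little, ">" big)
# header_counted: True when Length spans the whole frame (Data = Length - 3),
#                 False when Length counts only the Data bytes after Type.
FRAMINGS: Dict[str, Tuple[str, bool]] = {
    "201811051556": ("<", True),     # Sample 1: little endian, Data = Length - 3
    "20190415103713": (">", False),  # Sample 4: big endian, Data = Length bytes
}


@dataclass
class C2Packet:
    ptype: int
    data: bytes


def build_frame(version: str, ptype: int, data: bytes) -> bytes:
    """Constructed test helper: encode one frame the way the given version would."""
    endian, header_counted = FRAMINGS[version]
    length = len(data) + 3 if header_counted else len(data)
    if length > 0xFFFF:
        raise ValueError("payload too large for a 2-byte Length field")
    return struct.pack(endian + "H", length) + bytes([ptype]) + data


def parse_stream(version: str, buf: bytes) -> Tuple[List[C2Packet], bytes]:
    """Split a byte stream into frames; returns (packets, unconsumed tail).

    A truncated final frame is left in the tail so the caller can append more
    bytes and call again, as a TCP reassembly pipeline would.
    """
    endian, header_counted = FRAMINGS[version]
    packets: List[C2Packet] = []
    pos = 0
    while len(buf) - pos >= 3:
        (length,) = struct.unpack_from(endian + "H", buf, pos)
        if header_counted and length < 3:
            # Length must cover at least its own 2 bytes plus the Type byte.
            raise ValueError(f"bad frame: Length {length} < 3 at offset {pos}")
        frame_len = length if header_counted else length + 3
        if len(buf) - pos < frame_len:
            break  # incomplete frame, wait for more data
        packets.append(C2Packet(buf[pos + 2], buf[pos + 3:pos + frame_len]))
        pos += frame_len
    return packets, buf[pos:]
```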

Encryption algorithm: AES, CBC mode
key: 13 21 02 00 31 21 94 E2 F2 F1 35 61 93 4C 4D 6A
iv: 2B 7E 15 16 28 AE D2 01 AB F7 15 02 00 CF 4F 3C

IoC list:
870319967dba4bd02c7a7f8be8ece94f
c9b712f6c347edde22836fb43b927633
75902cf93397d2e2d1797cd115f8347a

IPs:
198.204.231.250 United States ASN 33387 DataShack, LC
104.238.151.101 Japan ASN 20473 Choopa, LLC
43.224.225.220 Hong Kong ASN 22769 DDOSING NETWORK
