“Life in the SOC” is a Blog Series that shares experiences of the BlueVoyant SOC defending against the current and prevalent attacks encountered by our clients. The blogs discuss successful detection, response and mitigation actions that can improve your defensive capabilities.
DNS is critical to the operational infrastructure of the internet: it is the protocol that stores the records translating easier-to-remember domain names into harder-to-remember IP addresses. The security community is concerned when threat campaigns like Godlua abuse a level of trust that every system depends on for basic networking, and that concern goes beyond the familiar problem of threat actors abusing DNS to reroute activity to attacker-controlled infrastructure.
Godlua is malware that acts like a backdoor and is used in DDoS attacks. It exploits the DNS over HTTPS (DoH) protocol: it issues DoH requests to retrieve a domain's TXT record, which tells it where the URL of the subsequent command and control (C2) server is stored and therefore where the malware should connect for further instructions. DoH carries DNS requests over an encrypted HTTPS connection rather than the classic cleartext UDP connection, so by exploiting it Godlua secures the communication between the botnet, the web servers and the C2 against inspection. (Source: Netlab - An Analysis of Godlua Backdoor, July 1, 2019)
Traditional DNS data is a core component of how many security sensors capture information, how network systems act on fielded data according to their security configurations, and how analysts organize the data used in security investigations. Security analysts fear that other malware strains will follow Godlua in exploiting DNS over HTTPS, which will render cyber-security products that rely on passive DNS monitoring useless.
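One defensive response to the visibility gap described above, written as an added example for this post rather than code from BlueVoyant or Netlab: it scans constructed proxy log lines for HTTPS requests that look like DoH (a known public resolver, a DoH media type, or a TXT lookup in the query string, the step Godlua performs first) and reports clients that bypass the hypothetical approved enterprise resolver `doh.corp.test`.

```python
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Watch list of public DoH resolvers (constructed for this example; seed it from your own policy)
DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}
# Media types seen in DoH traffic: the RFC 8484 wire format and the JSON API some public resolvers offer
DOH_MEDIA_TYPES = {"application/dns-message", "application/dns-json"}
# DoH resolver the enterprise itself runs (hypothetical); traffic to it is expected, not flagged
APPROVED_DOH_HOSTS = {"doh.corp.test"}

# Constructed proxy log lines: time client host path media_type
SAMPLE_LOG = """\
2019-07-02T10:01:12Z 10.0.0.15 dns.google /resolve?name=example.test&type=TXT application/dns-json
2019-07-02T10:01:13Z 10.0.0.15 www.example.test /index.html text/html
2019-07-02T10:02:40Z 10.0.0.23 cloudflare-dns.com /dns-query application/dns-message
2019-07-02T10:03:05Z 10.0.0.42 doh.corp.test /dns-query application/dns-message
2019-07-02T10:04:00Z 10.0.0.99 unknown-resolver.test /dns-query application/dns-message
"""

def parse_line(line):
    """Split one log line into its five fields; returns None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    return dict(zip(("time", "client", "host", "path", "media"), parts))

def doh_reasons(entry):
    """Return the indicators that make this request look like a DoH lookup."""
    reasons = []
    if entry["host"] in DOH_HOSTS:
        reasons.append("known-public-doh-resolver")
    if entry["media"] in DOH_MEDIA_TYPES:
        reasons.append("doh-media-type")
    # Godlua's first step is a TXT lookup; JSON-API queries expose the record type in the query string
    qs = parse_qs(urlparse(entry["path"]).query)
    if qs.get("type", [""])[0].upper() in {"TXT", "16"}:
        reasons.append("txt-record-lookup")
    return reasons

def find_unapproved_doh(log_text):
    """Map each client to the DoH requests it sent past the approved resolver, with reasons."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or entry["host"] in APPROVED_DOH_HOSTS:
            continue
        reasons = doh_reasons(entry)
        if reasons:
            hits[entry["client"]].append((entry["host"], reasons))
    return dict(hits)
```

Hosts that appear here without a matching query in the internal resolver's logs are the ones the passive DNS sensors never saw.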