Godlua Backdoor

Godlua is a newly observed Lua-based backdoor, which leverages the DNS over HTTPS (DoH) protocol to secure its communications.

Threat ID:: CC-3134
Category:: Backdoor
Threat Severity:: Low
Threat Vector:
Published:: 4 July 2019 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

Godlua is a newly observed Lua-based backdoor, which leverages the DNS over HTTPS (DoH) protocol to secure its communications.

Affected platforms

The following platforms are known to be affected:

Microsoft Windows

Microsoft Windows - All versions

Linux - All versions
Atlassian Confluence Server:
- Versions prior to 6.6.12
- Versions 6.7.0 to 6.12.2
- Versions 6.13.x prior to 6.13.3
- Versions 6.14.x prior to 6.14.2

Threat details

At present this is the first malware seen using DoH to hide its DNS traffic.

At the time of publication, Godlua has been observed exploiting a Confluence server-side template injection vulnerability (CVE-2019-3396) to compromise systems. Once infected, attackers use the machine as part of an unnamed botnet to launch distributed denial-of-service attacks against targeted websites.

At present, two versions of Godlua have been observed. The older version targets Linux systems, whereas the newer version features additional Lua command and targets multiple platforms.

For further information:

CVE-2019-3396

Remediation steps

Type	Step
	To prevent and detect a malware infection, ensure that: A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails. All operating systems, anti-virus and other security products are kept up-to-date. Regular anti-virus and security scans are performed on your organisation’s estate. All day-to-day computer activities such as email and internet are performed using non-administrative accounts. Strong password policies are in place. Network, proxy and firewall logs should be monitored for suspicious activity. User accounts accessed from affected devices should be reset on a clean computer. Your organisation adopts a holistic all-round approach to Cyber Security as advocated by the 10 Steps to Cyber Security.

Type

Step

To prevent and detect a malware infection, ensure that:

A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails.
All operating systems, anti-virus and other security products are kept up-to-date.
Regular anti-virus and security scans are performed on your organisation’s estate.
All day-to-day computer activities such as email and internet are performed using non-administrative accounts.
Strong password policies are in place.
Network, proxy and firewall logs should be monitored for suspicious activity.
User accounts accessed from affected devices should be reset on a clean computer.
Your organisation adopts a holistic all-round approach to Cyber Security as advocated by the 10 Steps to Cyber Security.

CVE Vulnerabilities

Status

CVE-2019-3396

Last edited: 14 February 2020 2:49 pm