Security researchers from 360 Netlab recently spotted a malware backdoor dubbed Godlua that targets Linux and Windows systems.
An excerpt from Netlab's description of Godlua:
“Godlua Backdoor has a redundant communication mechanism for C2 connection, a combination of hardcoded dns name, Pastebin.com, GitHub.com as well as DNS TXT are used to store the C2 address, which is not something we see often. At the same time, it uses HTTPS to download Lua byte-code files, and uses DNS over HTTPS to get the C2 name to ensure secure communication between the bots, the Web Server and the C2.”
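As an added illustration (not code from 360 Netlab or from Godlua itself) of how a defender might hunt for the layered C2-resolution pattern the quote describes, here is a small Python correlation heuristic run over constructed DNS and proxy log records; the DoH resolver hostname, the host names and every log line are assumptions made up for the example.

```python
# Added example: flag hosts whose DNS/proxy activity matches several of the
# fallback C2-resolution channels described for Godlua (DNS TXT records,
# DNS over HTTPS, and public dead drops such as Pastebin/GitHub).
# All records, hosts and domains below are constructed for illustration.
from collections import defaultdict

# Assumed DoH resolver host to watch (illustrative placeholder, not a real IoC).
DOH_RESOLVERS = {"dns.example-doh.test"}
# Public paste/code hosts the report says were used to stash the C2 address.
DEAD_DROP_HOSTS = {"pastebin.com", "raw.githubusercontent.com", "github.com"}

# Constructed sample records: (host, source, detail)
# source "dns"   -> detail is "<qtype> <qname>"
# source "proxy" -> detail is "<method> <destination host>"
SAMPLE_LOGS = [
    ("host-a", "dns",   "A   updates.vendor.test"),
    ("host-b", "dns",   "TXT c2-name.example.test"),
    ("host-b", "proxy", "GET dns.example-doh.test"),
    ("host-b", "proxy", "GET pastebin.com"),
    ("host-c", "proxy", "GET github.com"),
]


def godlua_indicators(logs):
    """Return {host: set(indicator)} for the three fallback channels seen in Godlua."""
    hits = defaultdict(set)
    for host, source, detail in logs:
        kind, target = detail.split(None, 1)
        target = target.strip()
        if source == "dns" and kind == "TXT":
            hits[host].add("dns_txt_lookup")
        elif source == "proxy" and target in DOH_RESOLVERS:
            hits[host].add("doh_resolver")
        elif source == "proxy" and target in DEAD_DROP_HOSTS:
            hits[host].add("dead_drop_fetch")
    return dict(hits)


def suspicious_hosts(logs, min_channels=2):
    """Hosts touching at least min_channels distinct channels; one hit alone is weak."""
    return sorted(h for h, ind in godlua_indicators(logs).items()
                  if len(ind) >= min_channels)


if __name__ == "__main__":
    print(suspicious_hosts(SAMPLE_LOGS))  # ['host-b']
```

TXT lookups (SPF, DKIM) and GitHub fetches are routine on their own, which is why the threshold requires several channels from the same host before it reports anything.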
According to Netlab, there are two different versions of Godlua. The first version (201811051556) targets Linux systems and supports two kinds of command and control (C2) instructions, through which it executes Linux commands and runs custom files.
The second version (builds 20190415103713 and 20190621174731) is currently active and runs on both Windows and Linux; its control module is written in Lua and supports five C2 commands.
Netlab has not confirmed how Godlua infects its targets, though the company did say that some Linux systems were compromised through an exploit for a Confluence vulnerability (CVE-2019-3396).