
ChamelDoH: New Linux Backdoor Leverages DNS-over-HTTPS Tunneling for Covert CnC
The threat actor known as ChamelGang has been observed using a previously undocumented implant to backdoor Linux systems, marking a new expansion of the threat actor's capabilities.
The malware, dubbed ChamelDoH by Stairwell, is a C++-based tool for communicating via DNS-over-HTTPS (DoH) tunneling.
ChamelGang was first disclosed by Russian cybersecurity firm Positive Technologies in September 2021, which detailed its attacks on the fuel, energy and aviation production industries in Russia, the US, India, Nepal, Taiwan and Japan.
The actor's attack chains have exploited vulnerabilities in Microsoft Exchange servers and Red Hat JBoss Enterprise Applications to gain initial access and carry out data theft attacks using a passive backdoor called DoorMe.
“This is a native IIS module registered as a filter where HTTP requests and responses are processed,” said Positive Technologies at the time. “Its operating principle is unusual: the backdoor only processes requests that set the correct cookie parameters.”
The Linux backdoor discovered by Stairwell, for its part, is designed to capture system information and is capable of remote access operations such as uploading, downloading and deleting files and executing shell commands.

What makes ChamelDoH unique is its novel method of communication: it uses DoH, which performs Domain Name System (DNS) resolution over the HTTPS protocol, to send DNS TXT requests to a rogue nameserver.
“Because these DoH providers typically use DNS servers (i.e., Cloudflare and Google) for legitimate traffic, they cannot easily be blocked enterprise-wide,” said Stairwell researcher Daniel Mayer.
Using DoH for command-and-control (C2) also offers threat actors the additional benefit that requests cannot be intercepted via adversary-in-the-middle (AitM) attacks, owing to the use of the HTTPS protocol.
It also means that security solutions cannot identify and block malicious DoH requests and sever the communication, which effectively turns it into an encrypted channel between the compromised host and the C2 server.
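Where a TLS-inspecting proxy or endpoint sensor does record DoH request URLs (an assumption, not something the article or Stairwell describes), the TXT-over-DoH pattern can be triaged by decoding the RFC 8484 `dns=` parameter. The following is an added example, not code from Stairwell's report; the length and entropy thresholds, the `doh.example` host and the sample queries are constructed for illustration.

```python
import base64, math, struct
from collections import Counter
from urllib.parse import urlparse, parse_qs

TXT = 16  # DNS record type number for TXT

def decode_doh_get(url):
    """Return (qname, qtype) from the dns= parameter of an RFC 8484 GET URL."""
    b64 = parse_qs(urlparse(url).query)["dns"][0]
    msg = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))  # restore padding
    if struct.unpack("!H", msg[4:6])[0] < 1:          # QDCOUNT
        raise ValueError("DNS message carries no question")
    labels, pos = [], 12                              # question follows 12-byte header
    while msg[pos] != 0:
        n = msg[pos]
        if n & 0xC0:
            raise ValueError("unexpected compression pointer in question")
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    qtype, _qclass = struct.unpack("!HH", msg[pos + 1:pos + 5])
    return ".".join(labels), qtype

def entropy(s):
    """Shannon entropy of a string, in bits per character."""
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def suspicious(url, min_len=30, min_entropy=3.5):
    """Heuristic with assumed thresholds: TXT query whose longest label looks encoded."""
    qname, qtype = decode_doh_get(url)
    longest = max(qname.split("."), key=len)
    return qtype == TXT and len(longest) >= min_len and entropy(longest) >= min_entropy

def _sample(qname, qtype):
    """Build a constructed proxy-log URL so the example runs offline."""
    q = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\0"
    msg = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0) + q + struct.pack("!HH", qtype, 1)
    b64 = base64.urlsafe_b64encode(msg).rstrip(b"=").decode()
    return "https://doh.example/dns-query?dns=" + b64

# Constructed sample data, not indicators from the report.
SAMPLES = [
    _sample("www.example.com", 1),                                   # ordinary A query
    _sample("_dmarc.example.com", TXT),                              # routine TXT query
    _sample("mzxw6ytboi2dgnrxha4tambqgeytemzugu3dooa7.ns.example.net", TXT),
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(decode_doh_get(u), "SUSPICIOUS" if suspicious(u) else "ok")
```

Only the third sample is flagged: it is a TXT query with a long, high-entropy leading label, while the ordinary A query and the routine `_dmarc` TXT lookup pass.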
“The outcome of this tactic is similar to C2 via fronting domains, where traffic is sent to an authorized service hosted on a CDN, but is routed to C2 servers via request Host headers – detection and prevention is difficult,” explains Mayer.
The California-based cybersecurity firm says it has detected a total of 10 ChamelDoH samples on VirusTotal, one of which was uploaded back on December 14, 2022.
The latest findings show that “the group has also devoted a great deal of time and effort to researching and developing an equally powerful toolset for Linux intrusions,” Mayer said.