
An Analysis of Godlua Backdoor

July 1, 2019 - 360netlab

Background

On April 24, 2019, our Unknown Threat Detection System flagged a suspicious ELF file that a few vendors on VirusTotal had marked as a mining-related trojan. We cannot confirm that it contains a mining module, but we do see that it has recently started performing DDoS functions.

The file itself is a Lua-based backdoor. We named it Godlua Backdoor because the Lua byte-code file loaded by this sample has the magic number "God".

Godlua Backdoor has a redundant communication mechanism for its C2 connection: a combination of a hardcoded DNS name, Pastebin.com, GitHub.com and DNS TXT records is used to store the C2 address, which is not something we see often. At the same time, it uses HTTPS to download Lua byte-code files and DNS over HTTPS to obtain the C2 name, securing the communication between the bots, the web server and the C2.

We have noticed that there are already two versions of Godlua Backdoor, with updates ongoing. We have also observed attackers using the Lua command to run Lua code dynamically and to launch HTTP Flood attacks against some websites.

Overview

At present we see two versions of Godlua. Version 201811051556 was obtained by traversing the Godlua download servers and has not been updated. Versions 20190415103713 ~ 20190621174731 are active and are still being updated. Both are written in C, but the active one supports more platforms and more features. The following is a comparison.

Godlua Backdoor Reverse Analysis

version 201811051556

This is the version we found earlier (201811051556). It focuses on the Linux platform and supports two kinds of C2 instruction: executing Linux system commands and running custom files.

Sample information

ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.6.32, dynamically linked (uses shared libs), for GNU/Linux 2.6.32, stripped

C2 redundant mechanism

This version performs C2 communication in two ways: a hardcoded domain name and a GitHub link.

Its hardcoded C2 domain is: d.heheda.tk

It also has a GitHub page, and the real C2 address is stored encrypted in the project description.

C2 instruction

- cmd_call: execute Linux system commands
- cmd_shell: execute a custom file

C2 protocol analysis

Packet format

| Length | Type | Data |
| --- | --- | --- |
| Little endian, 2 bytes | 1 byte | (Length - 3) bytes |
Encryption Algorithm

The XOR key is a randomly generated 16-byte value; the algorithm is as follows:

Packet Overview

cmd_handshake

```text
packet[0:31]: 24 00 02 ec 86 a3 23 fb d0 d1 e9 e8 5f 23 6f 6d 70 b5 95 24 44 e0 fc 2e 00 00 00 6c 69 6e 75 78 2d 78 38 36

Length: packet[0:1]    ---> 0x0024
Type:   packet[2]      ---> 0x02, handshake
Data:   packet[3:31]
    Data[0:15]         ---> xor key
    Data[16:23]        ---> version, hardcoded, little endian
    Data[24:31]        ---> arch, hardcoded
```

cmd_heartbeat

```text
packet[0:10]: 0b 00 03 87 19 45 cb 91 d1 d1 a9

Length: packet[0:1]    ---> 0x000b
Type:   packet[2]      ---> 0x03, heartbeat
Data:   packet[3:10]   ---> xored clock64()
```

version 20190415103713 ~ 20190621174731

This active version runs on both Windows and Linux.
The control module is implemented in Lua, and five C2 commands are supported.

Sample information

version 20190415103713

ELF 64-bit LSB executable, AMD x86-64, version 1 (SYSV), statically linked, stripped

version 20190621174731

ELF 64-bit LSB executable, AMD x86-64, version 1 (SYSV), statically linked, stripped

C2 redundant mechanism

Stage-1 URL

The backdoor uses three different ways to store the Stage-1 URL: hardcoded ciphertext, a GitHub project description, and Pastebin text.
After the Stage-1 URL is retrieved and decrypted, a start.png file is downloaded, which is actually Lua bytecode.
The bot then loads it into memory and executes it to obtain the Stage-2 URL.

Encryption Algorithm
Hard coded ciphertext

version 20190415103713

version 20190621174731

Github project description
Pastebin text

Stage-2 URL

At stage 2, two mechanisms are used to store the Stage-2 URL: a GitHub project file and DNS over HTTPS.
After the Stage-2 URL is retrieved and decrypted, a run.png file, also Lua bytecode, is downloaded.
The bot loads this file into memory and runs it to obtain the Stage-3 C2.

Encryption Algorithm
Github project description
DNS TXT

Stage-3 C2

Stage-3 C2 is hardcoded in the Lua byte-code file (run.png). We disassembled it to get the following information.

version 20190415103713

version 20190621174731

DNS Over HTTPS Request

C2 instruction
| CMD       | Type |
| --------- | ---- |
| HANDSHAKE | 1    |
| HEARTBEAT | 2    |
| LUA       | 3    |
| SHELL     | 4    |
| UPGRADE   | 5    |
| QUIT      | 6    |
| SHELL2    | 7    |
| PROXY     | 8    |
C2 protocol analysis

Packet format

| Type | Length | Data |
| --- | --- | --- |
| 1 byte | Big endian, 2 bytes | Length bytes |

Packet overview

```text
Type:   packet[0]      ---> 0x01, HANDSHAKE
LENGTH: packet[1:2]    ---> 0x0010
Data:   packet[3:end]
    data[0:7]          ---> Session
    data[8:end]        ---> version, 0x00125cfecd8bcb -> 20190621174731
```
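The two framings above (version 201811051556 puts a little-endian length first; the active version puts the type first and a big-endian length second) can be parsed with the following added example, which is not code from the post or from the malware. The v1 sample packets are the handshake and heartbeat bytes quoted in the post; the v2 handshake is constructed here, and the byte order of its 8-byte version field is an assumption, since the post only gives the decoded value.

```python
import struct

# Added example, not code from the 360netlab post: framing parsers for both
# Godlua C2 packet formats described above.
V1_TYPES = {0x02: "handshake", 0x03: "heartbeat"}
V2_TYPES = {1: "HANDSHAKE", 2: "HEARTBEAT", 3: "LUA", 4: "SHELL",
            5: "UPGRADE", 6: "QUIT", 7: "SHELL2", 8: "PROXY"}

def parse_v1(packet: bytes) -> dict:
    """Version 201811051556: | length LE u16 | type u8 | (length-3) data bytes |"""
    if len(packet) < 3:
        raise ValueError("packet too short")
    length, ptype = struct.unpack_from("<HB", packet, 0)
    if length != len(packet):
        raise ValueError(f"length field {length} != {len(packet)} bytes on wire")
    data = packet[3:length]
    out = {"type": V1_TYPES.get(ptype, f"unknown({ptype:#x})"), "data": data}
    if ptype == 0x02:
        # 16-byte XOR key, 8-byte little-endian version, then the arch string
        out["xor_key"] = data[:16]
        out["version"] = struct.unpack_from("<Q", data, 16)[0]
        out["arch"] = data[24:].decode("ascii")
    return out

def parse_v2(packet: bytes) -> dict:
    """Active version: | type u8 | length BE u16 | length data bytes |"""
    if len(packet) < 3:
        raise ValueError("packet too short")
    ptype, length = struct.unpack_from(">BH", packet, 0)
    data = packet[3:3 + length]
    if len(data) != length:
        raise ValueError(f"truncated: want {length} data bytes, got {len(data)}")
    out = {"type": V2_TYPES.get(ptype, f"unknown({ptype:#x})"), "data": data}
    if ptype == 1:
        out["session"] = data[:8]
        # Assumption: the 8-byte version is big-endian like the length field;
        # the post only gives its decoded value 0x00125cfecd8bcb -> 20190621174731.
        out["version"] = struct.unpack_from(">Q", data, 8)[0]
    return out

# v1 packets are the ones quoted in the post; the v2 handshake is constructed.
V1_HANDSHAKE = bytes.fromhex(
    "24 00 02 ec 86 a3 23 fb d0 d1 e9 e8 5f 23 6f 6d 70 b5 95 "
    "24 44 e0 fc 2e 00 00 00 6c 69 6e 75 78 2d 78 38 36")
V1_HEARTBEAT = bytes.fromhex("0b 00 03 87 19 45 cb 91 d1 d1 a9")
V2_HANDSHAKE = b"\x01\x00\x10" + b"\x11" * 8 + (20190621174731).to_bytes(8, "big")
```

Calling `parse_v1(V1_HANDSHAKE)` recovers the XOR key, the version 201811051556 and the arch string "linux-x86" from the quoted bytes; a packet whose length field disagrees with the bytes on the wire is rejected.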

We observed the attacker performing an HTTP Flood attack against www.liuxiaobei.com.

Lua script analysis

The Bot sample downloads many Lua scripts when executing, and the scripts can be broken down to three categories: execute, auxiliary, and attack.

Encryption Algorithm
Lua magic number

The decrypted files are all pre-compiled Lua bytecode. Take upgrade.png as an example; the highlighted part is the file header.
You can see that the magic number has been changed from "Lua" to "God".

The malware author also seems to have set a trap for researchers here by manually changing the LuaVersion string in the sample to 5.1.4 ($LuaVersion: God 5.1.4 C$$LuaAuthors: R. $). We believe the real version is definitely newer than 5.2.
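A header check for decrypted chunks, as an added example that is not code from the post: it flags the "\x1bGod" signature and reports the version byte together with the position of the LUAC_DATA marker, which stock Lua 5.1 never emits. The sample headers are constructed, since the post does not give Godlua's real version byte.

```python
# Added example, not from the 360netlab post: classify a decrypted chunk by its
# byte-code signature, flagging the "\x1bGod" magic described above.
LUA_SIG = b"\x1bLua"
GOD_SIG = b"\x1bGod"
LUAC_DATA = b"\x19\x93\r\n\x1a\n"  # Lua 5.2 puts it at offset 12, 5.3 at offset 6

def inspect_lua_header(blob: bytes) -> dict:
    """Return the chunk kind, the version byte as 'major.minor', and where (if
    anywhere) LUAC_DATA sits; a genuine 5.1 chunk has no LUAC_DATA at all."""
    if len(blob) < 6:
        return {"kind": "not-lua"}
    sig, version, fmt = blob[:4], blob[4], blob[5]
    if sig == LUA_SIG:
        kind = "lua"
    elif sig == GOD_SIG:
        kind = "godlua"  # patched magic: the file would not load in stock Lua
    else:
        return {"kind": "not-lua"}
    offset = next((o for o in (6, 12) if blob[o:o + 6] == LUAC_DATA), None)
    return {"kind": kind, "version": f"{version >> 4}.{version & 0x0F}",
            "format": fmt, "luac_data_offset": offset}

# Constructed sample headers; the post does not give Godlua's real version byte.
SAMPLE_STD_51 = b"\x1bLua\x51\x00\x01\x04\x04\x04\x08\x00"
SAMPLE_GOD_53 = b"\x1bGod\x53\x00" + LUAC_DATA + b"\x04\x08\x04\x08\x08"
```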

Decompile

In order to decompile the above script, we had to find out what changes had been made to Lua. After some analysis, we concluded that the modifications fall into two major areas: the Lua header and the Lua opcodes.

Decompiled by Luadec[1]

Suggestions

We have yet to see the whole picture of how exactly the Godlua backdoor infects its targets. At this point we know that at least some Linux users were infected via the Confluence exploit (CVE-2019-3396); if our readers have more information, feel free to contact us.

We suggest at least monitoring and blocking the relevant IPs, URLs and domain names of Godlua Backdoor on your network.

Contact us

Readers are always welcome to reach us on Twitter, on WeChat (360Netlab), or by email at netlab at 360 dot cn.

IoC list

Sample MD5

- 870319967dba4bd02c7a7f8be8ece94f
- c9b712f6c347edde22836fb43b927633
- 75902cf93397d2e2d1797cd115f8347a


IP

| IP | Country | ASN | Organization |
| --- | --- | --- | --- |
| 198.204.231.250 | United States | ASN 33387 | DataShack, LC |
| 104.238.151.101 | Japan | ASN 20473 | Choopa, LLC |
| 43.224.225.220 | Hong Kong | ASN 22769 | DDOSING NETWORK |
