Security News > 2023 > June > Chinese hackers use DNS-over-HTTPS for Linux malware communication
The Chinese threat group 'ChamelGang' infects Linux devices with a previously unknown implant named 'ChamelDoH,' allowing DNS-over-HTTPS communications with attackers' servers.
The link between ChamelGang and the new Linux malware is based on a domain previously associated with the threat actor and a custom privilege elevation tool observed by Positive Technologies in past ChamelGang campaigns.
DNS queries are sent as unencrypted, plain text, allowing organizations, ISPs, and others to monitor the DNS requests.
This is a double-edged sword, as malware can use it as an effective encrypted communication channel, making it harder for security software to monitor for malicious network communication.
In the case of ChamelDoH, DNS-over-HTTPS provides encrypted communication between an infected device and the command and control server, making malicious queries indistinguishable from regular HTTPS traffic.
DoH can help bypass local DNS servers by using DoH-compatible servers provided by reputable organizations, which was not seen in this case.
News URL
Related news
- Hackers Leveraging Cloudflare Tunnels, DNS Fast-Flux to Hide GammaDrop Malware (source)
- APT-C-60 Hackers Exploit StatCounter and Bitbucket in SpyGlace Malware Campaign (source)
- Chinese hackers breached T-Mobile's routers to scope out network (source)
- Researchers discover first UEFI bootkit malware for Linux (source)
- BootKitty UEFI malware exploits LogoFAIL to infect Linux systems (source)
- Researchers Uncover 4-Month Cyberattack on U.S. Firm Linked to Chinese Hackers (source)
- U.S. org suffered four month intrusion by Chinese hackers (source)
- Chinese hackers use Visual Studio Code tunnels for remote access (source)
- U.S. Charges Chinese Hacker for Exploiting Zero-Day in 81,000 Sophos Firewalls (source)
- ZLoader Malware Returns With DNS Tunneling to Stealthily Mask C2 Comms (source)