Security News > 2023 > June > ChamelDoH: New Linux Backdoor Utilizing DNS-over-HTTPS Tunneling for Covert CnC

The threat actor known as ChamelGang has been observed using a previously undocumented implant to backdoor Linux systems, marking a new expansion of the threat actor's capabilities.

The malware, dubbed ChamelDoH by Stairwell, is a C++-based tool for communicating via DNS-over-HTTPS tunneling.

Attack chains mounted by the actor have leveraged vulnerabilities in Microsoft Exchange servers and Red Hat JBoss Enterprise Application to gain initial access and carry out data theft attacks using a passive backdoor called DoorMe.

The Linux backdoor discovered by Stairwell, for its part, is designed to capture system information and is capable of remote access operations such as file upload, download, deletion, and shell command execution.

What makes ChamelDoH unique is its novel communication method of using DoH, which is used to perform Domain Name System resolution via the HTTPS protocol, to send DNS TXT requests to a rogue nameserver.

The use of DoH for command-and-control also offers additional benefits for the threat actor in that the requests cannot be intercepted by means of an adversary-in-the-middle attack owing to the use of the HTTPS protocol.

News URL

https://thehackernews.com/2023/06/chameldoh-new-linux-backdoor-utilizing.html