The threat actor known as ChamelGang has been observed using a previously undocumented implant to backdoor Linux systems, demonstrating new and expanding capabilities for the group.
The malware, dubbed ChamelDoH by Stairwell, is a C++-based tool for communicating via DNS-over-HTTPS (DoH) tunneling.
ChamelGang was first exposed by Russian cybersecurity firm Positive Technologies in September 2021, revealing details of attacks against the fuel, energy and aviation production industries in Russia, the United States, India, Nepal, Taiwan and Japan.
The attack chains mounted by the adversary leveraged vulnerabilities in Microsoft Exchange servers and Red Hat JBoss Enterprise Application to gain initial access, and used a passive backdoor called DoorMe to carry out data theft.
“This is a native IIS module that registers as a filter with which HTTP requests and responses are processed,” Positive Technologies said at the time. “The way it works is unusual. The backdoor only processes requests that have the correct cookie parameters set.”
The Linux backdoor discovered by Stairwell is designed to obtain system information and allow remote access operations such as uploading, downloading, deleting files and executing shell commands.
What makes ChamelDoH unique is its novel communication method, which uses DoH to perform Domain Name System (DNS) resolution over the HTTPS protocol, sending DNS TXT requests to a rogue name server.
“Because these DoH providers [i.e., Cloudflare and Google] are commonly used as DNS servers for legitimate traffic, they can’t be easily blocked enterprise-wide,” said Stairwell researcher Daniel Mayer.
Using DoH for command-and-control (C2) also gives threat actors an additional advantage: because the requests are carried over HTTPS, they cannot be intercepted by adversary-in-the-middle (AitM) attacks.
This also means that communication between compromised hosts and the C2 servers takes place over an encrypted channel, so security solutions are unable to identify malicious DoH requests, block them, and sever the communication.
“The result of this tactic is similar to C2 via domain fronting: traffic is sent to a legitimate service hosted on a CDN, but redirected to the C2 server via the Host header of the request. Both detection and prevention are difficult,” Mayer explained.
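As an added example (not part of the article or of Stairwell’s research), the following Python shows what a DoH TXT lookup looks like on the wire and how a defender with TLS-inspecting proxy logs could decode the RFC 8484 `dns=` parameter to flag TXT queries to public DoH resolvers whose subdomains are long enough to carry payload. The proxy log format, the `c2.example.net` domain and the sample records are constructed; the resolver endpoints are the public DoH services of the two providers the article names, not anything specific to ChamelDoH.

```python
import base64
import struct
from urllib.parse import parse_qs, urlsplit

# RFC 8484 GET requests carry the DNS wire-format query base64url-encoded in "?dns=".
DOH_RESOLVERS = {"cloudflare-dns.com", "dns.google"}  # public DoH endpoints (assumed list)
QTYPE_TXT = 16

def encode_dns_query(qname, qtype):
    """Minimal DNS wire-format query; used here only to build the constructed sample logs."""
    header = struct.pack(">HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # id=0, RD set, one question
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack(">HH", qtype, 1)  # QCLASS IN

def decode_doh_get(url):
    """Return (resolver_host, qname, qtype) for a DoH GET URL, or None if it is not one."""
    parts = urlsplit(url)
    dns_param = parse_qs(parts.query).get("dns")
    if parts.path != "/dns-query" or not dns_param:
        return None
    raw = dns_param[0]
    wire = base64.urlsafe_b64decode(raw + "=" * (-len(raw) % 4))  # restore stripped padding
    pos, labels = 12, []  # question section starts right after the 12-byte header
    while wire[pos] != 0:  # walk the length-prefixed QNAME labels
        n = wire[pos]
        labels.append(wire[pos + 1:pos + 1 + n].decode(errors="replace"))
        pos += 1 + n
    qtype = struct.unpack(">H", wire[pos + 1:pos + 3])[0]
    return parts.hostname, ".".join(labels), qtype

def flag_txt_tunnel_candidates(log_lines, min_subdomain_len=40):
    """Flag DoH TXT lookups to public resolvers whose subdomain is long enough to carry data."""
    hits = []
    for line in log_lines:
        parsed = decode_doh_get(line.split()[-1])  # the URL is the last field of each log line
        if parsed is None:
            continue
        host, qname, qtype = parsed
        subdomain = qname.rsplit(".", 2)[0] if qname.count(".") >= 2 else ""
        if host in DOH_RESOLVERS and qtype == QTYPE_TXT and len(subdomain) >= min_subdomain_len:
            hits.append((host, qname))
    return hits

def sample_logs():
    """Constructed proxy log lines (not real telemetry): a benign A lookup, a TXT beacon, a web hit."""
    def doh_url(host, qname, qtype):
        b64 = base64.urlsafe_b64encode(encode_dns_query(qname, qtype)).rstrip(b"=").decode()
        return f"https://{host}/dns-query?dns={b64}"
    return [
        "2023-06-15T10:00:01Z 10.0.0.5 GET " + doh_url("cloudflare-dns.com", "www.example.com", 1),
        "2023-06-15T10:00:02Z 10.0.0.5 GET " + doh_url("dns.google", "a" * 48 + ".c2.example.net", QTYPE_TXT),
        "2023-06-15T10:00:03Z 10.0.0.5 GET https://www.example.org/index.html",
    ]
```

The heuristic only inspects DoH GET requests; POST-based DoH places the same wire-format query in the request body, so a deployment would feed that body to the same decoder.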
The California-based cybersecurity firm said it detected a total of 10 ChamelDoH samples on VirusTotal, one of which was uploaded on December 14, 2022.
The latest findings show that “the group has also spent considerable time and effort researching and developing toolsets that are equally robust against Linux intrusions,” Mayer said.