June 16, 2023Ravi LakshmananEndpoint Security/Network Security

threat actor known as chamel gang It has been observed to use a previously undocumented implant to backdoor Linux systems, demonstrating new and expanding capabilities for the threat actor.

called malware Chameldor A C++ based tool for communicating via DNS-over-HTTPS (DoH) tunneling by Stairwell.

ChamelGang was first exposed by Russian cybersecurity firm Positive Technologies in September 2021, revealing details of attacks against the fuel, energy and aviation production industries in Russia, the United States, India, Nepal, Taiwan and Japan.

The attack chain set by the attacker leveraged vulnerabilities in Microsoft Exchange servers and Red Hat JBoss Enterprise Application to gain initial access and used a passive backdoor called DoorMe to perform data theft attacks.

cyber security

“This is a native IIS module that registers as a filter with which HTTP requests and responses are processed,” Positive Technologies said at the time. “The way it works is unusual. The backdoor only processes requests that have the correct cookie parameters set.”

The Linux backdoor discovered by Stairwell is designed to obtain system information and allow remote access operations such as uploading, downloading, deleting files and executing shell commands.

Linux backdoor

What makes ChamelDoH unique is the new communication method sent using DoH, which is used to perform Domain Name System (DNS) resolution over the HTTPS protocol. DNS TXT request to the villain name server.

“Because these DoH providers are commonly used as DNS servers, [i.e., Cloudflare and Google] If it’s legitimate traffic, it can’t be easily blocked enterprise-wide,” said Steerwell researcher Daniel Meyer.

Using DoH for command and control (C2) also provides an additional advantage for threat actors in that because it uses HTTPS, the requests cannot be intercepted by man-in-the-middle (AitM) attacks. protocol.

upcoming webinars

🔐 Mastering API Security: Understanding Your True Attack Surface

Discover untapped vulnerabilities in your API ecosystem and take proactive steps towards ironclad security. Join us for an insightful webinar!

join the session

This also means that communication between compromised hosts and C2 servers becomes an encrypted channel as security solutions are unable to identify and ban malicious DoH requests and sever communication. .

“The result of this tactic is similar to C2 via domain fronting: traffic is sent to a legitimate service hosted on a CDN, but redirected to the C2 server via the Host header of the request. Both detection and prevention are difficult,” Mayer explained.

A California-based cybersecurity firm announced that it detected a total of 10 ChamelDoH samples on VirusTotal, one of which was uploaded on December 14, 2022.

The latest findings show that “the group has also spent considerable time and effort researching and developing toolsets that are equally robust against Linux intrusions,” Mayer said.

Did you enjoy this article? Follow us twitter and LinkedIn To read more of the exclusive content we post.



Register now for our membership to gain access to our elite training program and fast forward your career today!


Subscribe my Newsletter for new blog posts, tips & new photos. Let's stay updated!

Security Blog

Blue Training Academy

Blue Training Academy was developed in 2018 as a educational and training facility for continuing education and certification courses. Blue Training Academy is an educational institution that allows for all sectors of the public and Criminal Justice field to gain ongoing training and education.

Copyright ©️ All rights reserved. | Blue Training Academy Blog