What just happened? Researchers at Network Security Research Lab have discovered the first known malware strain that uses the DNS over HTTPS protocol. Dubbed Godlua, the name comes from both its Lua codebase and the magic number "God" found in the source code of one of the samples.
DNS over HTTPS has been gaining momentum. Last October, the Internet Engineering Task Force formally adopted DoH, published as RFC 8484, and while the protocol itself isn't new, malware strains abusing it are. In their report, Netlab researchers describe a suspicious ELF file that was originally thought to be a cryptocurrency mining Trojan.
While researchers haven't confirmed or denied any cryptocurrency mining functionality, they have confirmed that it behaves more like a DDoS bot. Researchers have observed that the file works as a "Lua-based backdoor" on infected systems, and have noted at least one DDoS attack launched against liuxiaobei.com. So far, researchers have spotted at least two versions in the wild, both using DNS over HTTPS instead of traditional DNS requests.
By using DNS over HTTPS, the malware strain can hide its DNS traffic through an encrypted HTTPS connection, allowing Godlua to elude passive DNS monitoring – an issue that already has cyber security experts alarmed.
Spoiler: there will be more. Lots, lots more. DoH is going to break a lot of security controls. https://t.co/Eo8QqP3Mmd
Kevin Beaumont (@GossiTheDog), July 2, 2019
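The blind spot described above can be illustrated from the defender's side. The following is an added example, not code from the Netlab report or the article: it runs two checks over constructed flow records, flagging HTTPS connections to well-known public DoH resolvers (the Google and Cloudflare endpoints named in this article) and flagging destinations a host contacts on port 443 without any prior port-53 answer, which is exactly the gap passive DNS monitoring cannot see once resolution moves into HTTPS. The sample IPs, hostnames and clients are constructed for the example.

```python
"""Added example (not from the Netlab report): surface the passive-DNS
blind spot that DoH creates, using constructed flow and DNS log records."""
from collections import defaultdict

# Well-known public DoH endpoints (Google Public DNS and Cloudflare).
KNOWN_DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "mozilla.cloudflare-dns.com"}
KNOWN_DOH_IPS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1"}

# Constructed sample data: passive DNS answers observed on port 53,
# and TLS flows with the SNI name where the sensor could see it.
DNS_ANSWERS = [  # (client, queried name, resolved IP)
    ("10.0.0.5", "example.com", "93.184.216.34"),
]
TLS_FLOWS = [  # (client, destination IP, destination port, SNI or None)
    ("10.0.0.5", "93.184.216.34", 443, "example.com"),       # resolved via port 53
    ("10.0.0.7", "1.1.1.1", 443, "cloudflare-dns.com"),      # DoH to Cloudflare
    ("10.0.0.7", "203.0.113.9", 443, "c2.example.invalid"),  # never seen in passive DNS
    ("10.0.0.7", "8.8.8.8", 53, None),                       # plain DNS, not DoH
]


def find_doh_flows(flows):
    """Return flows that speak HTTPS to a known public DoH resolver,
    matched on either the destination IP or the TLS SNI."""
    return [f for f in flows
            if f[2] == 443 and (f[1] in KNOWN_DOH_IPS or f[3] in KNOWN_DOH_HOSTS)]


def find_unresolved_destinations(dns_answers, flows):
    """Return (client, dst_ip) pairs contacted on port 443 for which that client
    never received a port-53 answer. DoH resolution (or a hard-coded IP) leaves
    exactly this gap; the DoH resolvers themselves are excluded here because
    find_doh_flows already reports them."""
    seen = defaultdict(set)
    for client, _name, ip in dns_answers:
        seen[client].add(ip)
    return [(client, ip) for client, ip, port, _sni in flows
            if port == 443 and ip not in seen[client] and ip not in KNOWN_DOH_IPS]


if __name__ == "__main__":
    for flow in find_doh_flows(TLS_FLOWS):
        print("DoH resolver contacted:", flow)
    for pair in find_unresolved_destinations(DNS_ANSWERS, TLS_FLOWS):
        print("HTTPS destination with no passive-DNS trail:", pair)
```

In a real deployment the "unresolved destination" check needs a warm-up window and a CDN allowlist, since caching and shared resolvers also produce flows without a matching local DNS answer.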
Both Google and Mozilla have come out in support of the DoH protocol; Mozilla is currently testing DoH, and Google is now offering DoH as part of its public DNS service. Popular content delivery networks such as Cloudflare also offer DNS resolution over HTTPS.