ChamelGang exploits undocumented implant for Linux systems

June 30, 2023 - TuxCare PR Team

Cybersecurity researchers at Stairwell have identified a threat actor known as ChamelGang employing a previously undisclosed implant to establish backdoors in Linux systems. The new malware, which Stairwell named ChamelDoH, is written in C++ and uses DNS-over-HTTPS (DoH) tunneling for covert communication. tools specifically designed for Linux intrusions.

ChamelGang's attack techniques typically involve exploiting vulnerabilities in Microsoft Exchange servers and Red Hat JBoss Enterprise Application to gain initial access. ChamelDoH is then deployed to establish a persistent backdoor on the compromised systems, enabling remote access operations such as file upload, download, deletion, and shell command execution.

According to Stairwell, ChamelDoH uses encrypted DNS queries to communicate with a command-and-control server operated by hackers. This encryption helps the malware avoid detection and stay on compromised systems for a long time. The implant can gather system information, run any command, transfer files, and make changes to the system’s settings.

The key differentiator of ChamelDoH lies in its use of DoH to perform DNS resolution via the HTTPS protocol. By sending DNS TXT requests to a rogue nameserver, ChamelGang effectively exploits the encrypted nature of this communication method. This technique poses a significant challenge for security solutions since blocking commonly used DoH providers, such as Cloudflare and Google, would also impede legitimate traffic.

Daniel Mayer, a researcher at Stairwell, emphasizes the effectiveness of this tactic, drawing a parallel to command-and-control via domain fronting. The requests appear to be directed to legitimate services hosted on content delivery networks (CDNs), making detection and prevention arduous.

To protect its communication, ChamelDoH encrypts the data with AES128 and encodes the result in base64 so that it can be inserted as a subdomain. Furthermore, the implant possesses a range of functionalities, including executing commands, setting sleep intervals, downloading files, uploading files, deleting files, copying files, changing directories, and more.
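The following detection sketch is an added example, not code from Stairwell or from the original article. It flags TXT queries whose leftmost label looks like base64-encoded ciphertext and groups them by parent domain. It assumes query names and types are visible to the defender (for example from endpoint telemetry or a resolver the organisation operates), since DoH hides them from network sensors; the thresholds, function names and sample records are assumptions constructed for illustration.

```python
import math
import re
from collections import Counter

# Standard and URL-safe base64 characters, padding included.
B64_LABEL = re.compile(r"[A-Za-z0-9+/_=-]+")
MIN_LABEL_LEN = 24   # assumed threshold: short labels are rarely payloads
MIN_ENTROPY = 4.0    # assumed threshold, in bits per character


def shannon_entropy(text):
    """Bits per character of the label's character distribution."""
    total = len(text)
    return -sum(n / total * math.log2(n / total) for n in Counter(text).values())


def is_suspicious(qname, qtype):
    """Flag TXT queries whose leftmost label resembles encoded ciphertext."""
    if qtype.upper() != "TXT":
        return False
    label = qname.rstrip(".").split(".")[0]
    if len(label) < MIN_LABEL_LEN or not B64_LABEL.fullmatch(label):
        return False
    return shannon_entropy(label) >= MIN_ENTROPY


def suspicious_domains(records, min_hits=2):
    """Count flagged queries per parent domain; keep domains seen min_hits+ times."""
    hits = Counter()
    for qname, qtype in records:
        if is_suspicious(qname, qtype):
            parent = ".".join(qname.rstrip(".").split(".")[1:]).lower()
            hits[parent] += 1
    return {domain: n for domain, n in hits.items() if n >= min_hits}


# Constructed sample (qname, qtype) records; all domains are placeholders.
SAMPLE = [
    ("q7Zk2LmX9pRtV4cYhB8sWnE3.ns.example.net", "TXT"),
    ("Jf5dTgA1uKoN6xQwPz0MbHyC.ns.example.net", "TXT"),
    ("Rv3nXc8LqYt5KbZ2mWp7HdGs.cdn.example.org", "TXT"),  # single hit only
    ("_dmarc.example.com", "TXT"),                         # short label
    ("aaaaaaaaaaaaaaaaaaaaaaaaaaaa.example.com", "TXT"),   # long, low entropy
    ("q7Zk2LmX9pRtV4cYhB8sWnE3.ns.example.net", "A"),      # not a TXT query
    ("www.example.com", "A"),
]

if __name__ == "__main__":
    print(suspicious_domains(SAMPLE))
```

Requiring repeated hits per parent domain reduces noise from one-off lookups that happen to carry a long random label.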

ChamelGang has reportedly been targeting organizations operating in the energy, aviation, and government sectors across Russia, the United States, India, Nepal, Taiwan, and Japan.

The sources for this piece include an article in TheHackerNews.
