ChamelDoH: New Linux Backdoor Using DNS-over-HTTPS Tunneling for

Jun 16, 2023 | Ravie Lakshmanan | Endpoint Security / Network Security

The threat actor known as ChamelGang has been observed using a previously undocumented implant to backdoor Linux systems, marking a new expansion of the threat actor’s capabilities.

The malware, dubbed ChamelDoH by Stairwell, is a C++-based tool for communicating via DNS-over-HTTPS (DoH) tunneling.

ChamelGang was first outed by Russian cybersecurity firm Positive Technologies in September 2021, detailing its attacks on fuel, energy, and aviation production industries in Russia, the U.S., India, Nepal, Taiwan, and Japan.

Attack chains mounted by the actor have leveraged vulnerabilities in Microsoft Exchange servers and Red Hat JBoss Enterprise Application to gain initial access and carry out data theft attacks using a passive backdoor called DoorMe.

“This is a native IIS module that is registered as a filter through which HTTP requests and responses are processed,” Positive Technologies said at the time. “Its principle of operation is unusual: the backdoor processes only those requests in which the correct cookie parameter is set.”

The Linux backdoor discovered by Stairwell, for its part, is designed to capture system information and is capable of remote access operations such as file upload, download, deletion, and shell command execution.

What makes ChamelDoH unique is its novel communication method of using DoH, which is used to perform Domain Name System (DNS) resolution via the HTTPS protocol, to send DNS TXT requests to a rogue nameserver.

“Due to these DoH providers being commonly utilized DNS servers [i.e., Cloudflare and Google] for legitimate traffic, they cannot easily be blocked enterprise-wide,” Stairwell researcher Daniel Mayer said.

The use of DoH for command-and-control (C2) also offers additional benefits for the threat actor in that the requests cannot be intercepted by means of an adversary-in-the-middle (AitM) attack owing to the use of the HTTPS protocol.


This also means that security solutions cannot identify and prohibit malicious DoH requests and sever the communications, thereby turning it into an encrypted channel between a compromised host and the C2 server.

“The result of this tactic is akin to C2 via domain fronting, where traffic is sent to a legitimate service hosted on a CDN, but redirected to a C2 server via the request’s Host header – both detection and prevention are difficult,” Mayer explained.
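Where an egress proxy performs TLS inspection, DoH request URLs become visible and can be triaged; the sketch below is an added example (not code from Stairwell or from the original article) that decodes DoH GET requests and flags TXT lookups whose leftmost label is long and high-entropy. Assumptions: the proxy logs full URLs, tunneled data rides in the query name, and the thresholds, hostnames and sample URLs are constructed; it handles the RFC 8484 `dns=` form and the JSON `name`/`type` form without asserting which one ChamelDoH uses.

```python
import base64, math, struct
from collections import Counter
from urllib.parse import urlsplit, parse_qs

TXT = 16  # DNS record type number for TXT

def parse_doh_url(url):
    """Return (qname, qtype) for a DoH GET URL, or None if it is not one."""
    qs = parse_qs(urlsplit(url).query)
    if "name" in qs:  # JSON API form: ?name=<qname>&type=<type>
        t = qs.get("type", ["A"])[0].upper()
        qtype = int(t) if t.isdigit() else {"A": 1, "TXT": TXT}.get(t, 0)
        return qs["name"][0].rstrip("."), qtype
    try:  # RFC 8484 form: ?dns=<base64url DNS wire message>
        raw = qs["dns"][0]
        msg = base64.urlsafe_b64decode(raw + "=" * (-len(raw) % 4))
        labels, pos = [], 12  # question section follows the 12-byte header
        while msg[pos]:
            labels.append(msg[pos + 1:pos + 1 + msg[pos]].decode("ascii"))
            pos += 1 + msg[pos]
        (qtype,) = struct.unpack_from("!H", msg, pos + 1)
    except (KeyError, ValueError, IndexError, struct.error):
        return None
    return ".".join(labels), qtype

def entropy(s):  # Shannon entropy in bits per character
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def suspicious(url, min_len=24, min_entropy=3.5):
    """Heuristic: TXT lookup whose leftmost label is long and high-entropy."""
    parsed = parse_doh_url(url)
    if not parsed or parsed[1] != TXT:
        return False
    label = parsed[0].split(".")[0]
    return len(label) >= min_len and entropy(label) >= min_entropy

def sample_url(qname, qtype):
    """Build a constructed RFC 8484 GET URL, used only as sample input."""
    q = struct.pack("!6H", 0, 0x0100, 1, 0, 0, 0)
    q += b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\0"
    q += struct.pack("!2H", qtype, 1)
    return "https://doh.example/dns-query?dns=" + base64.urlsafe_b64encode(q).rstrip(b"=").decode()

SAMPLES = [  # constructed proxy-log URLs, not taken from any real sample
    sample_url("www.example.com", 1),
    sample_url("example.com", TXT),  # ordinary short TXT lookup
    sample_url("mzxw6ytboi2dgnrvhe3tqmjsgq3tmnzy.c2.example", TXT),
    "https://doh.example/resolve?name=k9x2q7vb4m8zt1w6r3y5p0hd.c2.example&type=TXT",
]
```

RFC 8484 POST requests carry the DNS message in the body rather than the URL, so they need body logging to be covered by the same check.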

The California-based cybersecurity firm said it detected a total of 10 ChamelDoH samples on VirusTotal, one of which was uploaded back on December 14, 2022.

The latest findings show that the “group has also devoted considerable time and effort to researching and developing an equally robust toolset for Linux intrusions,” Mayer said.
