
An Analysis of Godlua Backdoor - ssully
https://blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/
======
mitchtbaum
After a quick review of this brief (aqrtb?):

Lua-based binaries are being delivered via a Metasploit module for Atlassian
Confluence Server CVE-2019-3396. Other vulnerable servers can also be targeted
with this payload, though it's mostly Linux servers now. Active news sources
include #godlua

[https://www.atlassian.com/software/confluence](https://www.atlassian.com/software/confluence)

[https://www.cvedetails.com/cve/CVE-2019-3396/](https://www.cvedetails.com/cve/CVE-2019-3396/)

[https://twitter.com/hashtag/godlua?f=tweets&vertical=default](https://twitter.com/hashtag/godlua?f=tweets&vertical=default)

------
sky_nox
It's interesting this malware uses DNS over HTTPS to avoid detection.

~~~
ga-vu
The first, according to Cisco Talos:
[https://twitter.com/infosec_nick/status/1146069799899938816](https://twitter.com/infosec_nick/status/1146069799899938816)

------
rolph
My eye homed in on these excerpts from the article:

-- The file itself is a Lua-based Backdoor, we named it Godlua Backdoor as the
Lua byte-code file loaded by this sample has a magic number of “God”

-- Godlua Backdoor has a redundant communication mechanism for Command and
Control [C2] connection, a combination of hardcoded DNS name, Pastebin.com,
GitHub.com as well as DNS TXT are used to store the C2 address, which is not
something we see often. At the same time, it uses HTTPS to download Lua
byte-code files, and uses DNS over HTTPS to get the C2 name to ensure secure
communication between the bots, the Web Server and the C2.
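The redundancy quoted above means the C2 name can arrive as a DNS TXT answer carried inside an HTTPS body, which port-53 monitoring never sees. As an added example (not code from the article or from anyone in this thread), this Python flags RFC 8484 DoH requests by path or media type and decodes an `application/dns-message` body, as a TLS-inspecting proxy or sensor would, to surface the TXT text; the sample response body is constructed, and `203.0.113.10:443` is a documentation placeholder, not an indicator from the article.

```python
import struct
from urllib.parse import urlparse

def looks_like_doh(url, content_type):
    """Flag a web request as a probable DoH exchange by its RFC 8484 path or media type."""
    return urlparse(url).path.endswith("/dns-query") or content_type == "application/dns-message"

def _read_name(msg, off):
    """Decode the DNS name at `off`, following compression pointers (RFC 1035 section 4.1.4)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                  # pointer to an earlier copy of the name
            end = off + 2 if end is None else end  # the name ends after the first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)

def txt_records(msg):
    """Return (owner name, text) for every TXT answer in a DNS wire-format message."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12                                       # fixed 12-byte header
    for _ in range(qdcount):                       # skip the question section
        off = _read_name(msg, off)[1] + 4          # name, then qtype + qclass
    found = []
    for _ in range(ancount):
        name, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == 16:                            # TXT: a chain of <len><chars> strings
            parts, i = [], 0
            while i < len(rdata):
                n = rdata[i]
                parts.append(rdata[i + 1:i + 1 + n].decode("ascii", "replace"))
                i += 1 + n
            found.append((name, "".join(parts)))
    return found

def sample_doh_response():
    """Constructed DoH response body: one TXT answer for example.com (not a real C2 value)."""
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 16, 1)   # qtype TXT, class IN
    rdata = b"\x10" + b"203.0.113.10:443"                               # 16-char string
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 60, len(rdata)) + rdata
    return struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + question + answer
```

`txt_records(sample_doh_response())` returns `[('example.com', '203.0.113.10:443')]`; feeding it the real bodies of flagged `/dns-query` responses from a host that has no business resolving over DoH is the detection opportunity.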

