An Analysis of Godlua Backdoor

Alex.Turing -

Background

On April 24, 2019, our Unknown Threat Detection System highlighted a suspicious ELF file which was marked by a few vendors as mining related trojan on VT. We cannot confirm it has mining related module, but we do see it starts to perform DDoS function recently.

The file itself is a Lua-based Backdoor, we named it Godlua Backdoor as the Lua byte-code file loaded by this sample has a magic number of “God”.

Godlua Backdoor has a redundant communication mechanism for C2 connection, a combination of hardcoded dns name, Pastebin.com, GitHub.com as well as DNS TXT are used to store the C2 address, which is not something we see often. At the same time, it uses HTTPS to download Lua byte-code files, and uses DNS over HTTPS to get the C2 name to ensure secure communication between the bots, the Web Server and the C2.

We noticed that there are already 2 versions of Godlua Backdoor and there are ongoing updates. We also observed that attackers has been using Lua command to run Lua code dynamically and initiate HTTP Flood attacks targeting some websites.

Overview

At present, we see that there are two versions of Godlua. Version 201811051556 is obtained by traversing Godlua download servers and there has been no update on it. Version 20190415103713 ~ 2019062117473 is active and is actively being updated. They are all written in C, but the active one supports more computer platforms and more features. The following is a comparison.

Godlua Backdoor Reverse Analysis

version 201811051556

This is the version we found earlier (201811051556). It focuses on the Linux platform and supports two kinds of C2 instructions, to execute Linux system commands and to run custom files.

Sample information

  • MD5: 870319967dba4bd02c7a7f8be8ece94f

ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.6.32, dynamically linked (uses shared libs), for GNU/Linux 2.6.32, stripped

C2 redundant mechanism

This version perform C2 communications in two ways, hardcoded domain name and Github link.

Its hardcoded C2 domain is: d.heheda.tk

It also has a Github page and the real C2 address is in the project description.

C2 instruction

cmd_call, execute Linux system commands

cmd_shell, execute custom file

C2 protocol analysis

Packet format
Length Type Data
Little endian,2 bytes 1 bytes (Length -3) bytes
Encryption Algorithm

XOR’s Key is randomly generated of 16 bytes of data, the algorithm is as follow:

Packet Overview

cmd_handshake
packet[0:31]:
24 00 02 ec 86 a3 23 fb d0 d1 e9 e8 5f 23 6f 6d
70 b5 95 24 44 e0 fc 2e 00 00 00 6c 69 6e 75 78
2d 78 38 36

Length:	packet[0:1]               --->0x0024
Type:	packet[2]                 --->0x02,handshake
Data:	packet[3:31]
            Data
            Data[0:15]                  ---->xor key
            Data[16:23]                 ---->version,hardcoded,little endian.
            Data[24:31]                 ---->arch,hardcoded.
cmd_heartbeat
packet[0:10]:
0b 00 03 87 19 45 cb 91 d1 d1 a9

Length:		  packet[0:1]                 --->0x000b
Type:		  packet[2]                   --->0x03,heartbeat
Data:		  packet[3:10]                --->xored clock64()

version 20190415103713 ~ 20190621174731

This active version runs on both Windows and Linux.
The control module is implemented in Lua and five C2 commands are supported

Sample information

version 20190415103713
  • MD5: c9b712f6c347edde22836fb43b927633

ELF 64-bit LSB executable, AMD x86-64, version 1 (SYSV), statically linked, stripped

version 20190621174731
  • MD5: 75902cf93397d2e2d1797cd115f8347a

ELF 64-bit LSB executable, AMD x86-64, version 1 (SYSV), statically linked, stripped

C2 redundant mechanism

Stage-1 URL

The backdoor uses 3 different ways to store the Stage-1 URL. hardcoded ciphertext, Github project description, and Pastebin text.
After the Stage-1 URL is retrieved and decrypted, a start.png file will be downloaded, which is actually a Lua bytecode.
The Bot then loads it into memory and executes it to get the Stage-2 URL.

Encryption Algorithm
  • AES,CBC Mode
  • key:13 21 02 00 31 21 94 E2 F2 F1 35 61 93 4C 4D 6A
  • iv:2B 7E 15 16 28 AE D2 01 AB F7 15 02 00 CF 4F 3C
Hard coded ciphertext

version 20190415103713

  • AES ciphertext:03 13 84 29 CC 8B A5 CA AB 05 9E 2F CB AF 5E E6 02 5A 5F 17 74 34 64 EA 5B F1 38 5B 8D B9 A5 3E
  • Stage-1 URL plaintext:https://d.heheda.tk/%s.png

version 20190621174731

  • AES ciphertext:F1 40 DB B4 E1 29 D9 DC 8D 78 45 B9 37 2F 83 47 F1 32 3A 11 01 41 07 CD DB A3 7B 1F 44 A7 DE 6C 2C 81 0E 10 E9 D8 E1 03 38 68 FC 51 81 62 11 DD
  • Stage-1 URL plaintext:https://img0.cloudappconfig.com/%s.png
Github project description
  • AES ciphertext:EC 76 44 29 59 3D F7 EE B3 01 90 A9 9C 47 C8 96 53 DE 86 CB DF 36 68 41 60 5C FA F5 64 60 5A E4 AE 95 C3 F5 A6 04 47 CB 26 47 A2 23 80 C6 5F 92
  • Github URL plaintext:https://api.github.com/repos/helegedada/heihei
  • Decryption Process:
  • Project description ciphertext: oTre1RVbmjqRn2kRrv4SF/l2WfMRn2gEHpqJz77btaDPlO0R9CdQtMM82uAes+Fb
  • Stage-1 URL plaintext:https://img1.cloudappconfig.com/%s.png
Pastebin text
  • AES ciphertext:19 31 21 32 BF E8 29 A8 92 F7 7C 0B DF DC 06 8E 8E 49 F0 50 9A 45 6C 53 77 69 2F 68 48
    DC 7F 28 16 EB 86 B3 50 20 D3 01 9D 23 6C A1 33 62 EC 15
  • Pastebin URL plaintext:https://pastebin.com/raw/vSDzq3Md
  • Decryption Process:
  • Pastebin Ciphertext: G/tbLY0TsMUnC+iO9aYm9yS2eayKlKLQyFPOaNxSCnZpBw4RLGnJOPcZXHaf/aoj
  • Stage-1 URL plaintext:https://img2.cloudappconfig.com/%s.png

Stage-2 URL

Here at stage-2, two mechanisms are being used for storing the Stage-2 URL, Github project file and DNS over HTTPS.
After the Stage-2 URL is retrieved and decrypted, a run.png file, also a Lua bytecode, will be downloaded.
Bot will load this file into memory and run it to get Stage-3 C2.

Encryption Algorithm
  • AES,CBC Mode
  • key:22 85 16 13 57 2d 17 90 2f 00 49 18 5f 17 2b 0a
  • iv:0d 43 36 41 86 41 21 d2 41 4e 62 00 41 19 4a 5c
Github project file
  • Github URL is stored in the Lua byte-code file (start.png) in plaintext. We get the following information by disassembling it:
  • Github project file ciphertext: kI7xf+Q/fXC0UT6hCUNimtcH45gPgG9i+YbNnuDyHyh2HJqzBFQStPvHGCZH8Yoz9w02njr41wdl5VNlPCq18qTZUVco5WrA1EIg3zVOcY8=
  • Stage-2 URL plaintext:{"u":"https:\/\/dd.heheda.tk\/%s.png","c":"dd.heheda.tk::198.204.231.250:"}
DNS TXT
  • DNS TXT is stored in the Lua byte-code file (start.png) in plaintext. We get the following information by disassembling it:
  • DNS over HTTPS Request:
  • DNS TXT ciphertext: 6TmRMwDw5R/sNSEhjCByEw0Vb44nZhEUyUpUR4LcijfIukjdAv+vqqMuYOFAoOpC7Ktyyr6nUOqO9XnDpudVmbGoTeJD6hYrw72YmiOS9dX5M/sPNmsw/eY/XDYYzx5/
  • Stage-2 URL plaintext:{"u":"http:\/\/img1.cloudappconfig.com\/%s.png","c":"img1.cloudappconfig.com::43.224.225.220:"}

Stage-3 C2

Stage-3 C2 is hardcoded in the Lua byte-code file (run.png). We disassembled it to get the following information.

version 20190415103713

version 20190621174731

DNS Over HTTPS Request

C2 instruction
| CMD       | Type |
| --------- | ---- |
| HANDSHAKE | 1    |
| HEARTBEAT | 2    |
| LUA       | 3    |
| SHELL     | 4    |
| UPGRADE   | 5    |
| QUIT      | 6    |
| SHELL2    | 7    |
| PROXY     | 8    |
C2 protocol analysis

Packet format

Type Length Data
1byte Big endian,2 bytes Length bytes
Packet overview
  • HANDSHAKE
Type:	packet[0]		--->0x01,HANDSHAKE
LENGTH:	packet[1:2]		--->0x0010
Data:	packet[3:end]
            data[0:7]			--->Session
            data[8:end]			--->version,0x00125cfecd8bcb->20190621174731

  • HEARTBEAT

    Send:
	Type: 			packet[0]        --->0x02,HEARTBEAT
	Length:			packet[1:2]      --->0x4
	Data:			packet[3:end]    --->time,0x5d13779b,1561556891
Replay:
	Type:			packet[0]        --->0x02,HEARTBEAT
	Length:			packet[1:2]      --->0x4
	Data:			packet[3:end]    --->1561556891

  • LUA Payload

    Type:     packet[0]            --->0x03,LUA
Length:   packet[1:2]          --->0x00ab
Data:     packet[3:end]        --->Lua script

We observe the attacker performing a HTTP Flood attack against www.liuxiaobei.com.

Lua script analysis

The Bot sample downloads many Lua scripts when executing, and the scripts can be broken down to three categories: execute, auxiliary, and attack.

  • execute: start.png,run.png,quit.png,watch.png,upgrade.png,proxy.png
  • auxiliary: packet.png,curl.png,util.png,utils.png
  • attack: VM.png,CC.png
Encryption Algorithm
  • AES,CBC Mode
  • key:13 21 02 00 31 21 94 E2 F2 F1 35 61 93 4C 4D 6A
  • iv:2B 7E 15 16 28 AE D2 01 AB F7 15 02 00 CF 4F 3C
Lua magic number

The decrypted files are all pre-compiled, take upgrade.png as an example, note the highlighted part is the file header.
You can see that the magic number has changed from “Lua” to “God”.

The malware author also seems to set a trap for researcher here by manually changing the LuaVerion number in the sample to 5.1.4 ($LuaVersion: God 5.1.4 C$$LuaAuthors: R. $). We think the real version should be definitely newer than 5.2.

Decompile

In order to decompile the above script, we have to know what changes have been made to Lua. After some analysis, we concluded that the modification can be divided into two major sections: Lua Header and Lua Opcode.

Decompiled by Luadec[1]

Suggestions

We have yet to see the whole picture of how exactly the Godlua backdoor infects the targets, at this point we know at least some linux users were infected via the Confluence exploit(CVE-2019-3396), if our readers have more information, feel free to contact us.

We suggest that at least to monitor and block the relevant IP, URL and domain name of Godlua Backdoor on your network.

Contact us

Readers are always welcomed to reach us on twitter, WeChat 360Netlab or email to netlab at 360 dot cn.

IoC list

Sample MD5

870319967dba4bd02c7a7f8be8ece94f
c9b712f6c347edde22836fb43b927633
75902cf93397d2e2d1797cd115f8347a

URL

https://helegedada.github.io/test/test
https://api.github.com/repos/helegedada/heihei
http://198.204.231.250/linux-x64
http://198.204.231.250/linux-x86
https://dd.heheda.tk/i.jpg
https://dd.heheda.tk/i.sh
https://dd.heheda.tk/x86_64-static-linux-uclibc.jpg
https://dd.heheda.tk/i686-static-linux-uclibc.jpg
https://dd.cloudappconfig.com/i.jpg
https://dd.cloudappconfig.com/i.sh
https://dd.cloudappconfig.com/x86_64-static-linux-uclibc.jpg
https://dd.cloudappconfig.com/arm-static-linux-uclibcgnueabi.jpg
https://dd.cloudappconfig.com/i686-static-linux-uclibc.jpg
http://d.cloudappconfig.com/i686-w64-mingw32/Satan.exe
http://d.cloudappconfig.com/x86_64-static-linux-uclibc/Satan
http://d.cloudappconfig.com/i686-static-linux-uclibc/Satan
http://d.cloudappconfig.com/arm-static-linux-uclibcgnueabi/Satan
https://d.cloudappconfig.com/mipsel-static-linux-uclibc/Satan

C2 Domain

d.heheda.tk
dd.heheda.tk
c.heheda.tk
d.cloudappconfig.com
dd.cloudappconfig.com
c.cloudappconfig.com
f.cloudappconfig.com
t.cloudappconfig.com
v.cloudappconfig.com
img0.cloudappconfig.com
img1.cloudappconfig.com
img2.cloudappconfig.com

IP

198.204.231.250     	United States       	ASN 33387           	DataShack, LC       
104.238.151.101     	Japan               	ASN 20473           	Choopa, LLC         
43.224.225.220      	Hong Kong           	ASN 22769           	DDOSING NETWORK