ChamelGang, a sophisticated threat actor believed to be based in China, has been using a range of tools for its intrusions, as security researchers at Stairwell Threat Research identified in a recent investigation.
In the course of that work, the Stairwell Threat Research team also found new tools for Linux intrusions developed by the group.
ChamelDoH is a clear example: it is an implant, written mainly in C++, that communicates through DNS-over-HTTPS (DoH) tunneling.
Chinese Hackers’ Targets
ChamelGang has previously targeted energy, aviation, and government organizations in the following countries:-
Russia
The United States
Japan
Turkey
Taiwan
Vietnam
India
Afghanistan
Lithuania
Nepal
DNS-over-HTTPS for Linux Malware
Positive Technologies established the association between ChamelGang and the recently discovered Linux malware by identifying a domain and a tool previously encountered in ChamelGang campaigns.
The sample (34c19cedffe0ee86515331f93b130ede89f1773c3d3a2d0e9c7f7db8f6d9a0a7) is a large C++ binary designed primarily for remote access to the system.
The sample uses DoH tunneling to establish a communication channel with its configured command-and-control (C2) infrastructure.
To encode its communication, the sample uses a modified base64 alphabet, turning the encoded data into subdomains that are directed to a nameserver under the attacker’s control.
When the implant is executed, it immediately makes several system calls to collect reconnaissance data and compiles it into a JSON object.
The details ChamelDoH gathers at execution are:-
host_name: System hostname
ip: Any IP address for an interface that is not 127.0.0.1
system_type: sysname parsed from the system’s utsname struct, i.e. Linux
system_version: version parsed from the system’s utsname struct, i.e. #43-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 18 18:21:28 UTC 2023
whoami: The user context that ChamelDoH is running under
process_pid: The process ID of the ChamelDoH process
bits: The bitness of the system, i.e. x86_64
pwd: The working directory of the ChamelDoH process
id: A pseudo-randomly generated integer generated by ChamelDoH that is used as an implant ID
ChamelDoH distinguishes itself through its original approach to command-and-control (C2).
Two keys in the JSON object define the implant’s C2 configuration.
Here the sample contains the following configuration:-
Using this configuration, the implant communicates with the malicious nameservers through DoH requests.
It encodes its C2 communications as subdomains and issues TXT requests for those encoded subdomains within the domain it generates.
Blocking these DoH providers across an entire enterprise is difficult because they are widely used as DNS servers for legitimate traffic.
Because the traffic is HTTPS, inspecting these requests without intercepting the traffic is challenging, so defenders cannot easily see which domains are being requested via DoH.
This makes it hard to detect or block abnormal network traffic such as the encoded communications used by ChamelDoH.
The effect of this strategy resembles C2 communication through domain fronting, where traffic is initially directed to a legitimate service hosted on a content delivery network (CDN) but is then routed to a C2 server based on the request’s Host header.
This makes detection and prevention of the technique challenging.
To maintain confidentiality, ChamelDoH encrypts its communication with AES128. The encrypted data is then base64-encoded so that it can be inserted as a subdomain.
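The encoding scheme described above (ciphertext, base64-style alphabet, leftmost subdomain labels, TXT lookups) leaves a shape in DNS query logs even when the DoH transport itself cannot be inspected. The following is an added example of that defensive check, not code from Stairwell or from the malware: it assumes query names are available from a DoH-terminating proxy or a logging resolver in a constructed one-line-per-query format, and the thresholds, domain names and log lines are all assumptions for illustration.

```python
import math
import re
from collections import defaultdict

# Constructed sample log lines (not real telemetry). Each line is: timestamp,
# client IP, query type, query name, as a DoH-terminating proxy or a resolver
# with query logging might record them. All domain names are placeholders.
SAMPLE_LOG = """\
2023-06-14T10:01:02Z 10.0.0.5 TXT Q2FzZXxob3N0bmFtZXxpZDEyMzQ1Njc4OTA.rk7h2ma1k3x9s.c2-example.invalid
2023-06-14T10:01:03Z 10.0.0.7 A www.example.com
2023-06-14T10:01:04Z 10.0.0.5 TXT aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3Q.zz91hr3k2m7q.c2-example.invalid
2023-06-14T10:01:05Z 10.0.0.9 TXT _dmarc.example.org
2023-06-14T10:01:06Z 10.0.0.5 TXT eWV0IGFub3RoZXIgYmxvYiBvZiBjaXBoZXJ0ZXh0.a1b2c3d4e5f6g7.c2-example.invalid
2023-06-14T10:01:07Z 10.0.0.7 AAAA mail.example.com
"""

# Labels drawn from a base64-style alphabet (URL-safe characters included, since
# the implant is reported to use a modified alphabet). Ordinary hostnames rarely
# mix case and digits this densely or at this length.
ENCODED_LABEL_RE = re.compile(r"^[A-Za-z0-9_-]+$")
MIN_ENCODED_LEN = 24     # assumed threshold; tune against your own DNS baseline
MIN_ENTROPY = 3.5        # assumed threshold, bits per character
MIN_QUERIES = 2          # assumed: repeated encoded TXT lookups to one domain


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for a single repeated character)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def is_encoded_label(label: str) -> bool:
    """True if a DNS label looks like encoded data rather than a hostname."""
    return (len(label) >= MIN_ENCODED_LEN
            and ENCODED_LABEL_RE.match(label) is not None
            and shannon_entropy(label) >= MIN_ENTROPY)


def registered_domain(name: str) -> str:
    """Last two labels of a name. Simplification: a production detector would
    consult the public suffix list so that names under e.g. co.uk are handled."""
    return ".".join(name.rstrip(".").split(".")[-2:])


def detect_doh_tunnel_candidates(log_text: str) -> list:
    """Return (client, domain, count) for clients issuing repeated TXT queries
    whose leftmost label looks like an encoded payload, each label unique,
    which is the pattern a DNS tunnel produces and a real hostname does not."""
    seen = defaultdict(set)  # (client, domain) -> set of encoded leading labels
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed line: skip rather than crash the detector
        _ts, client, qtype, qname = parts
        if qtype != "TXT":
            continue
        leading = qname.split(".")[0]
        if is_encoded_label(leading):
            seen[(client, registered_domain(qname))].add(leading)
    hits = []
    for (client, domain), labels in sorted(seen.items()):
        if len(labels) >= MIN_QUERIES:
            hits.append((client, domain, len(labels)))
    return hits


if __name__ == "__main__":
    for client, domain, count in detect_doh_tunnel_candidates(SAMPLE_LOG):
        print(f"{client} -> {domain}: {count} encoded TXT queries")
```

The check deliberately ignores A/AAAA lookups and short service labels such as `_dmarc`, which are legitimate TXT traffic, and keys on the combination of record type, label shape and repetition rather than on any one signal. It only works where query names are visible, which is the point the article makes: if DoH terminates at a public provider rather than at an enterprise-controlled resolver or proxy, this log does not exist, and the remaining options are blocking or forcing DoH to an inspectable endpoint.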
Capabilities
The implant supports several types of tasks, listed below with their commands:-
run: Execute a file/shell command
sleep: Set number of seconds until next check-in
wget: Download a file from a URL
upload: Read and upload a file
download: Download and write a file
rm: Delete a file
cp: Copy a file to a new location
cd: Change the working directory
The Stairwell Threat Research team is continuing to analyze ChamelDoH and other previously unidentified tools used by ChamelGang.