Godlua Backdoor Abuses CVE-2019-3396 To Attack PC Users
Organized cyber attacks have become a serious threat to computer security and to online business. Godlua Backdoor is a recent one: a new backdoor malware, spotted by security researchers at the start of July 2019, that can attack both Linux and Windows systems. Beyond Linux and Windows, the malware can also compromise IoT (Internet of Things) devices, which indicates that its creators are trying to reach as many machines as possible. Security researchers at first took the threat for a cryptocurrency-mining trojan, but later found that the malware is used to carry out DDoS attacks.
More Detail About Godlua Backdoor And Its Attack
As reported by the Qihoo 360 researchers who discovered this threat, there are two active versions of this backdoor malware. The first version of Godlua (version 201811051556) was built to target only Linux devices. The second version (version 20190415103713 ~ 2019062117473) supports more CPU architectures and can infect Windows systems as well. The researchers also found that the first version is no longer being updated by the cyber criminals, which indicates that they are now focusing on the second version because it offers more features and multi-platform support.
The Linux-only version could receive just two commands: run a custom file and execute a Linux command. Detailed information about both the Linux and Windows versions of the Godlua backdoor follows:
Godlua Use CVE-2019-3396 To Target Linux System
According to reports, Godlua uses the CVE-2019-3396 exploit (also known as the Confluence exploit) to attack Linux systems. CVE-2019-3396 is a vulnerability in the Widget Connector macro of Atlassian Confluence Server; it allows a remote attacker to achieve path traversal and remote code execution on Confluence Server or Data Center via server-side template injection. The primary purpose of the malware is to perform DDoS attacks, and an active campaign has been observed against a Chinese website, liuxiaobei[.]com.
Furthermore, the backdoor uses HTTPS and also resolves its C2 name through DNS over HTTPS (DoH). According to the security researchers, it does this to secure the communication between the bots, the C2 and the web servers; a side effect is that the C2 lookup never appears in conventional DNS logs, because the query travels inside an ordinary-looking HTTPS session.
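Because a DoH lookup bypasses DNS-based monitoring, one place defenders can still see it is the web proxy or TLS log, where a server that has no business resolving names over HTTPS suddenly talks to a public DoH resolver. The script below is an added example (not code from the article or from the Qihoo 360 report): it scans constructed proxy log lines for requests to an assumed watchlist of public DoH resolvers and reports every source host that is not on an allowlist of machines expected to use DoH.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (not taken from the page or from any report):
# "<timestamp> <source_host> <method> <url> <status>"
SAMPLE_LOG = """\
2019-07-01T10:00:01Z web-01 POST https://cloudflare-dns.com/dns-query 200
2019-07-01T10:00:02Z web-01 GET https://example.org/index.html 200
2019-07-01T10:00:03Z web-01 POST https://cloudflare-dns.com/dns-query 200
2019-07-01T10:00:09Z web-01 POST https://dns.google/dns-query 200
2019-07-01T10:01:00Z laptop-07 GET https://dns.google/resolve?name=example.com&type=A 200
2019-07-01T10:01:30Z web-02 GET https://wiki.example/confluence 200
"""

# Assumed watchlist of public DoH resolver hostnames; extend it with the ones you track.
DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net", "1.1.1.1"}
# Assumed allowlist: hosts (e.g. user laptops with DoH-enabled browsers) that may use DoH.
DOH_ALLOWED_SOURCES = {"laptop-07"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) https?://([^/\s]+)(/\S*)? (\d{3})$")

def parse_line(line):
    """Split one log line into its fields; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, method, host, path, status = m.groups()
    return {"ts": ts, "src": src, "method": method,
            "host": host.lower(), "path": path or "/", "status": status}

def is_doh_request(rec):
    """True when the request targets a watchlisted resolver on a DoH query path."""
    on_doh_path = rec["path"].startswith("/dns-query") or rec["path"].startswith("/resolve")
    return rec["host"] in DOH_HOSTS and on_doh_path

def find_doh_clients(log_text):
    """Return {source_host: doh_request_count} for sources not on the allowlist."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_doh_request(rec) and rec["src"] not in DOH_ALLOWED_SOURCES:
            counts[rec["src"]] += 1
    return dict(counts)

if __name__ == "__main__":
    for src, n in find_doh_clients(SAMPLE_LOG).items():
        print(f"ALERT: {src} sent {n} DoH request(s); name resolution is bypassing DNS logging")
```

On the sample data only web-01 is reported, since laptop-07 is allowlisted and web-02 never contacts a resolver; in production, feed the function your proxy or TLS SNI export and treat hits from servers as leads worth a closer look at process and connection history.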
Distribution Method Used By Godlua Attackers
The cyber criminals behind Godlua use several deceptive methods to distribute the threat. One is a malicious email campaign: the targeted user receives a well-crafted email that looks legitimate and carries an attachment, but the attachment is nothing more than the malware's payload file, and opening it installs the malware without the user's knowledge.
In addition to spam email campaigns, the malware can also be distributed through malicious online advertisements, social engineering tricks, software cracks, malicious websites, fake software updates and more. So if you want to keep your system protected against this backdoor malware, you need to practice basic safety measures.