The Chinese threat group known as ChamelGang has developed a new Linux implant called ChamelDoH, which enables DNS-over-HTTPS (DoH) communications with their servers.
Previously focused on Windows, ChamelGang’s expansion into Linux increases their intrusion capabilities and presents new indicators of compromise. The link between ChamelGang and this Linux malware is established through a previously associated domain and a custom privilege elevation tool observed in past campaigns. ChamelDoH encrypts its communications using AES128 and modified base64 encoding, concealing commands and exfiltrated data.
DNS-over-HTTPS is a protocol that encrypts DNS queries, but it also poses a challenge for security software as malware can exploit it for covert communication. ChamelDoH leverages this encryption to establish secure communication between infected devices and the command and control server, making malicious queries indistinguishable from regular HTTPS traffic.
The malware utilizes legitimate DoH servers, including those from Google and Cloudflare, making it difficult to block them without impacting legitimate traffic. ChamelDoH employs a JSON configuration, using two keys to obtain command and control hostnames and a list of DoH cloud providers for malicious queries.
To obfuscate its activities, ChamelDoH employs encrypted communications appended as hostnames to listed command and control servers, issuing TXT requests for domains containing encoded communications. This technique reduces the likelihood of detection and allows the malware to receive commands and exfiltrate data from infected devices.
ChamelDoH collects basic host information upon execution and supports various remote commands, including file execution, downloads, uploads, deletion, and manipulation. As of now, the malware has not been flagged as malicious by antivirus engines.
