Threat Management

Novel implant leveraged in Chinese hacking group’s Linux attacks

BleepingComputer reports that Linux systems have been targeted by Chinese threat operation ChamelGang with the new ChamelDoH implant that facilitates server communications using the new DNS-over-HTTPS protocol. Utilization of DNS-over-HTTPS has enabled ChamelDoH to achieve encrypted communications between compromised devices and command-and-control servers, helping conceal malicious activity, according to a Stairwell report. Further examination of the implant revealed the presence of two keys in its JSON configuration that are used for the retrieval of C2 hostnames and a DoH cloud provider list for DoH queries. The findings also showed that aside from having the capability to collect basic host data, including names, IP addresses, system versions, and CPU architectures, ChamelDoH also allows remote file or shell command execution, URL-based file downloads, and file uploads and downloads. Operators of the ChamelDoH could also set the duration until the succeeding check-in, delete files, copy such files to another location, and replace working directories.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.