Godlua

Description

(Qihoo 360) The file itself is a Lua-based Backdoor, we named it Godlua Backdoor as the Lua byte-code file loaded by this sample has a magic number of “God”.

Godlua Backdoor has a redundant communication mechanism for C2 connection, a combination of hardcoded dns name, Pastebin.com, GitHub.com as well as DNS TXT are used to store the C2 address, which is not something we see often. At the same time, it uses HTTPS to download Lua byte-code files, and uses DNS over HTTPS to get the C2 name to ensure secure communication between the bots, the Web Server and the C2.

We noticed that there are already 2 versions of Godlua Backdoor and there are ongoing updates. We also observed that attackers has been using Lua command to run Lua code dynamically and initiate HTTP Flood attacks targeting some websites.

Names

Name
Godlua

Type

Backdoor
Downloader

Information

https://blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/

Malpedia

https://malpedia.caad.fkie.fraunhofer.de/details/elf.godlua

Other Information

Uuid

95f71f8b-d0c6-4876-918e-980b74c1f3b8

Last Card Change

2021-04-24

Threat Intelligence Garden

Explorer

Godlua

Godlua

Description

Names

Category

Type

Information

Malpedia

Other Information

Uuid

Last Card Change

Graph View

Table of Contents

Backlinks