Researchers at the Network Security Research Lab of Qihoo 360 discovered a Lua-based backdoor, dubbed Godlua, that targets both Linux and Windows systems.
What sets this new piece of malware apart is its ability to communicate with C2 servers via DNS over HTTPS (DoH).
The DoH protocol was proposed as a new standard in October 2018 and is currently supported by several publicly available DNS servers. Some web browsers, including Google Chrome and Mozilla Firefox, also support DoH.
Godlua is a DDoS bot that has already been involved in attacks in the wild, such as the one that hit the liuxiaobei[.]com domain.