Readit News
mitchtbaum · 6 years ago
After a quick review of this brief (aqrtb?):

Lua-based binaries are being delivered via a Metasploit module for Atlassian Confluence Server CVE-2019-3396. Other vulnerable servers can also be targeted with this payload, though it's mostly Linux servers now. Active news sources include #godlua.

https://www.atlassian.com/software/confluence

https://www.cvedetails.com/cve/CVE-2019-3396/

https://twitter.com/hashtag/godlua?f=tweets&vertical=default

sky_nox · 6 years ago
It's interesting this malware uses DNS over HTTPS to avoid detection.
ga-vu · 6 years ago
hannob · 6 years ago
It doesn't. At least not in the "DNS over HTTPS - the protocol specified in an RFC" sense: https://twitter.com/bagder/status/1146740062127886338
rolph · 6 years ago
My eye homed in on these excerpts from the article:

--The file itself is a Lua-based Backdoor, we named it Godlua Backdoor as the Lua byte-code file loaded by this sample has a magic number of “God”

--Godlua Backdoor has a redundant communication mechanism for Command and Control [C2] connection, a combination of hardcoded dns name, Pastebin.com, GitHub.com as well as DNS TXT are used to store the C2 address, which is not something we see often. At the same time, it uses HTTPS to download Lua byte-code files, and uses DNS over HTTPS to get the C2 name to ensure secure communication between the bots, the Web Server and the C2.
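The excerpt quoted above describes fetching the C2 name from a DNS TXT record over HTTPS, and hannob's reply points out that this is not "DNS over HTTPS" in the RFC 8484 sense. The following is an added example (not code from the thread, the Netlab write-up, or the malware) that makes the distinction concrete: it builds an RFC 8484 wire-format TXT query and its `?dns=` GET form, parses a wire-format answer, and separately parses the JSON-over-HTTPS answer shape that several public resolvers expose under `?name=...&type=TXT`. The hostname, resolver URL and both responses are constructed for the example; nothing here reflects the actual sample's infrastructure.

```python
import base64
import json
import struct

# Constructed name for the example; the real sample's C2 names are not on the page.
C2_NAME = "c2.example.test"
TYPE_TXT = 16


def build_txt_query(name: str, txid: int = 0) -> bytes:
    """RFC 1035 wire-format query: one TXT/IN question, RD set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", TYPE_TXT, 1)


def doh_get_url(resolver_url: str, query: bytes) -> str:
    """RFC 8484 GET form: base64url(wire query) with '=' padding stripped, in ?dns=.
    The request/response media type is application/dns-message, not JSON."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={b64}"


def _read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; returns (name, offset after the field)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def txt_records_from_wire(msg: bytes):
    """Parse a wire-format response and return the TXT rdata strings in the answer section."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4  # qtype + qclass
    out = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == TYPE_TXT:
            i, chunks = 0, []  # TXT rdata is a run of <len><chars> strings
            while i < len(rdata):
                n = rdata[i]
                chunks.append(rdata[i + 1:i + 1 + n].decode("utf-8"))
                i += 1 + n
            out.append("".join(chunks))
    return out


def build_txt_response(query: bytes, txt: str) -> bytes:
    """Constructed answer to `query`: same id, QR/RD/RA set, one TXT RR with a name pointer."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    rdata = bytes([len(txt)]) + txt.encode("utf-8")
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, 1, 300, len(rdata)) + rdata
    return header + query[12:] + answer


def txt_records_from_json(body: str):
    """Parse the JSON-API style answer (?name=&type=TXT on some public resolvers).
    This is an HTTPS API returning JSON, which is not RFC 8484 DoH."""
    doc = json.loads(body)
    if doc.get("Status") != 0:
        return []
    return [a["data"].strip('"') for a in doc.get("Answer", []) if a.get("type") == TYPE_TXT]


# Constructed JSON response in the shape those APIs return for a TXT lookup.
SAMPLE_JSON = json.dumps({
    "Status": 0, "TC": False, "RD": True, "RA": True, "AD": False, "CD": False,
    "Question": [{"name": C2_NAME + ".", "type": TYPE_TXT}],
    "Answer": [{"name": C2_NAME + ".", "type": TYPE_TXT, "TTL": 300, "data": f'"{C2_NAME}"'}],
})

if __name__ == "__main__":
    q = build_txt_query(C2_NAME, txid=0x1234)
    print("RFC 8484 GET:", doh_get_url("https://resolver.example/dns-query", q))
    print("wire answer :", txt_records_from_wire(build_txt_response(q, C2_NAME)))
    print("JSON answer :", txt_records_from_json(SAMPLE_JSON))
```

The practical difference for detection is that the RFC 8484 form is an opaque base64url blob (or POST body) under `application/dns-message`, while the JSON API form carries the queried name in the URL's `name=` parameter and returns plain JSON, so the two look different in TLS-terminating proxies and resolver logs.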