
Godlua

Posted: July 3, 2019

Godlua is a backdoor Trojan that gives remote attackers control over an infected computer and hijacks its resources for attacks on other targets. Its current payloads focus on cryptocurrency mining and DDoS attacks, although its modular design means new functions can be added over time. Users can reduce the infection risk by patching server and productivity software (the one confirmed entry point is an unpatched Atlassian Confluence Server) and should use reputable anti-malware tools to remove Godlua.

Commanding and Controlling through Public Text Storage

The anti-malware industry's eyes are on a newly-identified Trojan that is flexible in both its payload and the operating systems it runs on. Godlua, circulating with the help of an unknown threat actor, is another modular Trojan, although its 'modules' are downloaded Lua scripts delivered in files that carry a PNG header. Researchers confirm it is a danger to both Linux and, as of its latest version, Windows computers.

Godlua (whose name comes from both its programming language and a 'magic number' string in the headers of its PNG-disguised files) gives its threat actor access to the infected machine through a slightly unconventional C&C setup. It can use either a built-in, hard-coded address or one that it retrieves from free hosting services such as GitHub and Pastebin, so blocking a single hard-coded server does not cut it off. Through this Command & Control channel, the attacker can execute arbitrary system commands or run custom files on the victim.
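One check a defender can run on files that claim to be PNG, written here as an added example and not code from the Godlua write-up or from the malware's authors: parse the PNG chunk structure instead of trusting the eight-byte signature. A real image has an IHDR chunk first, a valid CRC on every chunk and nothing after IEND; a script with a PNG header bolted on fails one or more of those tests. The four sample blobs are constructed inline, and whether Godlua's own files fail this particular check is an assumption, the technique is the general one.

```python
"""Flag files that start with a PNG signature but are not structurally valid PNGs.

Added example for the Godlua write-up (not the malware's or the researchers' code).
The samples below are constructed here; treating Godlua's PNG-headed module files
as failing this check is an assumption, the method itself is format validation.
"""
import struct
import zlib
from typing import Dict, List

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_anomalies(data: bytes) -> List[str]:
    """Return the reasons a blob is not a well-formed PNG (empty list = looks fine)."""
    if not data.startswith(PNG_SIGNATURE):
        return ["no PNG signature"]
    reasons: List[str] = []
    pos = len(PNG_SIGNATURE)
    chunks = 0
    seen_iend = False
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if not ctype.isalpha():  # PNG chunk names are four ASCII letters
            reasons.append(f"chunk type {ctype!r} at offset {pos} is not a PNG chunk name")
            break
        if chunks == 0 and ctype != b"IHDR":
            reasons.append(f"first chunk is {ctype.decode()}, not IHDR")
        chunks += 1
        body = data[pos + 8:pos + 8 + length]
        crc_bytes = data[pos + 8 + length:pos + 12 + length]
        if len(body) < length or len(crc_bytes) < 4:
            reasons.append(f"chunk {ctype.decode()} at offset {pos} is truncated")
            break
        (stored_crc,) = struct.unpack(">I", crc_bytes)
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != stored_crc:
            reasons.append(f"bad CRC on chunk {ctype.decode()} at offset {pos}")
        pos += 12 + length
        if ctype == b"IEND":
            seen_iend = True
            break
    if chunks == 0 and not reasons:
        reasons.append("no chunks after signature")
    if not seen_iend:
        reasons.append("no IEND chunk")
    elif pos < len(data):
        reasons.append(f"{len(data) - pos} trailing bytes after IEND")
    return reasons


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Build one PNG chunk: length, type, body, CRC over type+body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_minimal_png() -> bytes:
    """A genuine 1x1 8-bit grayscale PNG, constructed as the clean sample."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def build_samples() -> Dict[str, bytes]:
    """Constructed inputs: one real PNG and three ways of hiding data behind a PNG header."""
    clean = make_minimal_png()
    corrupted = bytearray(clean)
    corrupted[29] ^= 0xFF  # first byte of the IHDR CRC (8 sig + 4 len + 4 type + 13 body)
    return {
        "clean": clean,
        # stand-in for a script placed directly after the signature (constructed, not a Godlua artifact)
        "script_behind_header": PNG_SIGNATURE + b"-- constructed stand-in for a Lua module\nprint('hi')\n",
        "script_after_iend": clean + b"print('x')",
        "corrupted_crc": bytes(corrupted),
    }


def scan_samples() -> Dict[str, List[str]]:
    """Run the check over every constructed sample."""
    return {name: png_anomalies(blob) for name, blob in build_samples().items()}


if __name__ == "__main__":
    for name, reasons in scan_samples().items():
        print(f"{name}: {'ok' if not reasons else '; '.join(reasons)}")
```

Run against a directory of recently written files, anything that starts with the PNG signature but returns a non-empty list is worth pulling for a closer look; only the clean sample passes.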

The Trojan is receiving ongoing updates that may change what an infection means for victims. With its current releases, the issues victims are most likely to encounter are cryptocurrency mining and HTTP-flood Distributed Denial-of-Service attacks. The former uses the victim's CPU or GPU to generate Monero, Bitcoin, or other cryptocurrencies for the threat actor. The latter aims the infected host at external Web servers, overwhelming them with junk requests until legitimate users are locked out.

The Confluence of Events Leading to a Tap from this 'God'

Godlua's campaign may be using more than one infection vector, but for now, malware researchers can find a clear connection only to one particular vulnerability: CVE-2019-3396. It affects outdated versions of Atlassian Confluence Server (a server-side template injection in the Widget Connector macro) and lets a remote attacker achieve path traversal and remote code execution. Consequently, Confluence administrators should confirm they are running a release that includes Atlassian's fix, which closes the vulnerability.

The targeting of a workplace collaboration product implies that Godlua is compromising enterprise and business victims rather than home users. However, its DDoS and mining routines are hazards for any infected system. Left running for long periods, they degrade performance and, in the worst case, shorten the life of hardware through sustained heat and load.

Malware experts further recommend network filters that block the known parts of Godlua's C&C infrastructure, including the publicized IP addresses and domains. Because the Trojan can also fetch fresh C&C addresses from Pastebin and GitHub, such blocks should be treated as a partial measure, and outbound connections to those services from servers that have no business reaching them deserve scrutiny. Anti-malware tools should delete Godlua from already-infected systems, as with most backdoor Trojans.

Godlua has the capacity to do much more than its present-day attacks. Its administrators could be satisfied with the status quo, but the public should expect updates to this Trojan deity's scripture.
