Chinese APT Gelsemium Targets Linux Systems with New WolfsBane Backdoor
The China-aligned advanced persistent threat (APT) actor known as Gelsemium has been observed using a new Linux backdoor dubbed WolfsBane as part of cyber attacks likely targeting East and Southeast Asia.
That's according to findings from cybersecurity company ESET based on multiple Linux samples uploaded to the VirusTotal platform from Taiwan, the Philippines, and Singapore in March 2023.
WolfsBane has been assessed to be a Linux version of the threat actor's Gelsevirine backdoor, a Windows malware put to use as far back as 2014. Also discovered by the company is another previously undocumented implant named FireWood that is connected to a different malware toolset known as Project Wood.
FireWood has been attributed to Gelsemium with low confidence, given the possibility that it could be shared by multiple China-linked hacking crews.
"The goal of the backdoors and tools discovered is cyber espionage targeting sensitive data such as system information, user credentials, and specific files and directories," ESET researcher Viktor Šperka said in a report shared with The Hacker News.
"These tools are designed to maintain persistent access and execute commands stealthily, enabling prolonged intelligence gathering while evading detection."
The exact initial access pathway used by the threat actors is not known, although it's suspected that the threat actors exploited an unknown web application vulnerability to drop web shells for persistent remote access, using it to deliver the WolfsBane backdoor by means of a dropper.
Besides using the modified open-source BEURK userland rootkit to conceal its activities on the Linux host, it's capable of executing commands received from an attacker-controlled server. In a similar vein, FireWood employs a kernel driver rootkit module named usbdev.ko to hide processes, and run various commands issued by the server.
The use of WolfsBane and FireWood is the first documented use of Linux malware by Gelsemium, signaling an expansion of the targeting focus.
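As an added example (not code from the article, from ESET, or from the malware), the cross-view check defenders commonly use against process-hiding userland rootkits of the BEURK family: such rootkits are loaded into every process through /etc/ld.so.preload and hook libc calls like readdir(), so `ls /proc` and `ps` stop showing a PID while the kernel still knows it exists. Probing every PID individually with kill(pid, 0) gives a second view; anything present there but missing from the directory listing is a candidate hidden process. The function names and all sample data are my own constructions.

```python
"""Cross-view hidden-process and ld.so.preload check (constructed example).

A userland rootkit hooks libc, so the directory listing of /proc is one
view of the process table. kill(pid, 0) asks the kernel about one PID at
a time and is a second view. PIDs in the second view but not the first
are candidates for review. Note the limits: a kernel-level rootkit (such
as a process-hiding kernel module) lies to both views, and a userland
rootkit can in principle hook kill() as well, so a statically linked
tool or a kernel-side comparison is stronger evidence than this script.
"""
import os
from typing import Callable, Iterable, List, Set


def pids_from_proc_listing(entries: Iterable[str]) -> Set[int]:
    """PIDs as a (possibly hooked) directory listing of /proc reports them."""
    return {int(name) for name in entries if name.isdigit()}


def pids_by_probing(max_pid: int, exists: Callable[[int], bool]) -> Set[int]:
    """Second view: ask the kernel about every PID one at a time."""
    return {pid for pid in range(1, max_pid + 1) if exists(pid)}


def hidden_pids(listed: Set[int], probed: Set[int]) -> List[int]:
    """PIDs the probe confirms but the listing omits."""
    return sorted(probed - listed)


def preload_entries(ld_so_preload_text: str) -> List[str]:
    """Libraries forced into every process via /etc/ld.so.preload.

    The file is normally absent on a stock system; any entry deserves review.
    """
    return [line.strip() for line in ld_so_preload_text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


# --- constructed sample data (not real indicators) -------------------------
SAMPLE_PROC_LISTING = ["1", "2", "1337", "self", "thread-self", "cpuinfo"]
SAMPLE_KERNEL_PIDS = {1, 2, 1337, 4242}          # 4242 is absent from the listing
SAMPLE_LD_SO_PRELOAD = "# constructed sample file\n/lib/libhook-example.so\n"


def fake_probe(pid: int) -> bool:
    """Stands in for kill(pid, 0) against the constructed process table."""
    return pid in SAMPLE_KERNEL_PIDS


def scan_sample() -> List[int]:
    listed = pids_from_proc_listing(SAMPLE_PROC_LISTING)
    probed = pids_by_probing(5000, fake_probe)
    return hidden_pids(listed, probed)            # -> [4242]


# --- live-host helpers (Linux only) ----------------------------------------
def kernel_pid_exists(pid: int) -> bool:
    """kill(pid, 0) delivers no signal; it only reports whether the PID exists."""
    try:
        os.kill(pid, 0)
        return True
    except ProcessLookupError:
        return False
    except PermissionError:
        return True                                # exists, owned by another user


def is_thread_group_leader(pid: int) -> bool:
    """Drop bare thread IDs: kill() accepts them but /proc never lists them."""
    try:
        with open(f"/proc/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) == pid
    except OSError:
        return True                                # unreadable: keep as candidate
    return True


def scan_live_host() -> List[int]:
    with open("/proc/sys/kernel/pid_max") as fh:
        max_pid = int(fh.read())
    listed = pids_from_proc_listing(os.listdir("/proc"))
    probed = {p for p in pids_by_probing(max_pid, kernel_pid_exists)
              if is_thread_group_leader(p)}
    return hidden_pids(listed, probed)


if __name__ == "__main__":
    print("sample hidden PIDs:", scan_sample())
    print("sample ld.so.preload entries:", preload_entries(SAMPLE_LD_SO_PRELOAD))
    if os.path.exists("/etc/ld.so.preload"):
        with open("/etc/ld.so.preload") as fh:
            print("live ld.so.preload entries:", preload_entries(fh.read()))
    print("live hidden PIDs (rerun to rule out processes that exited mid-scan):",
          scan_live_host())
```

Processes that exit between the two views produce transient hits, so a PID flagged on one run should be confirmed on a second; a stable hit, or any entry at all in /etc/ld.so.preload, is what warrants investigation. The same two-view idea carries over to kernel modules (the output of lsmod against the directories under /sys/module), which is the layer a kernel-driver rootkit like the one described for FireWood operates at.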
"The trend of malware shifting towards Linux systems seems to be on the rise in the APT ecosystem," Šperka said. "From our perspective, this development can be attributed to several advancements in email and endpoint security."
"The ever-increasing adoption of EDR solutions, along with Microsoft's default strategy of disabling VBA macros, are leading to a scenario where adversaries are being forced to look for other potential avenues of attack."