Chinese APT Gelsemium Targets Linux Systems with New WolfsBane Backdoor
Summary:
ESET researchers have identified multiple samples of a new Linux-based malware backdoor named WolfsBane, attributed to the Gelsemium group with high confidence by ESET. This malware acts as a Linux counterpart to the previously identified Gelsevirine, showing the group’s growing interest in cross-platform capabilities. ESET attributes an uptrend in the use of Linux malware to improvements made in Windows email and endpoint security, such as the widespread use of endpoint detection and response (EDR) tools and Microsoft’s decision to disable Visual Basic for Applications (VBA) macros by default. WolfsBane demonstrates advanced persistence mechanisms and command-and-control (C2) infrastructure, highlighting its potential for targeted espionage against high-value victims. This is the first known occurrence of Linux malware being deployed by Gelsemium. Its dropper malware is the Linux equivalent to the Gelsemine dropper as well. There is no definitive evidence to determine the initial access vector, but ESET infers based on Gelsemium’s previous TTPs that the threat actors exploited an unknown vulnerability in a web application for server access.
Another Linux backdoor discovered in ESET’s analysis is FireWood. There is no definitive evidence linking FireWood to Gelsemium based on their usual toolset. However, FireWood is connected to another backdoor ESET calls Project Wood, and the Windows version of the Project Wood backdoor was previously used by the Gelsemium group in Operation TooHash. Project Wood activity can be traced back to 2005, increasing in sophistication over time. ESET assesses that the goal of the backdoors and tools discovered is cyberespionage targeting sensitive data such as system information, user credentials, and specific files and directories while maintaining persistent access to the system for prolonged cyberespionage. After analyzing the WolfsBane attack chain, ESET discovered a modified open-source userland rootkit, a type of software that exists in the user space of an operating system and hides its activities. The threat actors used webshells to perform operations on compromised servers remotely.
Security Officer Comments:
The discovery of WolfsBane marks a significant development in Gelsemium's operational capabilities. Its design focuses on stealth and modularity, allowing for tailored attacks. The group’s emphasis on multi-platform targeting underscores the need for heightened vigilance among organizations, especially those in critical sectors. As software company continue to enhance their security, adversaries will continue to shift tactics accordingly. WolfsBane's integration with C2 servers mirrors the techniques of sophisticated threat actors, reinforcing Gelsemium's position as a persistent and adaptive adversary. The increasing adoption of EDR solutions across critical sectors, along with Microsoft’s security restrictions are pressuring adversaries to seek other potential avenues of attack. Organizations should be circumspect regarding internet-facing infrastructure to reduce the risk of similar attacks.
Suggested Corrections:
IOCs are available here.
MITRE ATT&CK Techniques here.
Organizations can make APT groups’ lives more difficult. Here’s how:
https://thehackernews.com/2024/11/chinese-apt-gelsemium-targets-linux.html
https://www.welivesecurity.com/en/e...-gelsemiums-linux-counterpart-to-gelsevirine/
https://web-assets.esetstatic.com/wls/2021/06/eset_gelsemium.pdf
ESET researchers have identified multiple samples of a new Linux-based malware backdoor named WolfsBane, attributed to the Gelsemium group with high confidence by ESET. This malware acts as a Linux counterpart to the previously identified Gelsevirine, showing the group’s growing interest in cross-platform capabilities. ESET attributes an uptrend in the use of Linux malware to improvements made in Windows email and endpoint security, such as the widespread use of endpoint detection and response (EDR) tools and Microsoft’s decision to disable Visual Basic for Applications (VBA) macros by default. WolfsBane demonstrates advanced persistence mechanisms and command-and-control (C2) infrastructure, highlighting its potential for targeted espionage against high-value victims. This is the first known occurrence of Linux malware being deployed by Gelsemium. Its dropper malware is the Linux equivalent to the Gelsemine dropper as well. There is no definitive evidence to determine the initial access vector, but ESET infers based on Gelsemium’s previous TTPs that the threat actors exploited an unknown vulnerability in a web application for server access.
Another Linux backdoor discovered in ESET’s analysis is FireWood. There is no definitive evidence linking FireWood to Gelsemium based on their usual toolset. However, FireWood is connected to another backdoor ESET calls Project Wood, and the Windows version of the Project Wood backdoor was previously used by the Gelsemium group in Operation TooHash. Project Wood activity can be traced back to 2005, increasing in sophistication over time. ESET assesses that the goal of the backdoors and tools discovered is cyberespionage targeting sensitive data such as system information, user credentials, and specific files and directories while maintaining persistent access to the system for prolonged cyberespionage. After analyzing the WolfsBane attack chain, ESET discovered a modified open-source userland rootkit, a type of software that exists in the user space of an operating system and hides its activities. The threat actors used webshells to perform operations on compromised servers remotely.
Security Officer Comments:
The discovery of WolfsBane marks a significant development in Gelsemium's operational capabilities. Its design focuses on stealth and modularity, allowing for tailored attacks. The group’s emphasis on multi-platform targeting underscores the need for heightened vigilance among organizations, especially those in critical sectors. As software company continue to enhance their security, adversaries will continue to shift tactics accordingly. WolfsBane's integration with C2 servers mirrors the techniques of sophisticated threat actors, reinforcing Gelsemium's position as a persistent and adaptive adversary. The increasing adoption of EDR solutions across critical sectors, along with Microsoft’s security restrictions are pressuring adversaries to seek other potential avenues of attack. Organizations should be circumspect regarding internet-facing infrastructure to reduce the risk of similar attacks.
Suggested Corrections:
IOCs are available here.
MITRE ATT&CK Techniques here.
Organizations can make APT groups’ lives more difficult. Here’s how:
- Defense-in-depth strategy: A comprehensive defense-in-depth strategy is crucial to combat APTs. This includes implementing multiple layers of security controls, such as strong perimeter defenses, network segmentation, endpoint protection, intrusion detection systems, data encryption, access controls, and continuous monitoring for anomalies.
- Threat intelligence and sharing: Ideally, organizations should actively participate in threat intelligence sharing communities and collaborate with industry peers, government agencies, and security vendors. Sharing information about APTs and their techniques can help detect and mitigate attacks more effectively.
- Employee education and awareness: Regular security awareness programs, phishing simulations, and training sessions can educate employees about the latest threats, social engineering techniques, and safe computing practices.
- Incident response and recovery: Despite preventive measures, organizations should have a well-defined incident response plan. This includes incident detection, containment, eradication, and recovery procedures to minimize the impact of APT attacks and restore normal operations.
https://thehackernews.com/2024/11/chinese-apt-gelsemium-targets-linux.html
https://www.welivesecurity.com/en/e...-gelsemiums-linux-counterpart-to-gelsevirine/
https://web-assets.esetstatic.com/wls/2021/06/eset_gelsemium.pdf