Summary:
ESET researchers have uncovered two Linux backdoors, WolfsBane and FireWood, attributed to the Gelsemium APT group, marking a significant shift in their malware strategy. WolfsBane is a Linux counterpart to the Windows Gelsevirine, while FireWood’s connection remains uncertain. These tools are primarily aimed at cyberespionage, targeting sensitive data and maintaining persistent access. The trend of APT groups targeting Linux systems is on the rise, driven by enhanced security measures in Windows environments.
#GelsemiumAPT #LinuxMalware #CyberEspionage
ESET researchers have uncovered two Linux backdoors, WolfsBane and FireWood, attributed to the Gelsemium APT group, marking a significant shift in their malware strategy. WolfsBane is a Linux counterpart to the Windows Gelsevirine, while FireWood’s connection remains uncertain. These tools are primarily aimed at cyberespionage, targeting sensitive data and maintaining persistent access. The trend of APT groups targeting Linux systems is on the rise, driven by enhanced security measures in Windows environments.
#GelsemiumAPT #LinuxMalware #CyberEspionage
Keypoints:
ESET researchers identified two new Linux backdoors, WolfsBane and FireWood.
WolfsBane is the Linux equivalent of the Windows Gelsevirine backdoor.
FireWood is potentially linked to Project Wood but lacks definitive attribution.
The malware aims for cyberespionage, targeting sensitive system data and user credentials.
There is a noticeable trend of APT groups shifting focus to Linux malware.
The malware utilizes various techniques for persistence and evasion.
Archives containing the malware samples were uploaded to VirusTotal from Taiwan, the Philippines, and Singapore.
MITRE Techniques:
Resource Development (T1583.001): Gelsemium has registered domains through commercial providers.
Resource Development (T1583.004): Gelsemium most likely acquires VPS from commercial providers.
Development Capabilities (T1587.001): Gelsemium develops its own custom malware.
Execution (T1059.004): Gelsemium malware is capable of executing Linux shell commands.
Persistence (T1037.004): The WolfsBane launcher remains persistent on the system by using RC startup scripts.
Persistence (T1543.002): The WolfsBane dropper can create a new system service for persistence.
Defense Evasion (T1070.004): The WolfsBane dropper removes itself.
Discovery (T1082): The WolfsBane dropper enumerates system information.
Collection (T1056): The SSH password stealer captures user credentials.
Exfiltration (T1041): The FireWood backdoor exfiltrates collected data utilizing C&C communications.
IoC:
[domain] dsdsei[.]com
[domain] asidomain[.]com
[file name] dbus
[file name] libselinux.so
[file name] udevd
[file name] kde
[file name] cron
[file name] ccc
[file name] ssh
[file name] a.jsp
[file name] yy1.jsp
[file name] login.jsp
Full Research: https://www.welivesecurity.com/en/eset-research/unveiling-wolfsbane-gelsemiums-linux-counterpart-to-gelsevirine/