Gelsemium APT Targets Linux Systems with WolfsBane and FireWood Malware

The advanced persistent threat (APT) actor known as Gelsemium, aligned with China, has been observed leveraging a new Linux backdoor named WolfsBane in cyberattacks believed to target East and Southeast Asia.

This discovery, reported by cybersecurity firm ESET, is based on Linux samples uploaded to VirusTotal from Taiwan, the Philippines, and Singapore in March 2023.

A New Threat: WolfsBane Backdoor

WolfsBane is assessed to be the Linux adaptation of Gelsevirine, a Windows-based backdoor used by Gelsemium since 2014. Alongside WolfsBane, researchers identified another previously undocumented implant named FireWood, tied to the Project Wood malware toolset.

While FireWood is attributed to Gelsemium with low confidence, there’s speculation it may be shared among multiple China-linked hacking groups.

"The goal of the backdoors and tools discovered is cyber espionage targeting sensitive data such as system information, user credentials, and specific files and directories," said Viktor Šperka, an ESET researcher, in a report shared with The Hacker News.

Espionage Tools and Tactics

WolfsBane and FireWood are designed to provide:

  1. Persistent Access: Remaining undetected for extended periods.
  2. Command Execution: Allowing attackers to issue commands stealthily.
  3. Intelligence Gathering: Harvesting critical information from compromised systems.

Although the initial access methods remain unclear, it’s suspected the threat actors exploited unknown web application vulnerabilities to deploy web shells. These web shells were used to deliver WolfsBane via a dropper.

To evade detection, WolfsBane employs a modified BEURK userland rootkit to hide its activities. Similarly, FireWood uses a kernel driver rootkit module called usbdev.ko to mask processes and execute attacker-controlled commands.
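As an added illustration (this code is not from ESET's report or the original post), the following Python triage helpers check a host for the two hiding techniques named above: a preload-style userland rootkit (BEURK is an LD_PRELOAD rootkit, so it only affects dynamically linked programs) and a kernel module loaded under a known name. The sample file contents, library paths and pids are constructed; only the usbdev module name comes from the page.

```python
"""Triage helpers for preload-rootkit and kernel-module indicators (example code)."""
import re
from typing import Dict, Iterable, List, Set

# --- Constructed sample data, standing in for what a collector would read from a host ---
# Hypothetical /etc/ld.so.preload; libhide.so is an invented name, not a real indicator.
SAMPLE_LD_SO_PRELOAD = (
    "# system libs\n"
    "/usr/lib/x86_64-linux-gnu/libselinux.so\n"
    "/usr/lib/libhide.so\n"
)
# Hypothetical /proc/<pid>/environ contents (NUL-separated, as the kernel presents them).
SAMPLE_ENVIRONS: Dict[int, bytes] = {
    1234: b"PATH=/usr/bin\0LD_PRELOAD=/usr/lib/libhide.so\0HOME=/root\0",
    2345: b"PATH=/usr/bin\0HOME=/home/app\0",
}
# Hypothetical /proc/modules; the usbdev name is the one cited for FireWood's driver.
SAMPLE_PROC_MODULES = (
    "ext4 778240 1 - Live 0x0000000000000000\n"
    "usbdev 16384 0 - Live 0x0000000000000000 (OE)\n"
    "xt_conntrack 16384 2 - Live 0x0000000000000000\n"
)
# Pids seen by a statically linked collector reading /proc directly, versus pids
# reported by the host's dynamically linked `ps` (constructed values).
SAMPLE_PROC_PIDS: Set[int] = {1, 1234, 2345, 4099}
SAMPLE_PS_PIDS: Set[int] = {1, 2345, 4099}


def preload_findings(ld_so_preload: str, environs: Dict[int, bytes],
                     allowlist: Iterable[str] = ()) -> List[str]:
    """Report libraries forced into processes via /etc/ld.so.preload (minus an
    allowlist of known-good entries) and any process whose environment carries
    LD_PRELOAD. Both are the load points a preload rootkit relies on."""
    allowed = set(allowlist)
    out: List[str] = []
    for raw in ld_so_preload.splitlines():
        path = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        if path and path not in allowed:
            out.append(f"/etc/ld.so.preload forces {path} into every dynamic process")
    for pid, env in environs.items():
        for entry in env.split(b"\0"):
            if entry.startswith(b"LD_PRELOAD="):
                out.append(f"pid {pid}: {entry.decode('utf-8', 'replace')}")
    return out


def module_findings(proc_modules: str, suspect: Iterable[str]) -> List[str]:
    """Report loaded kernel modules whose name matches a suspect list. The taint
    flags in parentheses (e.g. O = out-of-tree, E = unsigned) are kept because a
    rootkit module is rarely in-tree or signed."""
    names = {n.lower().removesuffix(".ko") for n in suspect}
    out: List[str] = []
    for line in proc_modules.splitlines():
        fields = line.split()
        if not fields or fields[0].lower() not in names:
            continue
        taint = re.search(r"\(([A-Z]+)\)", line)
        suffix = f" (taint flags {taint.group(1)})" if taint else ""
        out.append(f"module {fields[0]} is loaded{suffix}")
    return out


def hidden_pids(proc_pids: Set[int], ps_pids: Set[int]) -> Set[int]:
    """Pids present when /proc is read directly but missing from ps output.
    A preload rootkit can only hook dynamically linked tools, so the two views
    diverge. Caveat: a kernel-module rootkit can filter /proc itself, so this
    check does not cover the FireWood-style driver; use module_findings for that."""
    return set(proc_pids) - set(ps_pids)


if __name__ == "__main__":
    for f in preload_findings(SAMPLE_LD_SO_PRELOAD, SAMPLE_ENVIRONS,
                              allowlist=["/usr/lib/x86_64-linux-gnu/libselinux.so"]):
        print("preload:", f)
    for f in module_findings(SAMPLE_PROC_MODULES, ["usbdev.ko"]):
        print("module:", f)
    print("hidden pids:", hidden_pids(SAMPLE_PROC_PIDS, SAMPLE_PS_PIDS))
```

On a real host, feed these functions the contents of /etc/ld.so.preload, each /proc/<pid>/environ and /proc/modules as read by a statically linked collector (or from a mounted disk image), since a dynamically linked tool on a compromised host may be reading through the rootkit's hooks.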

A Shift in APT Focus to Linux Systems

The use of WolfsBane and FireWood represents Gelsemium’s first documented deployment of Linux malware, marking a significant expansion of its targeting.

"The trend of malware shifting towards Linux systems seems to be on the rise in the APT ecosystem," Šperka said.

This shift is attributed to advancements in email and endpoint security, including:

  1. The increasing adoption of Endpoint Detection and Response (EDR) solutions.
  2. Microsoft’s default disabling of VBA macros, limiting traditional attack vectors.

As attackers adapt, they’re focusing on Linux systems, which play a critical role in enterprise environments but often lack robust security defenses.

© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067