ESET Identifies Linux Backdoor Linked to Gelsemium APT Group
Quick take - ESET researchers have identified multiple samples of a Linux backdoor named WolfsBane and attributed it to the Gelsemium APT group, the first publicly reported use of Linux malware by the group. A second Linux backdoor, FireWood, was found alongside it. Both are built for cyberespionage against sensitive data, and their discovery reflects a broader trend of APT groups increasingly targeting Linux systems.
Fast Facts
- ESET researchers identified a Linux backdoor named WolfsBane and attributed it with high confidence to the Gelsemium APT group; this is the group's first publicly reported use of Linux malware.
- Gelsemium, a China-aligned threat actor active since 2014, is also associated with another Linux backdoor called FireWood, though that connection remains uncertain.
- Both backdoors are designed for cyberespionage, targeting sensitive data and enabling persistent access while avoiding detection.
- The malware samples were found in archives uploaded to VirusTotal from several regions; the archives are likely linked to a compromised server incident, and the findings indicate a shift towards Linux malware among APT groups.
- The report includes indicators of compromise (IoCs) and highlights the growing vulnerabilities in internet-facing Linux systems, inviting inquiries for further intelligence.
ESET Researchers Identify Linux Backdoor Named WolfsBane
ESET researchers have identified multiple samples of a Linux backdoor named WolfsBane. This backdoor is attributed with high confidence to the Gelsemium advanced persistent threat (APT) group, which is a China-aligned threat actor with a history dating back to 2014. This marks the first public report of their use of Linux malware.
Discovery of FireWood
In conjunction with WolfsBane, another Linux backdoor named FireWood was discovered. The connection of FireWood to Gelsemium tools remains uncertain, leading to a low-confidence attribution for FireWood. The discovered backdoors and tools are primarily aimed at cyberespionage, targeting sensitive data, including system information and user credentials. These tools are designed for persistent access and stealthy command execution, facilitating prolonged intelligence gathering while avoiding detection.
Trends in APT Groups
A noticeable trend is emerging among APT groups: an increasing focus on Linux malware, likely a response to enhanced security measures in Windows environments. The analyzed samples were found in archives uploaded to VirusTotal from various regions, including Taiwan, the Philippines, and Singapore; the archives are likely linked to a compromised server incident.
WolfsBane is identified as the Linux equivalent of the Windows backdoor Gelsevirine, and FireWood is associated with a project known as Project Wood. WolfsBane consists of a dropper, a launcher, and the backdoor itself. The dropper mimics a legitimate command-scheduling tool to establish persistence, choosing its method based on the system's configuration, and it uses different approaches depending on its execution privileges, with distinct paths for root and unprivileged users.
The WolfsBane backdoor uses a modified open-source userland rootkit to conceal its activities and to load embedded libraries for network communication. FireWood is linked to a backdoor previously used in Operation TooHash and shares naming conventions, file extensions, and encryption methods with Project Wood. FireWood establishes persistence by creating a desktop entry that executes commands during system startup.
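As an added illustration (not code from the ESET report), the following script triages the persistence mechanism attributed to FireWood above: it parses XDG autostart desktop entries and flags the traits a responder would look for in a startup entry. The sample entries, the heuristics, and the path prefixes are constructed for the example and are not indicators from the report.

```python
"""Triage XDG autostart .desktop entries for suspicious startup commands."""
import configparser
import shlex

# Constructed sample entries (not from the ESET report): one benign, two suspicious.
SAMPLE_ENTRIES = {
    "/etc/xdg/autostart/at-spi-dbus-bus.desktop":
        "[Desktop Entry]\nType=Application\nName=AT-SPI D-Bus Bus\n"
        "Exec=/usr/libexec/at-spi-bus-launcher --launch-immediately\nNoDisplay=true\n",
    "/home/alice/.config/autostart/gnome-session-helper.desktop":
        "[Desktop Entry]\nType=Application\nName=GNOME Session Helper\n"
        "Exec=/home/alice/.cache/.x/helper -d\nNoDisplay=true\nX-GNOME-Autostart-enabled=true\n",
    "/home/alice/.config/autostart/update.desktop":
        "[Desktop Entry]\nType=Application\nName=Updater\n"
        'Exec=sh -c "/tmp/.u/update >/dev/null 2>&1"\n',
}
WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")  # heuristic list
SHELL_NAMES = {"sh", "bash", "dash", "zsh"}

def exec_program(exec_line):
    """Return (program, wrapped): the path actually launched, and whether Exec went through `sh -c`."""
    argv = shlex.split(exec_line)
    if not argv:
        return "", False
    if argv[0].rsplit("/", 1)[-1] in SHELL_NAMES and "-c" in argv[:-1]:
        inner = shlex.split(argv[argv.index("-c") + 1])  # command string handed to the shell
        return (inner[0] if inner else ""), True
    return argv[0], False

def triage(path, text):
    """Return the reasons an autostart entry deserves analyst attention (empty list = nothing noteworthy)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # desktop-entry keys are case-sensitive
    cp.read_string(text)
    if "Desktop Entry" not in cp:
        return ["not a valid desktop entry"]
    entry = cp["Desktop Entry"]
    program, wrapped = exec_program(entry.get("Exec", ""))
    reasons = []
    if wrapped:
        reasons.append("Exec is wrapped in a shell -c command")
    if program.startswith(WRITABLE_PREFIXES):
        reasons.append(f"launches from a user-writable location: {program}")
    if any(part.startswith(".") for part in program.split("/") if part):
        reasons.append(f"hidden directory in program path: {program}")
    if entry.get("NoDisplay", "false").lower() == "true" and path.startswith("/home/"):
        reasons.append("per-user entry hidden from menus (NoDisplay=true)")
    return reasons

def triage_all(entries=SAMPLE_ENTRIES):
    """Map each entry path to its triage findings."""
    return {p: triage(p, t) for p, t in entries.items()}
```

On a live host the same functions can be pointed at `/etc/xdg/autostart/` and each user's `~/.config/autostart/`; the flagged entries are starting points for review, not verdicts.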
Both backdoors employ encryption for communication with their respective command and control (C&C) servers, utilizing different algorithms and keys. Researchers uncovered various tools, including an SSH password stealer and a privilege escalation tool. The SSH password stealer is a modified version of the OpenSSH client that collects user credentials, while the privilege escalation tool allows for elevation of user privileges.
The report highlights the discovery of various webshells in the analyzed archives, enabling remote control and system command execution on compromised servers. This finding reflects a shift in Gelsemium’s operational strategy towards Linux malware, aligning with broader trends observed in the APT ecosystem.
The report includes a comprehensive list of indicators of compromise (IoCs) and samples related to the identified malware, underscoring the growing exposure of internet-facing Linux systems, which are increasingly targeted by threat actors. The report concludes with an invitation for inquiries regarding the research, offering private APT intelligence reports and data feeds to interested parties.