Gelsemium APT Targets Linux with New WolfsBane Backdoor
2024-11-22
New opportunity: organizations in East and Southeast Asia are under threat from Linux-targeted espionage campaigns. Time to get out your Rolodex.
The article discusses the recent activities of the Chinese APT group Gelsemium, which has been deploying a new Linux backdoor called WolfsBane in cyber espionage campaigns targeting East and Southeast Asia. WolfsBane is a Linux adaptation of their existing Windows backdoor, Gelsevirine, and is used to gather sensitive data while maintaining persistent, stealthy access. Additionally, another implant named FireWood was discovered, linked to a different malware suite, Project Wood. The attackers possibly exploited a web application vulnerability to deliver these backdoors, leveraging rootkits for concealment. This marks Gelsemium's first documented use of Linux malware, reflecting a broader trend of APTs shifting focus toward Linux systems, driven by improvements in email and endpoint security.
Malware, Sensitive Data, Web App/Website Vulnerability
Gelsemium, WolfsBane, Linux backdoor, cyber espionage, APT, East Asia, Southeast Asia
N/A
Linux, Windows, East Asia, Southeast Asia, Taiwan, Philippines, Singapore
The cybersecurity landscape has seen a new development as the Chinese advanced persistent threat (APT) group Gelsemium has started targeting Linux systems with a new backdoor called WolfsBane. This malware is part of a campaign likely focused on East and Southeast Asia, including regions like Taiwan, the Philippines, and Singapore. WolfsBane is a Linux variant of Gelsemium's older Windows malware, Gelsevirine, which has been used since 2014. The group has also been linked to another malware tool called FireWood, which is part of a different suite known as Project Wood. Although the link to Gelsemium is tentative, FireWood's characteristics suggest it might be used by multiple Chinese hacking groups.

The primary objective of WolfsBane and FireWood is cyber espionage. They are designed to collect sensitive data, including system information, user credentials, and specific files. These tools enable persistent and stealthy access to compromised systems, allowing Gelsemium to gather intelligence over extended periods without being detected.

While the exact method used by Gelsemium to gain initial access is unclear, it is suspected that the group exploited an unknown web application vulnerability. This may have allowed them to deploy web shells for maintaining remote access and to deliver the WolfsBane backdoor via a dropper. Once installed, WolfsBane uses a modified open-source rootkit called BEURK to hide its activities on Linux systems. It can execute commands from an attacker-controlled server, making it a potent tool for remote control. Similarly, FireWood employs a kernel driver rootkit module named usbdev.ko to conceal processes and execute commands.

This marks the first documented use of Linux malware by Gelsemium, indicating a shift in their attack strategy. The trend of targeting Linux systems is growing among APT groups, driven by advancements in email and endpoint security that make traditional targets harder to exploit.
As organizations increasingly adopt Linux, understanding and mitigating these threats becomes crucial.

Chinese APT Group Gelsemium Exploits Linux with New WolfsBane Backdoor
WolfsBane: A New Threat for Linux
Purpose and Functionality
Attack Vectors and Concealment Techniques
Implications for Linux Security
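The summary above names two concealment layers: a modified BEURK rootkit hiding WolfsBane's activity, and a kernel driver module, usbdev.ko, hiding FireWood's processes. The script below is an added defender-side triage example; it is not code from the source article, from ESET, or from the malware. It assumes, as LD_PRELOAD-style rootkits typically do and the page does not state, that a BEURK-style rootkit registers itself in /etc/ld.so.preload; it reads the standard /proc/modules format with the kernel's taint letters; and it compares a readdir() listing of /proc against direct kill(pid, 0) probing, which a userland readdir() hook does not intercept. The watchlist entry "usbdev" is the driver name the page gives; every sample input used to check the functions is constructed.

```python
"""Host triage for the two concealment layers the summary describes: a userland
preload rootkit (a modified BEURK) and a kernel-module rootkit (usbdev.ko).
Added example, not the report's or the malware's code. Assumed, not stated on the
page: the preload rootkit registers in /etc/ld.so.preload as LD_PRELOAD rootkits
typically do. Inputs used to check the functions are constructed."""
import os
import re
from pathlib import Path

# Module names to flag on sight. "usbdev" is the driver name the report gives
# for FireWood; extend with whatever your fleet never legitimately loads.
MODULE_WATCHLIST = {"usbdev"}


def preload_entries(text: str) -> list[str]:
    """Library paths listed in /etc/ld.so.preload. The file is normally absent
    or empty; any entry deserves a look, because LD_PRELOAD-style rootkits
    persist here so every dynamically linked process loads their hooks."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # ld.so ignores comments/blanks
        if line:
            entries.append(line)
    return entries


def suspicious_modules(proc_modules: str) -> list[dict]:
    """Parse /proc/modules ('name size refcount deps state address [(taint)]')
    and flag watchlisted names plus modules tainted O (out-of-tree) or
    E (unsigned): a rootkit driver is neither in-tree nor distro-signed."""
    hits = []
    for line in proc_modules.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue
        taint_match = re.search(r"\(([A-Z+-]+)\)\s*$", line)
        taint = taint_match.group(1) if taint_match else ""
        reasons = []
        if parts[0] in MODULE_WATCHLIST:
            reasons.append("name on watchlist")
        if "O" in taint:
            reasons.append("out-of-tree (O)")
        if "E" in taint:
            reasons.append("unsigned (E)")
        if reasons:
            hits.append({"module": parts[0], "taint": taint, "reasons": reasons})
    return hits


def hidden_pids(listed: set[int], probed: set[int]) -> set[int]:
    """PIDs that answer a direct probe but are missing from a readdir() listing
    of /proc: the discrepancy a preload rootkit creates when it filters its own
    processes out of directory listings."""
    return probed - listed


def is_thread_group_leader(pid: int) -> bool:
    """kill(tid, 0) also succeeds for thread IDs, which never get /proc entries;
    keep only real processes. An unreadable status file is kept as well, since
    hiding it is itself suspicious."""
    try:
        status = Path(f"/proc/{pid}/status").read_text()
    except OSError:
        return True
    match = re.search(r"^Tgid:\s*(\d+)", status, re.MULTILINE)
    return match is None or int(match.group(1)) == pid


def probe_pids(limit: int) -> set[int]:
    """Enumerate live PIDs with kill(pid, 0), which bypasses the readdir() path a
    userland hook intercepts. A rootkit that also hooks kill() evades this, so
    pair it with an out-of-band check such as an offline disk image."""
    found = set()
    for pid in range(1, limit + 1):
        try:
            os.kill(pid, 0)
            found.add(pid)
        except ProcessLookupError:
            continue
        except PermissionError:
            found.add(pid)  # exists, just not ours to signal
    return found


def main() -> None:
    preload = Path("/etc/ld.so.preload")
    if preload.is_file():
        for lib in preload_entries(preload.read_text()):
            print(f"[preload] {lib} (on disk: {Path(lib).exists()})")
    modules = Path("/proc/modules")
    if modules.is_file():
        for hit in suspicious_modules(modules.read_text()):
            print(f"[module] {hit['module']} taint={hit['taint'] or '-'}: " + ", ".join(hit["reasons"]))
    if Path("/proc").is_dir():
        listed = {int(d) for d in os.listdir("/proc") if d.isdigit()}
        try:
            pid_max = int(Path("/proc/sys/kernel/pid_max").read_text())
        except (OSError, ValueError):
            pid_max = 32768
        probed = {p for p in probe_pids(pid_max) if is_thread_group_leader(p)}
        for pid in sorted(hidden_pids(listed, probed)):
            print(f"[hidden-pid] {pid} answers kill(0) but is absent from /proc")


if __name__ == "__main__":
    main()
```

Run it as root on a host you suspect; probing up to pid_max takes a few seconds on kernels that raise the limit to four million. Each finding is a lead, not a verdict: a preload entry can be a legitimate agent, and an out-of-tree module can be a vendor driver, so compare against a known-good baseline from the same image before escalating.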
https://thehackernews.com/2024/11/chinese-apt-gelsemium-targets-linux.html?m=1