A Chinese Advanced Persistent Threat (APT) group, known as Gelsemium, has recently modified its malware to target Linux systems. The backdoor malware, dubbed “WolfsBane,” was first discovered in 2023 and features a modified BEURK (Beurk Experimental Unix RootKit) userland rootkit to hide its malicious activities.
WolfsBane appears to be a Linux port of the Windows backdoor known as Gelsevirine. The malware is designed to exploit vulnerabilities in Java web applications to access public-facing Apache Tomcat servers. Experts say that this trend marks a shift towards cross-platform malware development.
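BEURK-style rootkits work in userland: a shared object is injected into processes through `LD_PRELOAD` or `/etc/ld.so.preload` and hooks libc calls such as `readdir()` so that the implant's files and processes disappear from `ls` and `ps`. The kernel's own `/proc` view is not hooked, which gives a defender two cheap checks. The script below is an added example written for this summary, not code from the article, ESET or Dark Reading; it assumes a Linux host with `/proc`, the staging directories it flags are a reviewer's assumption about common dropper locations, and the sample inputs in the comments are constructed.

```python
"""Hunt for LD_PRELOAD-style userland rootkit indicators on a Linux host.

Two signals are exposed as pure functions so they can be exercised on
constructed input as well as on a live system:
  1. preload entries (from /etc/ld.so.preload or a process environment)
     that point outside the normal library directories;
  2. PIDs that a direct stat() on /proc/<pid> can reach but that a
     readdir() of /proc does not list (a filtered-directory hook).
"""
import os
import re
from typing import Dict, Iterable, List, Set

# Directories from which a legitimately preloaded library normally comes.
TRUSTED_LIB_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64", "/usr/local/lib")
# Assumption: locations a dropper commonly uses to stage a hidden shared object.
STAGING_DIRS = ("/tmp", "/dev/shm", "/var/tmp", "/run/user")


def parse_ld_preload(text: str) -> List[str]:
    """Return library paths from preload text (file content or LD_PRELOAD value).

    Entries may be separated by whitespace or ':'; '#' starts a comment.
    """
    paths: List[str] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            paths.extend(p for p in re.split(r"[\s:]+", line) if p)
    return paths


def suspicious_preload_entries(paths: Iterable[str]) -> Dict[str, str]:
    """Map each preload path to the reason it deserves analyst attention."""
    findings: Dict[str, str] = {}
    for p in paths:
        if any(p.startswith(d + "/") for d in STAGING_DIRS):
            findings[p] = "shared object loaded from a staging/tmp directory"
        elif "/." in p:
            findings[p] = "hidden (dot-prefixed) path component"
        elif not any(p.startswith(d + "/") for d in TRUSTED_LIB_DIRS):
            findings[p] = "outside the standard library directories"
    return findings


def preload_from_environ(environ_blob: bytes) -> List[str]:
    """Extract LD_PRELOAD entries from a NUL-separated /proc/<pid>/environ blob."""
    for entry in environ_blob.split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            return parse_ld_preload(entry[len(b"LD_PRELOAD="):].decode(errors="replace"))
    return []


def hidden_pids(listed: Iterable[int], probed: Iterable[int]) -> Set[int]:
    """PIDs reachable by direct probe but absent from the directory listing.

    On a clean host both views agree (apart from processes that exit
    between the two passes); a hooked readdir() leaves PIDs only in `probed`.
    """
    return set(probed) - set(listed)


def list_proc_pids(proc: str = "/proc") -> Set[int]:
    """The readdir() view: what ls /proc and ps rely on."""
    return {int(n) for n in os.listdir(proc) if n.isdigit()}


def probe_proc_pids(proc: str = "/proc") -> Set[int]:
    """The stat() view: touch /proc/<pid> for every PID up to pid_max."""
    try:
        with open(f"{proc}/sys/kernel/pid_max") as fh:
            pid_max = int(fh.read().strip())
    except OSError:
        pid_max = 32768
    found: Set[int] = set()
    for pid in range(1, pid_max + 1):
        try:
            os.stat(f"{proc}/{pid}")
        except FileNotFoundError:
            continue
        except PermissionError:
            pass  # exists, just not readable by us
        found.add(pid)
    return found


if __name__ == "__main__":
    # Live scan; the pure functions above are what the constructed checks use.
    try:
        with open("/etc/ld.so.preload") as fh:
            for path, why in suspicious_preload_entries(parse_ld_preload(fh.read())).items():
                print(f"[ld.so.preload] {path}: {why}")
    except OSError:
        print("[ld.so.preload] absent or unreadable (normal on most hosts)")
    for pid in sorted(list_proc_pids()):
        try:
            with open(f"/proc/{pid}/environ", "rb") as fh:
                for path, why in suspicious_preload_entries(preload_from_environ(fh.read())).items():
                    print(f"[pid {pid} LD_PRELOAD] {path}: {why}")
        except OSError:
            continue
    for pid in sorted(hidden_pids(list_proc_pids(), probe_proc_pids())):
        print(f"[hidden pid] {pid} reachable via stat() but not listed by readdir()")
```

The stat()-versus-readdir() comparison only defeats userland hooks; a kernel-level rootkit of the kind the article attributes to FireWood can filter both views, so treat a clean result from this script as ruling out one class of tampering, not all of it.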
The rise of Linux-based threats has been evident in recent years, with vendors tracking double- and triple-digit year-over-year increases in Linux attacks since 2020. According to Elastic Security, the Linux threat landscape vastly outpaces that of macOS, more closely resembling Windows in terms of sheer volume of attacks.
Experts attribute the surge in Linux cyber threats to several factors, including the increasing adoption of Linux in enterprise environments and the improving state of Windows security. However, some researchers believe that security tooling and telemetry for Linux hosts are maturing at a pace that still leaves attackers room to bypass security tools.
The latest manifestation of “Project Wood,” a phylum of backdoors that dates back to 2005, is FireWood, which includes a kernel-level rootkit. This evolution highlights the growing sophistication of malware used by Gelsemium and other APT groups.
As Linux continues to gain popularity in enterprise environments, it’s essential for organizations to remain vigilant about cybersecurity threats. By staying informed about emerging trends and vulnerabilities, they can better protect themselves against cross-platform malware attacks.
Source: https://www.darkreading.com/threat-intelligence/chinese-apt-gelsemium-wolfsbane-linux-variant