Chinese Hackers Unleash Linux Malware ‘WolfsBane’ with Enhanced Stealth Capabilities

A new Linux backdoor called ‘WolfsBane’ has been discovered, believed to be a port of Windows malware used by the Chinese hacking group ‘Gelsemium’. Researchers from ESET analyzed WolfsBane and found it features a dropper, launcher, and backdoor, as well as a modified rootkit to evade detection. The malware is designed to give the attackers total control over compromised systems, executing commands received from a C2 server for file operations, data exfiltration, and system manipulation.

ESET also identified another Linux malware called ‘FireWood’, which appears linked to the ‘Project Wood’ Windows malware but is more likely a shared tool used by multiple Chinese APT groups. FireWood’s command set lets operators perform file operations, execute shell commands, load and unload libraries, and exfiltrate data.

The emergence of these Linux malware families is part of a broader trend where APT groups increasingly target Linux platforms due to improvements in Windows security measures, such as endpoint detection and response tools. As threat actors explore new attack avenues, they are focusing on exploiting vulnerabilities in internet-facing systems that run on Linux.

Source: https://www.bleepingcomputer.com/news/security/chinese-gelsemium-hackers-use-new-wolfsbane-linux-malware