A China-aligned advanced persistent threat (APT) actor known as Gelsemium has been spotted using two new malware tools in cyber attacks targeting East and Southeast Asia. The first, a Linux backdoor dubbed WolfsBane, is a variant of the group's previously documented Gelsevirine backdoor, which was in use as far back as 2014.
The second, FireWood, is a previously undocumented implant connected to another toolset known as Project Wood. It is attributed to Gelsemium with low confidence only, because the toolset may be shared among several China-linked hacking crews.
According to ESET researcher Viktor Šperka, the goal of these backdoors and tools is cyber espionage targeting sensitive data such as system information, user credentials, and specific files and directories. They are designed to maintain persistent access and execute commands stealthily, enabling prolonged intelligence gathering while evading detection.
The attackers exploited an unknown web application vulnerability to drop web shells for persistent remote access and used the modified BEURK userland rootkit to conceal their activities on Linux hosts. The WolfsBane backdoor can also execute commands received from an attacker-controlled server using a kernel driver rootkit module called usbdev.ko.
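As an added defender-side example, not from the article or from ESET, the script below triages the two Linux persistence layers the paragraph mentions: it parses /proc/modules for the usbdev module (or any unsigned out-of-tree module, which is what a hand-built rootkit .ko looks like) and lists /etc/ld.so.preload entries, the hook point used by LD_PRELOAD rootkits such as BEURK. The sample data is constructed and the empty allowlist is an assumption to adjust per environment.

```python
import re

# Module name from the article (usbdev.ko without the .ko suffix).
SUSPICIOUS_MODULES = {"usbdev"}
# Assumption: no preload library is expected on this host; extend as needed.
PRELOAD_ALLOWLIST = set()

def parse_proc_modules(text):
    """Parse /proc/modules lines: name size refcount deps state addr [(taints)]."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue
        taints = parts[6].strip("()") if len(parts) > 6 else ""
        rows.append({"name": parts[0], "state": parts[4], "taints": taints})
    return rows

def find_suspicious_modules(text):
    """Names matching the known rootkit module, plus modules that are both
    out-of-tree (O) and unsigned (E), the usual shape of a custom rootkit."""
    hits = set()
    for m in parse_proc_modules(text):
        if m["name"] in SUSPICIOUS_MODULES or {"O", "E"} <= set(m["taints"]):
            hits.add(m["name"])
    return sorted(hits)

def find_preload_entries(text):
    """Non-allowlisted libraries in /etc/ld.so.preload (whitespace separated,
    '#' starts a comment). An LD_PRELOAD rootkit persists here."""
    found = []
    for line in text.splitlines():
        for path in line.split("#", 1)[0].split():
            if path not in PRELOAD_ALLOWLIST:
                found.append(path)
    return found

def triage_host(modules_path="/proc/modules", preload_path="/etc/ld.so.preload"):
    """Run both checks on a live host; a missing ld.so.preload file is normal."""
    with open(modules_path) as f:
        modules = find_suspicious_modules(f.read())
    try:
        with open(preload_path) as f:
            preload = find_preload_entries(f.read())
    except FileNotFoundError:
        preload = []
    return {"modules": modules, "preload": preload}

# Constructed sample data for offline use; names, paths and addresses are made up.
SAMPLE_MODULES = (
    "ext4 786432 2 - Live 0xffffffffc0300000\n"
    "usbdev 16384 0 - Live 0xffffffffc0400000 (OE)\n"
    "signed_oot 32768 0 - Live 0xffffffffc0500000 (O)\n"
)
SAMPLE_PRELOAD = "/lib/libhide-sample.so   # constructed, not a real indicator\n"
```

Run `triage_host()` as root on a live system; on a clean server both lists are normally empty, so any entry deserves a look.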
This marks the first documented use of Linux malware by Gelsemium, indicating an expansion of its targeting focus towards Linux systems. Experts attribute this development to advancements in email and endpoint security, such as the increasing adoption of EDR solutions and Microsoft’s strategy of disabling VBA macros.
Source: https://thehackernews.com/2024/11/chinese-apt-gelsemium-targets-linux.html