Pierluigi Paganini
November 23, 2024
China-linked APT Gelsemium has deployed a previously unknown Linux backdoor, WolfsBane, in attacks targeting East and Southeast Asia, according to ESET. Victims include entities in Taiwan, the Philippines, and Singapore, as seen in VirusTotal samples from March 2023.
The experts also discovered another Linux backdoor, they tracked as FireWood. However, no evidence definitively links FireWood to other tools in the Gelsemium’s arsenal. The experts attribute FireWood to Gelsemium with low confidence, considering it could be a tool shared among multiple China-linked APTs.
WolfsBane and FireWood mirror Gelsemium’s Windows tools for cyberespionage, targeting sensitive data while evading detection. This shift to Linux reflects APT groups adapting to enhanced Windows defenses, focusing on Linux vulnerabilities in internet-facing systems.
“We believe this shift is due to improvements in Windows email and endpoint security, such as the widespread use of endpoint detection and response (EDR) tools and Microsoft’s decision to disable Visual Basic for Applications (VBA) macros by default.” states ESET. “Consequently, threat actors are exploring new attack avenues, with a growing focus on exploiting vulnerabilities in internet-facing systems, most of which run on Linux.”
The WolfsBane backdoor is a Linux version of Gelsevirine, a Windows backdoor used by Gelsemium APT. Its dropper, equivalent to the Gelsemine dropper, incorporates a concealment mechanism derived from an open-source userland rootkit.
WolfsBane exhibits several similarities to Gelsevirine. Notably, both versions utilize embedded custom libraries for network communication, and they share identical typographical errors in function names, specifically in the function used to initiate sessions. Furthermore, both backdoors employ a similar mechanism for executing commands received from their command and control (C&C) servers. They create a table that maps hashed command names to corresponding function pointers, demonstrating a consistent approach to command execution. In terms of configuration, WolfsBane and Gelsevirine show a largely consistent structure. While the Linux version has some omitted fields and a few additional ones, many field names remain the same. For instance, the value of “pluginkey” in WolfsBane’s configuration matches that found in all Gelsevirine samples from 2019. The researchers noticed that the “controller_version” values in the Linux version align with those in the Gelsevirine samples. The domain dsdsei[.]com, associated with WolfsBane, has also been flagged as an indicator of compromise linked to Gelsemium activities.
The initial access method used by the Gelsemium APT group is still unclear, but researchers believe the attackers exploited an unknown web application vulnerability. This allowed them to deploy web shells for persistent access and later deliver the WolfsBane backdoor using a dropper.
“The ever-increasing adoption of EDR solutions, along with Microsoft’s default strategy of disabling VBA macros, are leading to a scenario where adversaries are being forced to look for other potential avenues of attack.” concludes the report. “As a result, the vulnerabilities present in internet-facing infrastructure, particularly those systems that are Linux-based, are becoming increasingly targeted. This means that these Linux systems are becoming the new preferred targets for these adversaries.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, newsletter)
