A new Linux backdoor called WolfsBane, attributed to the Chinese Advanced Persistent Threat (APT) actor known as Gelsemium, has been spotted being used in cyberattacks likely targeting East and Southeast Asia.
That's according to findings from cybersecurity firm ESET, based on multiple Linux samples uploaded to the VirusTotal platform from Taiwan, the Philippines, and Singapore in March 2023.
WolfsBane is assessed to be a Linux version of the Gelsevirine backdoor, a Windows malware that has been in use since 2014. The company also discovered another previously undocumented implant called FireWood, which is connected to a different malware toolkit known as Project Wood.
FireWood was attributed to Gelsemium with low confidence, given the possibility that it could be shared by several China-linked hacking teams.
“The purpose of the identified backdoors and tools is cyber espionage targeting sensitive data such as system information, user credentials, and specific files and directories,” ESET researcher Viktor Šperka said in a report shared with The Hacker News.
“These tools are designed to maintain constant access and undetectable execution of commands, enabling sustained intelligence gathering while evading detection.”
The exact initial access path used by the threat actors is unknown, although it is suspected that they exploited an unknown web application vulnerability to plant a web shell for persistent remote access, which was then used to deliver the WolfsBane backdoor by means of a dropper.
Besides using a modified version of the open-source BEURK userland rootkit to hide its activity on the Linux host, WolfsBane is able to execute commands received from an attacker-controlled server. FireWood, for its part, uses a kernel driver rootkit module called usbdev.ko to hide processes and executes various commands issued by the server.
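The two hiding techniques described above, a userland rootkit that filters what processes see and a kernel module that hides processes, leave different traces on a host. The following triage script is an added example, not ESET's tooling or any code from the malware, and it assumes a Linux host with /proc, /sys and a working `ps`. It relies on two general properties of such rootkits rather than on anything specific to BEURK or usbdev.ko: a userland rootkit injected via /etc/ld.so.preload usually filters readdir() results, so a PID can be stat()'ed directly under /proc even when `ps` no longer lists it; and a kernel module that unlinks itself from the module list vanishes from /proc/modules while its /sys/module directory typically remains. Every function and constant name here is the example's own.

```python
# Added example (not from the original page): triage checks for LD_PRELOAD-style
# userland rootkits and for kernel modules hidden from lsmod. All names are
# this example's own assumptions; the malware-specific details are not modelled.
import os
import subprocess

LD_PRELOAD_FILE = "/etc/ld.so.preload"


def preload_entries(content):
    """Return the libraries listed in an /etc/ld.so.preload file.

    The dynamic loader injects every listed library into every dynamically
    linked process, which is how userland rootkits hook libc functions such
    as readdir() to filter listings. On most hosts the file is absent or
    empty, so any entry at all is worth reviewing.
    """
    entries = []
    for line in content.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.append(line)
    return entries


def hidden_pids(proc_pids, ps_pids):
    """PIDs found by probing /proc directly but missing from the `ps` listing.

    `ps` enumerates /proc through libc's readdir(), which a userland rootkit
    can filter; a direct stat() on /proc/<pid>/status often still succeeds.
    Short-lived processes cause transient differences, so re-check a hit
    before calling it a rootkit. A rootkit that also hooks stat() will hide
    from this too; a statically linked tool or a clean boot medium closes
    that gap.
    """
    return set(proc_pids) - set(ps_pids)


def hidden_modules(proc_modules_text, loadable_sysfs_modules):
    """Loadable modules present under /sys/module but absent from /proc/modules.

    Unlinking from the kernel's module list removes a module from lsmod and
    /proc/modules, but its sysfs directory usually remains. Built-in modules
    also appear under /sys/module, so callers must pass only entries that
    carry an `initstate` attribute (loadable modules have it, built-ins do not).
    """
    listed = {line.split()[0] for line in proc_modules_text.splitlines() if line.strip()}
    return sorted(set(loadable_sysfs_modules) - listed)


# --- collectors that read the live host ----------------------------------

def probe_proc_pids(proc_root="/proc", max_pid=None):
    """Probe /proc/<pid>/status for every possible PID instead of trusting readdir().

    Walking up to pid_max (often 4194304) takes a few seconds; it is the price
    of not depending on the directory listing a rootkit may have filtered.
    """
    if max_pid is None:
        with open(os.path.join(proc_root, "sys", "kernel", "pid_max")) as f:
            max_pid = int(f.read())
    return {pid for pid in range(1, max_pid + 1)
            if os.path.exists(os.path.join(proc_root, str(pid), "status"))}


def ps_pids():
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def loadable_sysfs_modules(sys_module="/sys/module"):
    return {name for name in os.listdir(sys_module)
            if os.path.exists(os.path.join(sys_module, name, "initstate"))}


def read_text(path):
    try:
        with open(path) as f:
            return f.read()
    except FileNotFoundError:
        return ""


def triage():
    """Run all three checks against the live host and return the findings."""
    return {
        "ld_preload": preload_entries(read_text(LD_PRELOAD_FILE)),
        "hidden_pids": sorted(hidden_pids(probe_proc_pids(), ps_pids())),
        "hidden_modules": hidden_modules(read_text("/proc/modules"),
                                         loadable_sysfs_modules()),
    }


if __name__ == "__main__":
    for check, result in triage().items():
        print(f"{check}: {result or 'none'}")
```

Run it as root on the suspect host; an empty result for all three checks does not prove the host is clean (a rootkit can hook more than readdir(), and a kernel module can also scrub sysfs), but any non-empty result is a concrete lead to follow up with offline disk and memory analysis.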
The use of WolfsBane and FireWood marks the first documented use of Linux malware by Gelsemium, indicating that the group's targeting is expanding.
“There seems to be an increasing trend in the APT ecosystem to move malware towards Linux systems,” Šperka said. “From our perspective, this development can be attributed to some advances in email and endpoint security.”
“The continued use of EDR solutions, along with Microsoft’s default strategy of disabling VBA macros, results in a scenario where adversaries are forced to look for other potential avenues of attack.”