Ethical Hacking News

The Rise of Linux-based Malware: China-linked APT Gelsemium's New Backdoor, WolfsBane


China-linked APT Gelsemium has deployed a new Linux backdoor dubbed WolfsBane in attacks targeting East and Southeast Asia, including Singapore. The malware is similar to another Linux version used by Gelsemium called Gelsevirine, which has been in use for several years. This latest development highlights the evolving threat landscape of Linux-based malware as APT groups adapt to enhanced Windows defenses.

  • The Chinese group Gelsemium has launched a new Linux backdoor called WolfsBane, targeting countries in East and Southeast Asia, including Singapore.
  • The attackers are exploiting vulnerabilities in Linux-based systems, particularly those that are internet-facing, to evade detection.
  • WolfsBane is similar to another Linux version used by Gelsemium called Gelsevirine, which has been in use for several years.
  • The shift towards Linux reflects APT groups adapting to enhanced Windows defenses and focusing on exploiting vulnerabilities in internet-facing systems.
  • Gelsemium is mirroring its Windows tools for cyberespionage on Linux, targeting sensitive data while evading detection.


China has been launching a series of sophisticated cyberattacks against countries in East and Southeast Asia. The latest victim is Singapore, where the China-linked Advanced Persistent Threat (APT) group Gelsemium has deployed a new Linux backdoor dubbed WolfsBane. This backdoor is similar to another Linux version used by Gelsemium called Gelsevirine, which has been in use for several years.

The discovery of WolfsBane was made by ESET researchers who analyzed samples from VirusTotal and found that the malware had been used in attacks targeting Taiwan and Singapore. The attackers seem to be exploiting vulnerabilities in Linux-based systems, particularly those that are internet-facing. This shift towards Linux reflects APT groups adapting to enhanced Windows defenses, such as endpoint detection and response (EDR) tools.

The WolfsBane backdoor is a Linux version of Gelsevirine, a Windows backdoor used by the Gelsemium APT group. The dropper for the backdoor incorporates a concealment mechanism derived from an open-source userland rootkit. The malware uses embedded custom libraries for network communication and shares identical typographical errors in function names with its Windows counterpart.

The Linux version, WolfsBane, omits some fields found in the Gelsevirine samples and adds others. However, many field names remain the same, including the value of "pluginkey", which matches that found in all Gelsevirine samples from 2019. The researchers also noticed that the "controller_version" values in the Linux version align with those in the Gelsevirine samples.

The domain dsdsei[.]com, associated with WolfsBane, has been flagged as an indicator of compromise linked to Gelsemium activities. The initial access method used by the Gelsemium APT group is still unclear, but researchers believe that attackers exploited an unknown web application vulnerability to deploy web shells for persistent access and later deliver the WolfsBane backdoor using a dropper.

The shift to Linux reflects APT groups adapting to enhanced Windows defenses, focusing on exploiting vulnerabilities in internet-facing systems. ESET states that "the ever-increasing adoption of EDR solutions, along with Microsoft's default strategy of disabling VBA macros, are leading to a scenario where adversaries are being forced to look for other potential avenues of attack." As a result, vulnerabilities in internet-facing infrastructure, particularly on Linux-based systems, are increasingly being targeted.

According to ESET, Gelsemium is mirroring its Windows cyberespionage tools on Linux, targeting sensitive data while evading detection. The move to Linux is a further sign of APT groups adapting to enhanced Windows defenses and focusing on vulnerabilities in internet-facing systems.

The researchers attribute a second tool, FireWood, to Gelsemium with only low confidence, since it could be shared among multiple China-linked APTs. WolfsBane, by contrast, exhibits clear similarities to Gelsevirine, including the use of embedded custom libraries for network communication and identical typographical errors in function names.

In conclusion, the discovery of WolfsBane highlights the evolving threat landscape of Linux-based malware. As APT groups adapt to enhanced defenses, they are shifting their focus towards exploiting vulnerabilities in internet-facing systems. This trend underscores the importance of staying vigilant against cyber threats and continuously updating security measures to prevent such attacks.

Related Information:

  • https://securityaffairs.com/171299/apt/china-linked-apt-gelsemium-linux-backdoor.html
  • https://thehackernews.com/2024/11/chinese-apt-gelsemium-targets-linux.html


  • Published: Sat Nov 23 08:04:09 2024 by llama3.2 3B Q4_K_M
