Ethical Hacking News
Chinese hackers have been using a new Linux malware called WolfsBane, a complete toolset made up of a dropper, a launcher, and a backdoor. The discovery highlights the growing threat landscape for Linux systems and underscores the need for robust security measures to protect these platforms from sophisticated malware tools.
Cybersecurity researchers discovered a new Linux malware called WolfsBane, which is believed to be a port of Windows malware. The malware features a dropper, a launcher, and a backdoor, and uses a modified open-source rootkit to evade detection. WolfsBane disables SELinux, creates system service files, or modifies user configuration files to establish persistence. Its rootkit hooks basic standard C library functions to hide the malware's activity, while its backdoor executes commands received from a C2 server. WolfsBane poses a threat because it gives operators control over compromised systems through file operations, data exfiltration, and system manipulation. A second Linux malware called 'FireWood' has also been identified; it is versatile and capable of maintaining persistence on the host. Both WolfsBane and FireWood highlight the growing threat landscape for Linux systems and underscore the need for robust security measures.
Chinese hackers have been spotted using a new Linux malware called WolfsBane, which is believed to be a port of Windows malware used by the Chinese "Gelsemium" hacking group. This latest development in the world of cyber threats highlights the evolving nature of attacks on Linux systems and the increasing sophistication of malware tools being employed by threat actors.
The discovery of WolfsBane was made by ESET security researchers, who analyzed the malware and found that it is a complete tool featuring a dropper, a launcher, and a backdoor. The malware uses a modified open-source rootkit to evade detection, which allows it to operate stealthily on compromised systems. According to ESET, WolfsBane's execution flow involves loading three encrypted libraries containing its core functionality and its command and control (C2) communication configuration via a malware component named "udevd".
The dropper, named 'cron', drops the launcher, which is disguised as a KDE desktop component. Depending on the privileges it runs with, the malware disables SELinux, creates system service files, or modifies user configuration files to establish persistence. The launcher loads the WolfsBane Hider rootkit via '/etc/ld.so.preload' for system-wide hooking, allowing the malware to hide processes, files, and network traffic related to its activities.
ESET's analysis revealed that the WolfsBane Hider rootkit hooks many basic standard C library functions such as open, stat, readdir, and access. While these hooked functions invoke the original ones, they filter out any results related to the WolfsBane malware. Separately, the backdoor executes commands received from the C2 server using predefined command-function mappings, the same mechanism used in its Windows counterpart.
The commands executed by WolfsBane include file operations, data exfiltration, and system manipulation, giving the Gelsemium group total control over compromised systems. ESET notes that the shift of APT groups towards targeting Linux platforms is due to improvements in Windows email and endpoint security, such as the widespread use of endpoint detection and response (EDR) tools and Microsoft's decision to disable Visual Basic for Applications (VBA) macros by default.
In addition to WolfsBane, another Linux malware called 'FireWood' has been identified. While FireWood is more likely a shared tool used by multiple Chinese APT groups than a private tool created exclusively by Gelsemium, it poses a threat due to its versatility and capabilities. ESET's analysis revealed that FireWood uses the same kernel-level rootkit as WolfsBane to hide its processes, and that it maintains persistence on the host.
FireWood establishes persistence on the host by creating an autostart file (gnome-control.desktop) in '.config/autostart/'; commands placed in this file are executed automatically on system startup. The malware's command execution capabilities enable operators to perform file operations, shell command execution, library loading and unloading, and data exfiltration.
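A small host triage script for the artifacts described above for WolfsBane (an entry in '/etc/ld.so.preload', SELinux switched off in its config) and FireWood (an autostart .desktop file under '.config/autostart/'): this is an added example, not ESET's or the article's code. The library name, loader path, user name and sample tree it builds are constructed placeholders, and the Exec= heuristic is this example's own assumption about what looks unusual.

```python
import re
import tempfile
from pathlib import Path

# Exec= targets in writable or hidden user locations, or shell one-liners, merit a look.
SUSPICIOUS_EXEC = re.compile(r"/tmp/|/dev/shm/|/var/tmp/|/\.(config|cache|local)/|\b(ba)?sh -c\b")

def preload_entries(path):
    """Libraries listed in ld.so.preload; a clean host normally has none."""
    p = Path(path)
    lines = p.read_text(errors="replace").splitlines() if p.is_file() else []
    return [ln.strip() for ln in lines if ln.strip() and not ln.lstrip().startswith("#")]

def suspicious_autostart(autostart_dir):
    """(file name, Exec command) for .desktop entries whose Exec= looks unusual."""
    d, hits = Path(autostart_dir), []
    for f in (sorted(d.glob("*.desktop")) if d.is_dir() else []):
        for ln in f.read_text(errors="replace").splitlines():
            if ln.startswith("Exec=") and SUSPICIOUS_EXEC.search(ln[5:]):
                hits.append((f.name, ln[5:].strip()))
    return hits

def selinux_mode(config_path):
    """SELINUX= value from /etc/selinux/config, or None if the file is absent."""
    p = Path(config_path)
    text = p.read_text(errors="replace") if p.is_file() else ""
    m = re.search(r"^\s*SELINUX\s*=\s*(\w+)", text, re.M)
    return m.group(1).lower() if m else None

def triage(root="/", homes=("/root",)):
    """Run all three checks under a filesystem root (use "/" on a live host)."""
    root = Path(root)
    autostart = [h for home in homes for h in
                 suspicious_autostart(root / home.lstrip("/") / ".config/autostart")]
    return {"ld_preload": preload_entries(root / "etc/ld.so.preload"),
            "autostart": autostart, "selinux": selinux_mode(root / "etc/selinux/config")}

def demo():
    """Constructed sample tree with placeholder names, not real malware artifacts."""
    root = Path(tempfile.mkdtemp())
    (root / "etc/selinux").mkdir(parents=True)
    (root / "etc/ld.so.preload").write_text("# comment\n/lib/CONSTRUCTED_hider.so\n")
    (root / "etc/selinux/config").write_text("SELINUXTYPE=targeted\nSELINUX=disabled\n")
    auto = root / "home/user/.config/autostart"
    auto.mkdir(parents=True)
    (auto / "nm-applet.desktop").write_text("[Desktop Entry]\nExec=/usr/bin/nm-applet\n")
    (auto / "gnome-control.desktop").write_text(
        "[Desktop Entry]\nExec=/home/user/.config/CONSTRUCTED_loader --daemon\n")
    return triage(root, homes=("/home/user",))
```

On a live system, run `triage("/")` with the real home directories; any ld.so.preload entry, a disabled SELinux, or an autostart entry launching from a hidden user directory is worth a manual follow-up rather than an automatic verdict.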
The discovery of WolfsBane and FireWood highlights the growing threat landscape for Linux systems and underscores the need for robust security measures to protect these platforms from sophisticated malware tools. As threat actors continue to evolve their tactics and exploit vulnerabilities in internet-facing systems, it is essential to stay informed about emerging threats like WolfsBane and FireWood.
Related Information:
https://www.bleepingcomputer.com/news/security/chinese-gelsemium-hackers-use-new-wolfsbane-linux-malware/
https://thehackernews.com/2024/11/chinese-apt-gelsemium-targets-linux.html
Published: Thu Nov 21 20:08:09 2024 by llama3.2 3B Q4_K_M