ESET researchers have uncovered WolfsBane, a Linux cyberespionage backdoor attributed with high confidence to the Gelsemium advanced persistent threat (APT) group. This discovery is a major development, as it is the first public report of Gelsemium deploying Linux malware.
The newly identified backdoors and tools are designed for cyberespionage, targeting sensitive data, including system information, user credentials, and specific files or directories. They also enable persistent access and stealthy command execution, allowing prolonged intelligence gathering while evading detection.
Origins and Links to Gelsemium
The researchers discovered WolfsBane and related tools on VirusTotal, with samples uploaded from Taiwan, the Philippines, and Singapore. These samples likely originated from incident response on compromised servers. Gelsemium, an APT group active since 2014, has historically focused on entities in Eastern Asia and the Middle East. Until now, its operations had been limited to Windows malware, such as the backdoor Gelsevirine.
WolfsBane is the Linux counterpart of Gelsevirine, while another discovered backdoor, FireWood, appears connected to Project Wood—a Windows backdoor previously attributed to Gelsemium. However, ESET has attributed FireWood to Gelsemium with low confidence, as its presence may be coincidental or indicative of tool sharing among APT groups.
Expert Insights
Viktor Sperka, an ESET researcher who analyzed the group’s latest toolset, said the most notable samples ESET identified resemble Windows malware used by Gelsemium. WolfsBane is the Linux counterpart of Gelsevirine, and FireWood is connected to Project Wood. He said they also found other tools potentially related to Gelsemium’s activities.
Sperka highlighted a growing trend among APT groups to target Linux systems, driven by advancements in Windows security, such as endpoint detection and response tools and the default disablement of Visual Basic for Applications (VBA) macros. He explained that malicious actors are increasingly focusing on vulnerabilities in internet-facing Linux systems, which are critical for many enterprises.
Attack Chain and Additional Tools
WolfsBane operates through a straightforward loading chain involving a dropper, launcher, and backdoor. Its attack chain also includes a modified open-source userland rootkit designed to conceal its activities within the user space of an operating system.
ESET’s analysis revealed other tools in the archives, including webshells for remote server control and utility tools. FireWood, while less definitively linked to Gelsemium, was traced back to Operation TooHash, where it evolved into more sophisticated versions over time.
Attackers Are Eyeing Linux
The discovery indicates a broader pivot by threat actors toward exploiting Linux systems as a means of evasion. This is likely due to heightened Windows security and Linux’s ubiquity in server environments.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.