November 21, 2024 at 03:09PM
ESET researchers have identified two new Linux malware families: ‘WolfsBane,’ a backdoor linked to the Chinese Gelsemium group, and ‘FireWood,’ potentially used by various APT groups. Both target Linux systems, highlighting a trend as attackers seek new vulnerabilities amid enhanced Windows security measures. WolfsBane employs sophisticated evasion techniques.
### Meeting Takeaways:
1. **Discovery of WolfsBane**: A new Linux backdoor called “WolfsBane” has been identified, believed to be a port of Windows malware from the Chinese hacking group Gelsemium.
2. **Malware Features**:
– WolfsBane is described as a comprehensive malware toolkit consisting of a dropper, launcher, and backdoor.
– It utilizes a modified open-source rootkit for evasion of detection.
3. **Introduction and Persistence**:
– WolfsBane is introduced via a dropper named ‘cron’, which disguises its launcher as a KDE desktop component.
– Depending on its execution privileges, it can disable SELinux, create service files, or modify user configurations to maintain persistence.
4. **Functionality and Communication**:
– The malware features a component called ‘udevd’ that loads encrypted libraries for core functionality and C2 communication.
– It uses a modified BEURK rootkit for system-wide hooks to hide its operations and maintain stealth.
5. **Command Capabilities**: WolfsBane can execute commands received from the C2 server, allowing for file operations, data exfiltration, and system manipulation, granting Gelsemium control over targeted systems.
6. **Finding FireWood**:
– A second Linux malware named “FireWood” has been discovered which is loosely linked to Gelsemium but likely used by multiple Chinese APT groups.
– It is capable of performing various operations such as file handling, shell command execution, and data exfiltration.
7. **Persistence Mechanism**:
– FireWood establishes persistence through an autostart file in the user’s configuration directory, enabling it to run commands automatically on system startup.
8. **Emerging Trend**: ESET notes a significant trend where APT groups are increasingly targeting Linux systems due to enhanced security measures in Windows environments.
9. **Indicators of Compromise**: A comprehensive list of indicators for both malware families and Gelsemium’s recent campaigns is available on GitHub.
10. **Contextual Articles**: Related articles highlight ongoing concerns regarding Linux malware and vulnerabilities affecting Linux systems and infrastructures.
This summary encapsulates the key points discussed in the meeting regarding the threats posed by the new Linux malware families and the evolving landscape of cyber threats.