Chinese APT Gelsemium Targets Linux Systems with New WolfsBane Backdoor

November 21, 2024 at 11:57AM

China-aligned APT actor Gelsemium is using a new Linux backdoor, WolfsBane, against targets in East and Southeast Asia for cyber espionage. Recent findings by ESET describe WolfsBane and a second implant, FireWood, both built to gather sensitive data. The finding fits a broader shift towards Linux malware among APT groups as security measures on other platforms improve.

### Meeting Takeaways – November 21, 2024

**Topic:** Cyber Espionage / Malware

1. **New Threat Actor Activity:**
– The Gelsemium APT, aligned with China, is using a new Linux backdoor named **WolfsBane**.
– Targeting is primarily focused on **East and Southeast Asia**.

2. **Key Findings by ESET:**
– Multiple Linux samples of WolfsBane were uploaded to **VirusTotal** from regions including **Taiwan**, **Philippines**, and **Singapore** in March 2023.
– WolfsBane is considered a Linux counterpart to the existing **Gelsevirine** backdoor for Windows.

3. **Additional Malware Discovery:**
– ESET identified another implant called **FireWood**, linked to a malware toolset known as **Project Wood**.
– FireWood’s attribution to Gelsemium is given with **low confidence**, suggesting it may be shared across various China-linked hacking groups.

4. **Objectives of Malware:**
– Both backdoors are aimed at cyber espionage, targeting sensitive data such as system information and user credentials.
– They are designed to maintain persistent access while evading detection.

5. **Access Methods:**
– The initial access method remains unclear but is suspected to involve exploiting an undisclosed **web application vulnerability**.
– A web shell may be used to facilitate the delivery of the WolfsBane backdoor via a **dropper**.

6. **Technical Details:**
– WolfsBane employs a modified open-source **BEURK rootkit** to conceal its functionalities on Linux systems.
– FireWood utilizes a kernel driver rootkit module called **usbdev.ko** for process hiding and command execution.

7. **Trend Observation:**
– There is a notable shift towards **Linux malware** in the APT landscape, indicating an expansion of targeting focus by adversaries.
– The rise in malware targeting Linux is influenced by improvements in email and endpoint security, such as the adoption of **EDR solutions** and changes to **Microsoft’s** VBA macros policy.
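A defender-side cross-check for the two hiding techniques summarized under Technical Details, added here as an example and not taken from ESET's report: BEURK is an LD_PRELOAD userland rootkit that hooks libc directory reads, so a /proc listing can disagree with a kill(pid, 0) probe, while a kernel-module rootkit that unlinks itself from the module list usually still has a /sys/module entry. It assumes a Linux host and root for a complete live scan; the per-function checks are pure and can be exercised with constructed input.

```python
import os
from pathlib import Path

def parse_preload(text):
    """Library paths listed in /etc/ld.so.preload; blank lines and # comments are ignored."""
    libs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            libs.extend(line.split())
    return libs

def hidden_pids(visible, probed):
    """PIDs that answer a probe but are missing from the /proc directory listing."""
    return sorted(set(probed) - set(visible))

def hidden_modules(proc_modules_text, loaded_in_sysfs):
    """Loaded modules seen in /sys/module but absent from /proc/modules (what lsmod reads)."""
    listed = {ln.split()[0] for ln in proc_modules_text.splitlines() if ln.strip()}
    return sorted(set(loaded_in_sysfs) - listed)

def probe_pids(pid_max):
    """kill(pid, 0) tests existence without signalling and does not go through readdir."""
    alive = []
    for pid in range(1, pid_max + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass  # exists but is owned by another user: still present
        alive.append(pid)
    return alive

def live_scan():
    """Run the three checks on this host; short-lived processes can cause benign PID diffs."""
    report = {}
    preload = Path("/etc/ld.so.preload")
    if preload.exists():
        report["preload"] = parse_preload(preload.read_text())
    visible = [int(d) for d in os.listdir("/proc") if d.isdigit()]
    pid_max = int(Path("/proc/sys/kernel/pid_max").read_text())
    report["hidden_pids"] = hidden_pids(visible, probe_pids(pid_max))
    # Built-in modules also get /sys/module entries; only loaded ones carry 'initstate'.
    loaded = [m for m in os.listdir("/sys/module")
              if (Path("/sys/module") / m / "initstate").exists()]
    report["hidden_modules"] = hidden_modules(Path("/proc/modules").read_text(), loaded)
    return report
if __name__ == "__main__":
    print(live_scan())
```

A non-empty `preload` list, any `hidden_pids`, or any `hidden_modules` entry is a lead to investigate, not proof on its own; confirm from a trusted boot medium or with an offline disk image.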

**Conclusion:** The cybersecurity landscape is evolving, with a clear shift towards targeting Linux systems by advanced persistent threat actors, highlighting the need for continual vigilance and security enhancement measures.
