The following text comes from a press release and in no way reflects the opinion of the editorial staff.
ESET Research also discovered FireWood, another Linux backdoor, but cannot definitively link it to other Gelsemium tools. Its presence in the analyzed archives could be a coincidence. ESET therefore attributes FireWood to Gelsemium with low confidence, as it could be a tool shared by several China-aligned APT groups.
“The most notable samples found in the VirusTotal downloaded archives are two backdoors resembling known Windows malware used by Gelsemium. WolfsBane is the Linux equivalent of Gelsevirine, while FireWood is related to the Wood project. We also discovered other tools potentially linked to Gelsemium’s activities,” explains ESET researcher Viktor Šperka, who analyzed Gelsemium’s latest toolkit.
“APT groups tend to focus on Linux malware; this is becoming more and more noticeable. We believe this change is due to Windows email and endpoint security improvements, such as the widespread use of endpoint detection and response tools and Microsoft’s decision to disable Visual Basic for Applications macros by default. Malicious actors then explore new means of attack and focus more on exploiting vulnerabilities in Internet-connected systems, most of which run Linux,” explains Šperka.
WolfsBane, the first backdoor, is part of a simple loading chain consisting of a dropper, a launcher and the backdoor itself. The WolfsBane attack chain also includes a modified open-source rootkit, software that runs in user space of the operating system and hides its own activity. FireWood, the second backdoor, is connected to a backdoor tracked by ESET researchers under the name Project Wood. ESET traced it back to 2005 and observed its evolution towards more sophisticated versions; it had already been used in Operation TooHash. The archives analyzed by ESET also contain several additional tools, mainly webshells, which give an attacker remote control once installed on a compromised server, as well as simple utility tools.
For a more detailed review and technical analysis of Gelsemium’s latest tools, check out ESET Research’s latest blog “Unveiling WolfsBane: Gelsemium’s Linux counterpart to Gelsevirine” at www.WeLiveSecurity.com. Follow ESET Research on Twitter (today known as X) for the latest news from ESET Research.