Gelsemium APT Shifts Focus to Linux with WolfsBane Backdoor

Threat Group: Gelsemium APT
Threat Type: Advanced Persistent Threat (APT)
Exploited Vulnerabilities: Web application vulnerabilities in internet-facing Apache Tomcat servers on Linux hosts (specific CVEs not stated), used to plant web shells.
Malware Used: WolfsBane (Linux backdoor), FireWood (Linux backdoor)
Threat Score: High (8.5/10) — Focus on critical infrastructure, advanced obfuscation, and cross-platform targeting.
Last Threat Observation: November 22, 2024.


Overview

The WolfsBane malware, attributed to the Gelsemium APT group, is a newly identified Linux backdoor designed for cyberespionage. First analyzed by ESET, WolfsBane is a counterpart to the Windows-based Gelsevirine malware. The Gelsemium APT group, active since 2014, has historically targeted critical infrastructure, with a particular focus on East and Southeast Asia.

ESET researchers unveiled WolfsBane in conjunction with FireWood, another Linux-based backdoor connected to the same threat actor. These tools represent a broader shift by APT groups towards targeting Linux systems due to increased security measures on Windows environments.

Key Points:

  • WolfsBane facilitates long-term system access for data exfiltration and command execution.
  • FireWood serves as a potential continuation of the Project Wood malware lineage.
  • Both tools employ advanced obfuscation and persistence mechanisms, emphasizing Gelsemium's sophistication.

Key Details

Delivery Method:
Exploitation of vulnerabilities in Apache Tomcat servers to deploy web shells, enabling malware installation.

Target:
Linux-based servers, focusing on entities in East and Southeast Asia, including Taiwan, the Philippines, and Singapore.

Functions:

  1. Persistent access to compromised systems.
  2. Execution of commands from C&C servers.
  3. Exfiltration of sensitive data (system information, user credentials).
  4. Deployment of additional malware modules.
  5. Advanced obfuscation techniques for stealth operations.

Obfuscation:
Modified open-source userland rootkits hide the backdoors' files, processes, and network activity from local tools, so that routine file and process listings do not reveal the intrusion.


Attack Vectors

Gelsemium obtains initial access by exploiting vulnerabilities in web applications (Apache Tomcat servers in the observed cases) to deploy web shells, which are then used to install the WolfsBane and FireWood backdoors. Following initial compromise:

  • Persistence Mechanisms: Scripts in startup folders or systemd services maintain malware execution.
  • Command Execution: Functions tied to C&C servers execute commands, exfiltrate data, and update malware components.
  • Rootkits: Both backdoors use rootkits for evasion, such as hiding processes, files, and network activities.
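The rootkit evasion described above typically relies on hooking library calls such as readdir() so that `ps` and `ls /proc` never show the hidden PID. Userland hooks rarely cover every path, so a defender can compare the directory listing of /proc with a direct stat() probe of each candidate /proc/<pid> and flag the difference. The following is an added example (not code from the advisory or from ESET); the procedure names, the fallback pid_max value, and the race-handling strategy are this example's own assumptions.

```python
"""Added example: detect PIDs hidden from readdir() by a userland rootkit.

Technique (assumed here, not described in the advisory): enumerate /proc
twice, once through readdir() (the view a hooked libc presents) and once
by probing /proc/<pid> with stat() for every candidate PID.  A readdir-only
hook cannot filter the second view, so PIDs present in the probe but
absent from the listing are candidates for rootkit-hidden processes.
"""
import os

PROC = "/proc"


def listed_pids(proc_dir=PROC):
    """PIDs as returned by readdir() on the proc directory."""
    return {int(name) for name in os.listdir(proc_dir) if name.isdigit()}


def probed_pids(max_pid, proc_dir=PROC):
    """PIDs found by stat()-ing each /proc/<pid> directly (bypasses readdir)."""
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.stat(os.path.join(proc_dir, str(pid)))
        except FileNotFoundError:
            continue
        except PermissionError:
            pass  # the directory exists even though we cannot inspect it
        found.add(pid)
    return found


def hidden_pids(listed, probed):
    """Pure comparison: PIDs seen by the probe but missing from the listing."""
    return sorted(probed - listed)


def format_cmdline(raw):
    """/proc/<pid>/cmdline is NUL-separated; render it as one string."""
    return raw.replace(b"\0", b" ").decode(errors="replace").strip()


def describe(pid, proc_dir=PROC):
    """Best-effort command line for a PID; empty string if unreadable."""
    try:
        with open(os.path.join(proc_dir, str(pid), "cmdline"), "rb") as f:
            return format_cmdline(f.read())
    except OSError:
        return ""


def read_pid_max(path="/proc/sys/kernel/pid_max", fallback=32768):
    """Upper bound for the probe; the fallback is an assumed default."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return fallback


def scan(proc_dir=PROC):
    """Run both views and return [(pid, cmdline)] for hidden candidates.

    Processes that start or exit between the two enumerations would show
    up as false positives, so the listing is taken before and after the
    probe and the union is used; re-run and trust only PIDs that persist.
    """
    before = listed_pids(proc_dir)
    probed = probed_pids(min(read_pid_max(), 4_194_304), proc_dir)
    after = listed_pids(proc_dir)
    return [(pid, describe(pid, proc_dir)) for pid in hidden_pids(before | after, probed)]


if __name__ == "__main__":
    for pid, cmd in scan():
        print(f"HIDDEN pid {pid}: {cmd!r}")
    print("scan complete")
```

Run it as root on the suspect host; an empty result is expected on a clean system. A kernel-mode rootkit can defeat both views, so treat this as one signal among several (network telemetry from outside the host, package integrity checks, and the IoC sweep below the indicator list).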

Known Indicators of Compromise (IoCs)

File Hashes (MD5)

  • 0ff2f7ef56717a032d970ff8b78c85e4
  • 17ffeda7cf0f19381fb1eb0e70c03927
  • 1b6868f8c412e1e6efc4d7149173c5a9
  • 2251bc7910fe46fd0baf8bc05599bdcf
  • 24fff48947a8f5a100e21d5592f92d4c
  • 3230cb323663710d52dfe18b9f0cb369
  • 35b4867b323749cc72406f471b149efc
  • 35e941f5df1560f0c2191c23e5189ada
  • 4b51d56955a4438481f8452120a36aa0
  • 5480f12015b0520b7e33519725bec6ef

File Hashes (SHA1)

  • 029407c923c279803c6d7cbc7673936bca2e580c
  • 0471e1a214f458d4c478677ec9896b0f31207377
  • 055f1e13e0fea44dc42e8cd8c9219ed588360304
  • 0ab53321bb9699d354a032259423175c08fec1a4
  • 0cedfb1789ef139b6040cf8d84ba130360c4eb7d
  • 0fef89711da11c550d3914debc0e663f5d2fb86c
  • 1042c798d7ff69eb52cbeae684c74fc0ee84aacd
  • 1dd4e8119efb34beaec6af55b66222d3dc5036eb
  • 209c4994a42af7832f526e09238fb55d5aab34e5
  • 21c9b87a8cf75deba6cff8cf66aa015d6fb46be2

File Hashes (SHA256)

  • 00b701e3ef29912c1fcd8c2154c4ae372cfe542cfa54ffcce9fb449883097cec
  • 109d4b8878b8c8f3b7015f6b3ae573a6799296becce0f32ca3bd216bee0ab473
  • 1a9d78e5c255de239fb18b2cf47c4c2298f047073299c27fb54a0edf08a1d5a1
  • 1b6bb9e9612982f9cb55a1c88ae988d362d03fd57748d10b8cbe7acd724055c9
  • 1ec286f2194199206e4ce345f1bf322b6b0b4c947b1cf32db59cca2d89370738
  • 1f6de1af513f60572799a0893818e1b694c3ec3ff5dabddc8a0f0aa0d96d15d2
  • 29e78ca3cb49dd2985a29e74cafb1a0a15515670da0f4881f6095fb2926bfefd
  • 2bab6b951ea0ae3ea9452fd503bacafb45b6687d6352f5415d14810f9cf7a89e
  • 31d5e55f21246f97da006ddba6306b357d2823c90754a920c7bd268af0d2a1e4
  • 46338cae732ee1664aac77d9dce57c4ff8666460c1a51bee49cae44c86e42df9

IPv4 Address

  • 210[.]209[.]72[.]180

Domains

  • 4vw37z[.]cn
  • asidomain[.]com
  • dsdsei[.]com

Hostnames

  • acro[.]ns1[.]name
  • domain[.]dns04[.]com
  • info[.]96html[.]com
  • microsoftservice[.]dns1[.]us
  • pctftp[.]otzo[.]com
  • sitesafecdn[.]hopto[.]org
  • traveltime[.]hopto[.]org
  • www[.]sitesafecdn[.]dynamic-dns[.]net
  • www[.]travel[.]dns04[.]com

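A practical use of the indicators above is a local sweep: hash files on a suspect host against the listed digests and search DNS, proxy or web-server logs for the listed IP, domains and hostnames. The following is an added example, not code from the advisory or from ESET. The hash and network indicators are copied from the list above (refanged from their `[.]` form); the directory layout, the log lines in the demo and the matching rules are this example's own constructions.

```python
"""Added example: sweep files and log lines for the WolfsBane/FireWood IoCs.

Indicator sets below are copied from the advisory.  Everything else
(matching rules, sample log lines) is constructed for illustration.
"""
import hashlib
import os
import re

MD5 = set("""
0ff2f7ef56717a032d970ff8b78c85e4 17ffeda7cf0f19381fb1eb0e70c03927
1b6868f8c412e1e6efc4d7149173c5a9 2251bc7910fe46fd0baf8bc05599bdcf
24fff48947a8f5a100e21d5592f92d4c 3230cb323663710d52dfe18b9f0cb369
35b4867b323749cc72406f471b149efc 35e941f5df1560f0c2191c23e5189ada
4b51d56955a4438481f8452120a36aa0 5480f12015b0520b7e33519725bec6ef
""".split())

SHA1 = set("""
029407c923c279803c6d7cbc7673936bca2e580c 0471e1a214f458d4c478677ec9896b0f31207377
055f1e13e0fea44dc42e8cd8c9219ed588360304 0ab53321bb9699d354a032259423175c08fec1a4
0cedfb1789ef139b6040cf8d84ba130360c4eb7d 0fef89711da11c550d3914debc0e663f5d2fb86c
1042c798d7ff69eb52cbeae684c74fc0ee84aacd 1dd4e8119efb34beaec6af55b66222d3dc5036eb
209c4994a42af7832f526e09238fb55d5aab34e5 21c9b87a8cf75deba6cff8cf66aa015d6fb46be2
""".split())

SHA256 = set("""
00b701e3ef29912c1fcd8c2154c4ae372cfe542cfa54ffcce9fb449883097cec
109d4b8878b8c8f3b7015f6b3ae573a6799296becce0f32ca3bd216bee0ab473
1a9d78e5c255de239fb18b2cf47c4c2298f047073299c27fb54a0edf08a1d5a1
1b6bb9e9612982f9cb55a1c88ae988d362d03fd57748d10b8cbe7acd724055c9
1ec286f2194199206e4ce345f1bf322b6b0b4c947b1cf32db59cca2d89370738
1f6de1af513f60572799a0893818e1b694c3ec3ff5dabddc8a0f0aa0d96d15d2
29e78ca3cb49dd2985a29e74cafb1a0a15515670da0f4881f6095fb2926bfefd
2bab6b951ea0ae3ea9452fd503bacafb45b6687d6352f5415d14810f9cf7a89e
31d5e55f21246f97da006ddba6306b357d2823c90754a920c7bd268af0d2a1e4
46338cae732ee1664aac77d9dce57c4ff8666460c1a51bee49cae44c86e42df9
""".split())

DEFANGED_NETWORK = """
210[.]209[.]72[.]180 4vw37z[.]cn asidomain[.]com dsdsei[.]com
acro[.]ns1[.]name domain[.]dns04[.]com info[.]96html[.]com
microsoftservice[.]dns1[.]us pctftp[.]otzo[.]com sitesafecdn[.]hopto[.]org
traveltime[.]hopto[.]org www[.]sitesafecdn[.]dynamic-dns[.]net www[.]travel[.]dns04[.]com
""".split()


def refang(text):
    """Turn the publication-safe '[.]' form back into a real dotted name."""
    return text.replace("[.]", ".")


NETWORK = {refang(i) for i in DEFANGED_NETWORK}
HASHES = {"md5": MD5, "sha1": SHA1, "sha256": SHA256}

# A hit must be the whole name or a subdomain of it: not preceded by a
# name character (a leading '.' is fine) and not followed by one.
_NET_RE = re.compile(
    "|".join(rf"(?<![\w-]){re.escape(i)}(?![\w-])" for i in sorted(NETWORK, key=len, reverse=True)),
    re.IGNORECASE,
)


def digests_of(data):
    """MD5/SHA1/SHA256 hex digests of a byte string."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in HASHES}


def match_hashes(digests):
    """[(algo, digest)] for every digest present in the advisory's sets."""
    return [(a, d) for a, d in digests.items() if d in HASHES.get(a, ())]


def sweep_dir(root):
    """Hash every regular file under root; return [(path, algo, digest)] hits."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                with open(path, "rb") as f:
                    data = f.read()
            except OSError:
                continue
            hits += [(path, a, d) for a, d in match_hashes(digests_of(data))]
    return hits


def scan_log(lines):
    """[(line_number, indicator)] for each network IoC found in the lines."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for m in _NET_RE.finditer(refang(line)):
            hits.append((number, m.group(0).lower()))
    return hits


if __name__ == "__main__":
    # Constructed sample log lines; only the second one should hit.
    sample = [
        "Nov 22 10:01:02 srv sshd[412]: Accepted publickey for deploy from 10.0.0.5",
        "Nov 22 10:01:07 srv dnsmasq[77]: query[A] mail.asidomain.com from 10.0.0.9",
        "Nov 22 10:01:09 srv nginx: 10.0.0.9 GET /manager/html 200",
    ]
    print("log hits:", scan_log(sample))
    print("file hits:", sweep_dir("/tmp"))
```

Run `sweep_dir` over web-server document roots and temporary directories first (the web shell and its dropped payload are the artefacts most likely to survive), and feed `scan_log` the host's DNS and proxy logs. A clean result does not prove absence: the hashes cover only the samples ESET published, so pair the sweep with the persistence and hidden-process checks described under Attack Vectors.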

Mitigation and Prevention

  1. User Awareness: Educate teams about social engineering risks and web application vulnerabilities.
  2. Email Filtering: Block malicious attachments and suspicious emails.
  3. Antivirus Protection: Deploy solutions capable of detecting sophisticated backdoors.
  4. Two-Factor Authentication (2FA): Add layers of security to account access.
  5. Log Monitoring: Track unusual system and network activities for quick identification of intrusions.
  6. Regular Updates: Patch software vulnerabilities to limit exploit opportunities.
  7. Network Segmentation: Isolate critical systems from internet-facing environments.

Conclusion

The WolfsBane malware showcases the growing trend of APT groups targeting Linux environments. As security improves in Windows ecosystems, attackers are shifting focus to under-protected Linux servers. This evolution emphasizes the need for organizations to strengthen their cybersecurity postures, especially for Linux-based systems.

ESET Research provides in-depth insights into threats like WolfsBane. Their technical analysis sheds light on malware operations and attribution to threat actors like Gelsemium, ensuring organizations are informed and prepared to mitigate risks.


Sources

  1. WeLiveSecurity: "Unveiling WolfsBane: Gelsemium’s Linux Counterpart to Gelsevirine"
  2. The Hacker News: "Chinese APT Gelsemium Targets Linux Systems with New WolfsBane Backdoor"
  3. BleepingComputer: "Chinese Hackers Target Linux with New WolfsBane Malware"