Chinese State Hackers Unleash Stealthy ‘WolfsBane’ Malware to Infiltrate Linux Systems

New Linux Threats: WolfsBane and FireWood Malware

Key Findings:
– ESET researchers have identified WolfsBane, a Linux backdoor that ports the Gelsevirine Windows backdoor used by the China-aligned Gelsemium APT group
– A second Linux backdoor, FireWood, was found in the same investigation; its link to Gelsemium is weaker, and ESET notes it may be a tool shared among several China-aligned APT groups

WolfsBane Technical Details:
– Components include:
* Dropper named ‘cron’, to blend in with the legitimate cron daemon
* Launcher masquerading as a KDE desktop component
* Backdoor that loads its functionality from encrypted libraries
* Modified BEURK userland rootkit (LD_PRELOAD-based libc hooking) for stealth
– Capabilities:
* Disables SELinux
* Establishes persistence (system service files or user configuration files, depending on the privileges obtained)
* Hides its processes, files and network activity from userland tools
* Executes commands received from its C2 server
* Performs file operations and data exfiltration

FireWood Characteristics:
– Supports file operations, shell command execution and data exfiltration on behalf of its operator
– Uses a kernel-level rootkit driver (‘usbdev.ko’) to hide processes
– Establishes persistence via an autostart entry in the user's .config/autostart directory
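
The behaviours listed for both families (SELinux tampering, a preloaded userland rootkit, the usbdev kernel module, autostart persistence, and a process masquerading as cron) map onto a handful of host checks a defender can run during triage. The script below is an added example, not ESET's tooling or code from the report. The page names behaviours rather than paths, so the locations it inspects are the standard Linux ones (/etc/selinux/config, /etc/ld.so.preload, ~/.config/autostart, lsmod, /proc), and the list of legitimate cron binary paths is an assumption to adjust per distribution. Each check is a function that takes its input as an argument so it can be exercised on constructed data; `--live` runs them against the current host.

```shell
#!/bin/sh
# Host triage for the Linux tradecraft described above. Added example, not
# ESET's code or code from the malware report. The report names behaviours,
# not paths, so every location below is the standard Linux one (an assumption
# about where such artefacts would land); the cron paths are assumptions too.

# SELinux runtime state as reported by `getenforce`. Takes the string as an
# argument so it can be exercised on constructed input.
selinux_status() {
    case "$1" in
        Enforcing) echo ok ;;
        Permissive|Disabled) echo "ALERT: SELinux $1" ;;
        *) echo "UNKNOWN: SELinux state '$1'" ;;
    esac
}

# Persistent disablement lives in the SELINUX= line of the config file ($1).
selinux_config() {
    mode=$(sed -n 's/^[[:space:]]*SELINUX=//p' "$1" 2>/dev/null | head -n1)
    case "$mode" in
        enforcing) echo ok ;;
        '') echo "UNKNOWN: no SELINUX= line in $1" ;;
        *) echo "ALERT: config sets SELINUX=$mode" ;;
    esac
}

# A BEURK-style userland rootkit hooks libc by preloading a shared object.
# Any entry in ld.so.preload ($1) deserves review; on most hosts it is empty.
check_preload() {
    [ -s "$1" ] || { echo ok; return; }
    grep -v '^[[:space:]]*$' "$1" | while IFS= read -r lib; do
        echo "ALERT: preloaded library $lib"
    done
}

# Kernel-level rootkit: FireWood's driver is named usbdev.ko. $1 is a file
# holding `lsmod` output (header line, then "name size used-by").
check_modules() {
    awk 'NR > 1 && $1 == "usbdev" { print "ALERT: kernel module " $1 " loaded"; found = 1 }
         END { if (!found) print "ok" }' "$1"
}

# Autostart persistence: every .desktop file in directory $1 and what it runs.
check_autostart() {
    found=0
    for f in "$1"/*.desktop; do
        [ -f "$f" ] || continue
        found=1
        cmd=$(sed -n 's/^Exec=//p' "$f" | head -n1)
        echo "REVIEW: $f -> $cmd"
    done
    [ "$found" -eq 1 ] || echo ok
}

# Masquerading: a process ($1 = comm) calling itself cron whose executable
# ($2) is not the distribution's cron. Expected paths are an assumption.
check_masquerade() {
    case "$1" in
        cron|crond)
            case "$2" in
                /usr/sbin/cron|/usr/sbin/crond|/usr/bin/crond) echo ok ;;
                *) echo "ALERT: process named $1 runs from $2" ;;
            esac ;;
        *) echo ok ;;
    esac
}

# Run every check against the current host.
run_live() {
    selinux_status "$(getenforce 2>/dev/null || echo Unavailable)"
    selinux_config /etc/selinux/config
    check_preload /etc/ld.so.preload
    tmp=$(mktemp)
    lsmod > "$tmp" 2>/dev/null || true
    check_modules "$tmp"
    rm -f "$tmp"
    check_autostart "${HOME:-/root}/.config/autostart"
    for p in /proc/[0-9]*; do
        comm=$(cat "$p/comm" 2>/dev/null) || continue
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        check_masquerade "$comm" "$exe"
    done
}

if [ "${1:-}" = "--live" ]; then
    run_live | grep -v '^ok$' || echo "no findings"
fi
```

Run it as `sh triage.sh --live` on the suspect host (root is needed to resolve /proc/*/exe for other users' processes). A clean host prints only "no findings"; anything tagged ALERT or REVIEW is a lead, not a verdict, since a preloaded library or a non-standard cron path can also be legitimate local configuration.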

Industry Trend:
APT groups are increasingly targeting Linux systems because the Windows attack surface has hardened:
– Enhanced Windows security measures
– Widespread EDR adoption
– VBA macros disabled by default in Microsoft Office

For security professionals, indicators of compromise for both malware families are published in ESET's GitHub repository.

The shift underlines the growing importance of Linux security as threat actors adapt their tooling to target systems that are often less protected and less monitored than Windows endpoints.