Key Findings:
– ESET researchers have discovered WolfsBane, a Linux backdoor ported from Windows malware used by the China-aligned Gelsemium APT group
– A second Linux malware family, FireWood, was identified in the same investigation; it is likely a tool shared among several Chinese APT groups, so its link to Gelsemium is less certain
WolfsBane Technical Details:
– Components include:
* Dropper (disguised as 'cron')
* Launcher (masquerading as a KDE desktop component)
* Backdoor, shipped with its encrypted libraries
* Modified BEURK userland rootkit (LD_PRELOAD-based) to hide the backdoor's processes, files and network connections
– Capabilities:
* Disables SELinux
* Establishes persistence
* Hides malicious activities
* Executes commands received from its C2 server
* Performs file operations and exfiltrates data
FireWood Characteristics:
– Features file operations, shell command execution, and data exfiltration
– Uses a kernel-module rootkit (usbdev.ko) for stealth
– Establishes persistence via autostart files
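The first checks a responder would run against the behaviours listed for both families, as an added example in Python (this is not ESET's tooling and does not use its published IOCs). It treats the page's three concrete observables as detection inputs: SELinux switched off (WolfsBane), a loaded kernel module named usbdev (FireWood's usbdev.ko), and autostart .desktop entries whose Exec target runs from a non-system path or borrows a system-daemon name such as cron (the dropper's disguise). The /etc/selinux/config location, the autostart directories, the 'crond' alias and all sample data are assumptions constructed for the demonstration.

```python
"""Host triage for the WolfsBane/FireWood behaviours summarised above.

Added example, not ESET's code. Checks three observables from the write-up:
  * SELinux configured disabled/permissive   (WolfsBane disables SELinux)
  * a loaded kernel module named 'usbdev'     (FireWood's usbdev.ko rootkit)
  * autostart .desktop entries run from a non-system path or posing as 'cron'
Paths, the 'crond' alias and the sample inputs are assumptions/constructed.
"""
import os
import re
import shlex
from pathlib import Path

SYSTEM_DIRS = ("/usr/", "/bin/", "/sbin/", "/opt/", "/snap/")   # assumed trusted roots
DAEMON_LOOKALIKES = {"cron", "crond"}   # 'cron' from the page; 'crond' is an assumption
ROOTKIT_MODULES = {"usbdev"}            # module name from the page (usbdev.ko)


def check_selinux_config(text):
    """Flag SELINUX=disabled/permissive in /etc/selinux/config-style text."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"SELINUX\s*=\s*(\w+)", line)   # does not match SELINUXTYPE=
        if m and m.group(1).lower() in ("disabled", "permissive"):
            findings.append(f"MEDIUM SELinux configured as {m.group(1)}")
    return findings


def check_loaded_modules(proc_modules, names=ROOTKIT_MODULES):
    """Scan /proc/modules text; the first field of each line is the module name."""
    return [f"HIGH kernel module {parts[0]} is loaded"
            for parts in (ln.split() for ln in proc_modules.splitlines())
            if parts and parts[0] in names]


def _desktop_exec(text):
    """Return (Exec value, Hidden flag) from the [Desktop Entry] group."""
    exec_cmd, hidden, in_group = None, False, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_group = line == "[Desktop Entry]"
            continue
        if not in_group or line.startswith("#") or "=" not in line:
            continue
        key, _, value = (s.strip() for s in line.partition("="))
        if key == "Exec":
            exec_cmd = value
        elif key == "Hidden":
            hidden = value.lower() == "true"
    return exec_cmd, hidden


def check_autostart_entry(name, text):
    """Rate one autostart .desktop file by where and what its Exec launches."""
    exec_cmd, hidden = _desktop_exec(text)
    if hidden or not exec_cmd:
        return []                                   # Hidden=true entries never run
    argv = shlex.split(exec_cmd)                    # handles quoting and %U-style codes
    if not argv:
        return []
    target = argv[0]
    base = os.path.basename(target)
    outside = "/" in target and not target.startswith(SYSTEM_DIRS)   # bare names are PATH-resolved
    lookalike = base in DAEMON_LOOKALIKES
    if outside and lookalike:
        return [f"HIGH {name}: Exec poses as '{base}' but runs from {target}"]
    if outside:
        return [f"MEDIUM {name}: Exec target outside system directories: {target}"]
    if lookalike:
        return [f"MEDIUM {name}: daemon-like command '{base}' launched at login"]
    return []


def triage(selinux_cfg, proc_modules, autostart):
    """autostart: mapping of file name -> .desktop contents."""
    findings = check_selinux_config(selinux_cfg) + check_loaded_modules(proc_modules)
    for name, text in sorted(autostart.items()):
        findings += check_autostart_entry(name, text)
    return findings


# --- constructed sample input (not real IOCs) --------------------------------
SAMPLE_SELINUX_CFG = "# SELinux state\nSELINUX=disabled\nSELINUXTYPE=targeted\n"
SAMPLE_PROC_MODULES = ("usbhid 65536 0 - Live 0x0000000000000000\n"
                       "usbdev 16384 0 - Live 0x0000000000000000\n"
                       "xfs 1671168 2 - Live 0x0000000000000000\n")
SAMPLE_AUTOSTART = {
    "nextcloud.desktop": "[Desktop Entry]\nType=Application\nExec=nextcloud --background\n",
    "cron.desktop": "[Desktop Entry]\nType=Application\nName=cron\n"
                    "Exec=/home/user/.local/share/.cache/cron\n",
    "stale.desktop": "[Desktop Entry]\nExec=/home/user/tools/helper\nHidden=true\n",
}


def live_inputs():
    """Read the real files on a Linux host; anything missing reads as empty."""
    def read(p):
        try:
            return Path(p).read_text(errors="replace")
        except OSError:
            return ""
    autostart = {}
    for d in (Path.home() / ".config/autostart", Path("/etc/xdg/autostart")):
        if d.is_dir():
            for f in d.glob("*.desktop"):
                autostart[str(f)] = read(f)
    return read("/etc/selinux/config"), read("/proc/modules"), autostart


if __name__ == "__main__":
    for line in triage(*live_inputs()) or ["no findings"]:
        print(line)
```

Two caveats when running this live. The SELinux check reads the persistent configuration, not the running state; compare it with `getenforce`, since a host can be permissive at runtime with an enforcing config or vice versa. And a kernel rootkit may hide its own entry in /proc/modules, so an empty module result is not exoneration; cross-check /sys/module, the kernel ring buffer, or an offline image of the disk.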
Industry Trend:
APT groups are increasingly turning to Linux because Windows has become a harder target:
– Stronger default security in Windows
– Widespread deployment of EDR tooling
– Microsoft blocking VBA macros by default in Office documents from the internet, removing a favoured initial-access vector
Indicators of compromise for both malware families are published in ESET's GitHub repository.
This trend highlights the growing importance of Linux security as threat actors adapt their tactics to target less-protected systems.