Stealthy Chinese Hackers Unleash New Linux Backdoor in Asian Cyber Espionage Campaign

ESET researchers have discovered that Gelsemium, a Chinese state-sponsored hacking group, is now using two new Linux-based malware tools: WolfsBane and FireWood. This marks their first documented use of Linux malware, primarily targeting East and Southeast Asian countries.

Key Points:
– WolfsBane, detected in March 2023, appears to be a Linux version of Gelsemium’s existing Windows backdoor, Gelsevirine
– The malware was identified in Taiwan, the Philippines, and Singapore
– FireWood, another new tool, is potentially linked to “Project Wood” but attribution to Gelsemium is less certain

Technical Details:
– Both tools are designed for cyber espionage, focusing on:
* System information collection
* User credential theft
* File and directory monitoring
– WolfsBane uses the BEURK rootkit to hide its activities
– FireWood employs a kernel driver rootkit (usbdev.ko) for process concealment
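The two hiding techniques listed above, a userland rootkit and a kernel-module rootkit that conceals processes, leave generic traces a defender can check for on a suspect Linux host. The script below is an added example written for this page, not ESET's tooling or anything from the report; it assumes a Linux host with /proc and /sys mounted, and the SAMPLE_PRELOAD and SAMPLE_PROC_MODULES strings are constructed inputs so the parsing helpers can be exercised offline. It flags three generic indicators rather than any family-specific signature: PIDs the kernel acknowledges (signal 0) but /proc does not list, entries in /etc/ld.so.preload, and kernel modules present in /sys/module but missing from /proc/modules (i.e. hidden from lsmod).

```python
import os
from pathlib import Path

# Constructed sample inputs (not from any real host) so the parsers run offline.
SAMPLE_PRELOAD = "# system entry\n/usr/lib/libfoo.so\n\n   /tmp/.x/libhide.so  # suspicious\n"
SAMPLE_PROC_MODULES = (
    "ext4 900000 2 - Live 0x0000000000000000\n"
    "usbdev 16384 0 - Live 0x0000000000000000\n"   # name taken from the article
)


def listed_pids(proc_dir="/proc"):
    """PIDs visible by listing /proc, which is what ps and top rely on."""
    return {int(name) for name in os.listdir(proc_dir) if name.isdigit()}


def probe_pids(pid_max):
    """PIDs the kernel reports as existing, found by sending signal 0.
    EPERM (PermissionError) still means the process exists."""
    alive = set()
    for pid in range(1, pid_max + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive


def find_hidden(listed, probed):
    """PIDs the kernel acknowledges but /proc does not show."""
    return sorted(probed - listed)


def hidden_pids_twice(proc_dir="/proc"):
    """Two passes, intersected, so short-lived processes that exit between
    the probe and the /proc listing are not reported as hidden."""
    pid_max = int(Path(proc_dir, "sys/kernel/pid_max").read_text())
    first = set(find_hidden(listed_pids(proc_dir), probe_pids(pid_max)))
    second = set(find_hidden(listed_pids(proc_dir), probe_pids(pid_max)))
    return sorted(first & second)


def parse_preload(text):
    """Library paths in an ld.so.preload body; blank lines and # comments ignored."""
    libs = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            libs.append(entry)
    return libs


def parse_proc_modules(text):
    """Module names from /proc/modules content (first column of each line)."""
    return {line.split()[0] for line in text.splitlines() if line.strip()}


def unlisted_modules(proc_module_names, sys_module_dir="/sys/module"):
    """Loaded modules that appear in /sys/module (loaded ones carry an
    'initstate' file; built-ins do not) but are absent from /proc/modules."""
    hidden = []
    base = Path(sys_module_dir)
    if not base.is_dir():
        return hidden
    for entry in base.iterdir():
        if (entry / "initstate").exists() and entry.name not in proc_module_names:
            hidden.append(entry.name)
    return sorted(hidden)


if __name__ == "__main__":
    print("hidden PIDs:", hidden_pids_twice())
    preload = Path("/etc/ld.so.preload")
    print("preloaded libs:", parse_preload(preload.read_text()) if preload.exists() else [])
    loaded = parse_proc_modules(Path("/proc/modules").read_text())
    print("modules hidden from lsmod:", unlisted_modules(loaded))
```

Run it as root for full visibility of other users' processes. A non-empty preload list is not proof of compromise on its own; compare the paths against what the distribution and installed packages are expected to put there, and treat libraries living in unusual or hidden directories as the signal.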

Security Expert Analysis:
According to ESET researcher Viktor Šperka, this shift toward Linux-based attacks reflects a broader trend in Advanced Persistent Threats (APTs). This adaptation is likely due to:
– Improved email and endpoint security measures
– Microsoft’s restrictions on VBA macros
– The need for attackers to find alternative attack vectors

The exact initial compromise method remains unknown, though researchers suspect the exploitation of a web application vulnerability followed by web shell deployment.