ESET researchers have discovered that Gelsemium, a Chinese state-sponsored hacking group, is now using two new Linux-based malware tools: WolfsBane and FireWood. This marks their first documented use of Linux malware, primarily targeting East and Southeast Asian countries.
Key Points:
– WolfsBane, first seen in March 2023, appears to be the Linux counterpart of Gelsevirine, Gelsemium’s long-running Windows backdoor
– The malware was identified in Taiwan, the Philippines, and Singapore
– FireWood, another new tool, is potentially linked to “Project Wood” but attribution to Gelsemium is less certain
Technical Details:
– Both tools are designed for cyber espionage, focusing on:
* System information collection
* User credential theft
* File and directory monitoring
– WolfsBane hides its presence with a modified build of BEURK, an open-source userland rootkit that is loaded into every process through LD_PRELOAD and hooks libc functions to filter the backdoor’s files and processes out of directory listings and process enumeration
– FireWood instead loads a kernel module rootkit (usbdev.ko) to conceal its processes, so the hiding happens below the libc layer and is not visible to user-space tooling
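The two hiding techniques above leave different traces: a userland rootkit has to be registered somewhere the dynamic loader reads (/etc/ld.so.preload or the LD_PRELOAD variable), and both kinds hide processes only from the usual enumeration paths (readdir on /proc, the kernel’s module list used by lsmod) while the process or module itself still exists. The following checks are an added example written for this article, not tooling from ESET or from the malware analysis itself; they assume a stock Linux procfs/sysfs layout, and they do not detect WolfsBane or FireWood specifically, only the generic class of discrepancy their rootkits create.

```python
"""Generic Linux rootkit discrepancy checks (added example, not ESET code).

Three checks:
  1. libraries forced into every process via /etc/ld.so.preload or LD_PRELOAD
  2. PIDs that answer kill(pid, 0) but are missing from a listing of /proc
  3. loadable kernel modules present in /sys/module but absent from /proc/modules
The pure functions take their input as arguments so they can be exercised
on constructed data; live_report() collects the real inputs from the host.
"""
import os
import re

PID_RE = re.compile(r"^\d+$")


def preloaded_libraries(ld_so_preload_text, environ):
    """Return every shared object the loader is told to inject into all
    dynamically linked processes. On a clean host this is normally empty,
    so any entry (especially one in /tmp, /dev/shm or a dot-directory)
    deserves a look. Comments and blank lines in ld.so.preload are ignored."""
    libs = []
    for line in ld_so_preload_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            libs.extend(line.split())
    env_value = environ.get("LD_PRELOAD", "")
    libs.extend(p for p in re.split(r"[\s:]+", env_value) if p)
    return libs


def hidden_pids(visible_pids, pid_exists, max_pid):
    """PIDs reported alive by pid_exists() but absent from visible_pids.
    A hooked readdir() (LD_PRELOAD rootkit) or a kernel-side filter removes
    entries from the /proc listing, but probing each PID directly still
    reaches the process. Returns the sorted list of hidden PIDs."""
    visible = set(visible_pids)
    return sorted(p for p in range(1, max_pid + 1)
                  if p not in visible and pid_exists(p))


def unlisted_modules(proc_modules_text, sysfs_loaded_names):
    """Modules that were loaded from a .ko (they have a sysfs initstate entry)
    but do not appear in /proc/modules, which is what lsmod reads. A module
    that unlinks itself from the kernel's module list usually still leaves
    its /sys/module/<name> directory behind (heuristic, not proof)."""
    listed = {line.split()[0] for line in proc_modules_text.splitlines()
              if line.strip()}
    return sorted(set(sysfs_loaded_names) - listed)


def _live_pid_exists(pid):
    """kill(pid, 0) sends no signal; ESRCH means no such process, EPERM means
    the process exists but belongs to another user (still counts as alive).
    Caveat: a preloaded rootkit could also hook kill() inside this process."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def live_report(max_pid=None):
    """Run all three checks against the current host and return a dict."""
    try:
        with open("/etc/ld.so.preload") as fh:
            preload_text = fh.read()
    except FileNotFoundError:
        preload_text = ""
    visible = [int(d) for d in os.listdir("/proc") if PID_RE.match(d)]
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as fh:
            max_pid = int(fh.read())
    with open("/proc/modules") as fh:
        proc_modules_text = fh.read()
    sysfs_loaded = [m for m in os.listdir("/sys/module")
                    if os.path.exists(os.path.join("/sys/module", m, "initstate"))]
    return {
        "preloaded_libraries": preloaded_libraries(preload_text, os.environ),
        "hidden_pids": hidden_pids(visible, _live_pid_exists, max_pid),
        "unlisted_modules": unlisted_modules(proc_modules_text, sysfs_loaded),
    }


if __name__ == "__main__":
    for key, value in live_report().items():
        print(f"{key}: {value if value else 'none'}")
```

Run it as root so that every /proc entry is readable; probing the full pid_max range (often 4194304) takes a few seconds. An empty result is not a clean bill of health, since a kernel rootkit can also filter the kill() and sysfs views, but a non-empty result is a concrete lead that should be triaged from a separate, trusted system.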
Security Expert Analysis:
According to ESET researcher Viktor Šperka, this shift toward Linux-based attacks reflects a broader trend in Advanced Persistent Threats (APTs). This adaptation is likely due to:
– Improved email and endpoint security measures
– Microsoft’s restrictions on VBA macros
– The need for attackers to find alternative attack vectors
The initial access vector has not been confirmed; ESET suspects exploitation of a web application vulnerability followed by deployment of a web shell, from which the backdoors were then installed.