Chinese hackers target Linux with new WolfsBane malware


A new Linux backdoor called ‘WolfsBane’ has been discovered, believed to be a port of Windows malware used by the Chinese ‘Gelsemium’ hacking group.

ESET security researchers who analyzed WolfsBane report that WolfsBane is a complete malware tool featuring a dropper, launcher, and backdoor, while it also uses a modified open-source rootkit to evade detection.

The researchers also discovered ‘FireWood,’ another Linux malware that appears linked to the ‘Project Wood’ Windows malware.

However, FireWood is more likely a shared tool used by multiple Chinese APT groups rather than an exclusive/private tool created by Gelsemium.

ESET says the two malware families, both appearing on VirusTotal over the last year, are part of a broader trend where APT groups increasingly target Linux platforms due to Windows security getting stronger.

“The trend of APT groups focusing on Linux malware is becoming more noticeable. We believe this shift is due to improvements in Windows email and endpoint security, such as the widespread use of endpoint detection and response (EDR) tools and Microsoft’s decision to disable Visual Basic for Applications (VBA) macros by default. Consequently, threat actors are exploring new attack avenues, with a growing focus on exploiting vulnerabilities in internet-facing systems, most of which run on Linux.”

ESET

WolfsBane’s stealthy howl

WolfsBane is introduced to targets via a dropper named ‘cron,’ which drops the launcher component disguised as a KDE desktop component.

Depending on the privileges it runs with, it disables SELinux, creates system service files, or modifies user configuration files to establish persistence.

The launcher loads the primary malware component, ‘udevd,’ which in turn loads three encrypted libraries containing its core functionality and its command and control (C2) communication configuration.

Figure: WolfsBane’s execution flow (Source: ESET)

Finally, a modified version of the BEURK userland rootkit is loaded via ‘/etc/ld.so.preload’ for system-wide hooking to help hide processes, files, and network traffic related to WolfsBane’s activities.

“The WolfsBane Hider rootkit hooks many basic standard C library functions such as open, stat, readdir, and access,” explains ESET.

“While these hooked functions invoke the original ones, they filter out any results related to the WolfsBane malware.”

WolfsBane’s main operation is to execute commands received from the C2 server using predefined command-function mappings, which is the same mechanism as the one used in its Windows counterpart.

These commands include file operations, data exfiltration, and system manipulation, giving Gelsemium total control over compromised systems.

Figure: Command names in the Linux (left) and Windows (right) backdoors (Source: ESET)

FireWood overview

Though only loosely linked to Gelsemium, FireWood is another Linux backdoor that could enable versatile, long-term espionage campaigns.

Its command execution capabilities enable operators to perform file operations, shell command execution, library loading/unloading, and data exfiltration.

ESET identified a file named ‘usbdev.ko,’ which is suspected of operating as a kernel-level rootkit, providing FireWood with the ability to hide processes.

The malware sets its persistence on the host by creating an autostart file (gnome-control.desktop) in ‘.config/autostart/,’ while it can also include commands in this file to execute them automatically on system startup.
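The two host artefacts described above, a populated ‘/etc/ld.so.preload’ and an autostart .desktop entry, are both cheap to audit during triage. The following is an added example written for this article, not ESET’s tooling: it takes the file contents as text (so it runs on copies pulled off a host or on the constructed samples included) and returns severity-rated findings; the trusted library directories and the constructed sample paths are assumptions, not published indicators.

```python
"""Triage of /etc/ld.so.preload entries and ~/.config/autostart/*.desktop
files. Added example; the allow-list and samples are assumptions."""
import configparser
import re

# Where a legitimately preloaded library is normally installed (assumption).
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")
HIDDEN_SEGMENT = re.compile(r"(^|/)\.[^/\s]")  # matches "/.config", "/.hider.so"
INLINE_SHELL = re.compile(r"^\s*(/bin/|/usr/bin/)?(ba|da)?sh\s+-c\b")


def audit_ld_preload(contents: str) -> list[tuple[str, str]]:
    """One (severity, detail) per whitespace-separated library path. The file
    is absent or empty on a clean system, so every entry is reported."""
    findings = []
    for path in contents.split():
        if path.startswith(TRUSTED_LIB_DIRS) and not HIDDEN_SEGMENT.search(path):
            findings.append(("medium", f"ld.so.preload loads {path}"))
        else:
            findings.append(("high", f"ld.so.preload loads non-system or hidden library {path}"))
    return findings


def audit_autostart_desktop(contents: str, name: str) -> list[tuple[str, str]]:
    """Flag Exec= lines that use a hidden path or an inline shell command,
    and entries hidden from startup-application listings via NoDisplay."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(contents)
    if "Desktop Entry" not in cp:
        return [("low", f"{name}: no [Desktop Entry] group")]
    entry = cp["Desktop Entry"]
    exec_line = entry.get("Exec", "").strip()
    findings = []
    if HIDDEN_SEGMENT.search(exec_line):
        findings.append(("high", f"{name}: Exec uses a hidden path: {exec_line}"))
    if INLINE_SHELL.match(exec_line):
        findings.append(("medium", f"{name}: Exec is an inline shell command: {exec_line}"))
    if entry.get("NoDisplay", "false").strip().lower() == "true":
        findings.append(("low", f"{name}: NoDisplay=true hides the entry from settings listings"))
    return findings


# Constructed samples (not real indicators) so the script runs stand-alone.
SAMPLE_PRELOAD = "/usr/lib/x86_64-linux-gnu/libhook.so\n/home/user/.config/.hider.so\n"
SAMPLE_DESKTOP = "[Desktop Entry]\nType=Application\nName=gnome-control\n" \
                 "Exec=/home/user/.config/.cache/udevd\nNoDisplay=true\n"

if __name__ == "__main__":
    for sev, msg in audit_ld_preload(SAMPLE_PRELOAD) + audit_autostart_desktop(SAMPLE_DESKTOP, "gnome-control.desktop"):
        print(f"[{sev}] {msg}")
```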

A comprehensive list of indicators of compromise associated with the two new Linux malware families and Gelsemium’s latest campaigns is available on this GitHub repository.

Bill Toulas
