CarderPlanet
Professional
Asian governments struggle with "silent" hackers.
Over a six-month period spanning 2022 and 2023, an advanced persistent threat (APT) group known as Gelsemium actively attacked governments in Southeast Asia.
The Gelsemium group has been known since 2014. Its main targets are government agencies, educational institutions and electronics manufacturers in East Asia and the Middle East. In its 2021 report, ESET described the group as "quiet", pointing to the deep technical skill that allowed it to stay in the shadows for a long time.
According to a recent report from Palo Alto Networks' Unit 42 research team, the new campaign involved rarely seen backdoors.
Gelsemium gained its foothold through web shells, presumably by exploiting vulnerabilities in Internet-facing servers. The analysis identified the web shells reGeorg, China Chopper and AspxSpy. All three are publicly available and are used by many different attacker groups, which makes attribution difficult.
Through the web shells, Gelsemium performed initial network reconnaissance, moved laterally over SMB, and loaded additional tools: OwlProxy, SessionManager, Cobalt Strike, SpoolFool and EarthWorm.
Although Cobalt Strike, EarthWorm and SpoolFool are publicly available and widely known, OwlProxy is quite unique. It previously served as an HTTP proxy and backdoor in the group's attacks on the Taiwanese government.
In the latest campaign, the attackers ran an executable on the target host which dropped a DLL (wmipd.dll) and created a system service to run it. The DLL is a modified OwlProxy that monitors incoming HTTP requests for particular URL patterns.
Another Gelsemium tool is SessionManager, a native IIS module previously documented by Kaspersky Lab researchers. SessionManager inspects incoming HTTP requests for specially crafted cookie values; these carry commands that let the attackers upload files, run programs, and even reach other systems through the infected server.
Unit 42 notes Gelsemium's persistence: the group uses multiple tools and adapts its attacks even after some of its backdoors have been blocked by security controls.
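The web shells named above leave traces in the IIS request logs long before the implant stage. The following triage script is an added example and is not code from the article, Unit 42, ESET or Kaspersky. The log excerpt is constructed, the application path baseline (KNOWN_SCRIPTS) is assumed, and the rules are heuristics rather than vendor signatures: a reGeorg tunnel is driven with cmd=CONNECT/READ/FORWARD/DISCONNECT requests to the dropped page, while a freshly planted China Chopper or AspxSpy page shows up as a burst of referrer-less POSTs to a script path the application never served before.

```python
"""Triage an IIS W3C log for web-shell traffic (added example, constructed input)."""
from collections import Counter
from urllib.parse import parse_qs

SCRIPT_EXT = (".aspx", ".ashx", ".asmx", ".asp", ".php", ".jsp")
# Commands the public reGeorg tunnel script accepts in its 'cmd' parameter.
REGEORG_CMDS = {"connect", "disconnect", "read", "forward"}
# Assumed baseline: script paths the web application is known to serve.
KNOWN_SCRIPTS = {"/portal/login.aspx", "/portal/search.aspx", "/api/status.ashx"}

# Constructed IIS log excerpt using the default W3C field set.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2023-03-01 08:00:01 10.0.0.5 GET /portal/login.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 15
2023-03-01 08:00:09 10.0.0.5 POST /portal/login.aspx - 443 - 203.0.113.7 Mozilla/5.0 https://portal.example.gov/portal/login.aspx 302 0 0 40
2023-03-01 08:01:12 10.0.0.5 POST /portal/img/upload.aspx - 443 - 198.51.100.9 Mozilla/4.0+(compatible;+MSIE+6.0) - 200 0 0 78
2023-03-01 08:01:13 10.0.0.5 POST /portal/img/upload.aspx - 443 - 198.51.100.9 Mozilla/4.0+(compatible;+MSIE+6.0) - 200 0 0 61
2023-03-01 08:01:15 10.0.0.5 POST /portal/img/upload.aspx - 443 - 198.51.100.9 Mozilla/4.0+(compatible;+MSIE+6.0) - 200 0 0 55
2023-03-01 08:05:40 10.0.0.5 GET /portal/js/tunnel.aspx cmd=CONNECT&target=10.0.0.20&port=445 443 - 198.51.100.9 python-requests/2.28 - 200 0 0 3
2023-03-01 08:05:41 10.0.0.5 POST /portal/js/tunnel.aspx cmd=FORWARD 443 - 198.51.100.9 python-requests/2.28 - 200 0 0 9
2023-03-01 08:05:41 10.0.0.5 GET /portal/js/tunnel.aspx cmd=READ 443 - 198.51.100.9 python-requests/2.28 - 200 0 0 7
"""


def parse_iis_log(text):
    """Yield one dict per request, naming columns from the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if fields is None or len(values) != len(fields):
            continue  # header missing or malformed line: skip rather than guess
        yield dict(zip(fields, values))


def find_webshell_activity(text, known_scripts=KNOWN_SCRIPTS, burst=3):
    """Return a sorted list of (rule, client_ip, path) findings."""
    findings = set()
    posts = Counter()  # (client, path) -> POSTs to non-baseline scripts
    for req in parse_iis_log(text):
        path, client = req["cs-uri-stem"].lower(), req["c-ip"]
        query = req["cs-uri-query"]
        is_script = path.endswith(SCRIPT_EXT)
        # Rule 1: reGeorg-style tunnel commands in the query string.
        params = parse_qs("" if query == "-" else query)
        cmd = params.get("cmd", [""])[0].lower()
        if is_script and cmd in REGEORG_CMDS:
            findings.add(("regeorg_tunnel", client, path))
        # Rule 2: POST to a script path outside the application baseline.
        if req["cs-method"] == "POST" and is_script and path not in known_scripts:
            findings.add(("post_to_unknown_script", client, path))
            posts[(client, path)] += 1
        # Rule 3: repeated referrer-less POSTs to that path. A browser form
        # submission carries a Referer; China Chopper/AspxSpy clients do not.
        if posts[(client, path)] >= burst and req["cs(Referer)"] == "-":
            findings.add(("referrerless_post_burst", client, path))
    return sorted(findings)


if __name__ == "__main__":
    for rule, client, path in find_webshell_activity(SAMPLE_LOG):
        print(f"{rule:25} {client:15} {path}")
```

On a real server, feed it the files under %SystemDrive%\inetpub\logs\LogFiles and build KNOWN_SCRIPTS from a clean deployment manifest rather than from the logs themselves; any flagged path should then be pulled from disk and its creation time compared with the deployment date.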
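SessionManager only sees requests because it is registered as a native IIS module, which means it must appear under globalModules in applicationHost.config. The audit below is an added example, not code from Kaspersky, Unit 42 or the article; the configuration excerpt is constructed, and BASELINE_MODULES is an assumed allow-list of module file names, not a complete inventory of the modules Microsoft ships.

```python
"""Flag native IIS modules outside a baseline in applicationHost.config (added example)."""
import ntpath
import xml.etree.ElementTree as ET

# Assumed baseline of module image file names (lowercase) shipped with IIS.
BASELINE_MODULES = {
    "cachuri.dll", "cachfile.dll", "compstat.dll", "defdoc.dll", "dirlist.dll",
    "protsup.dll", "static.dll", "authanon.dll", "modrqflt.dll", "custerr.dll",
    "loghttp.dll", "iisreqs.dll", "iis_ssi.dll", "isapi.dll", "aspnetcore.dll",
}

# Constructed excerpt of %windir%\System32\inetsrv\config\applicationHost.config.
# The last two entries are made-up examples of what a rogue module looks like.
SAMPLE_CONFIG = """\
<configuration>
  <system.webServer>
    <globalModules>
      <add name="UriCacheModule" image="%windir%\\System32\\inetsrv\\cachuri.dll" />
      <add name="StaticFileModule" image="%windir%\\System32\\inetsrv\\static.dll" />
      <add name="AnonymousAuthenticationModule" image="%windir%\\System32\\inetsrv\\authanon.dll" />
      <add name="IsapiModule" image="%windir%\\System32\\inetsrv\\isapi.dll" />
      <add name="CacheRefreshModule" image="C:\\Windows\\Temp\\cacherefresh.dll" />
      <add name="SessionCacheModule" image="%windir%\\System32\\inetsrv\\sesscache.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""


def audit_global_modules(config_xml, baseline=BASELINE_MODULES):
    """Return [(module name, image path, reason)] for every non-baseline module."""
    root = ET.fromstring(config_xml)
    findings = []
    for global_modules in root.iter("globalModules"):
        for add in global_modules.findall("add"):
            name, image = add.get("name"), add.get("image")
            if name is None or image is None:
                continue
            directory, filename = ntpath.split(image)
            # Accept both the %windir% form and an expanded C:\Windows path.
            if not directory.lower().endswith(r"\system32\inetsrv"):
                findings.append((name, image, "image outside inetsrv directory"))
            elif filename.lower() not in baseline:
                findings.append((name, image, "unknown module file in inetsrv"))
    return findings


if __name__ == "__main__":
    for name, image, reason in audit_global_modules(SAMPLE_CONFIG):
        print(f"{name}: {image} ({reason})")
```

A path-and-name baseline is a quick first pass; on a live host the decisive check is whether each image is Microsoft-signed (for example with Get-AuthenticodeSignature in PowerShell), and the same approach applies to the service created for wmipd.dll: list services whose binary lives outside the expected system directories or whose image is unsigned.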