Invisible threats are becoming a global problem.
A new Linux backdoor called WolfsBane has been discovered; researchers assess it to be a port of Windows malware previously used by Gelsemium, a China-aligned APT group. Analysis shows that WolfsBane is a complete toolchain consisting of a dropper, a loader, and a backdoor, and that it uses a modified open-source rootkit to evade detection.
A second Linux sample, FireWood, has also been identified; it is related to the Windows malware known as Project Wood. FireWood is more likely a tool shared among several Chinese APT groups than an exclusive Gelsemium development.
Researchers attribute the growing interest of APT groups in Linux systems to hardening on the Windows side: wider deployment of endpoint protection tools and the blocking of VBA macros by default. This pushes attackers toward other entry points, including the exploitation of vulnerabilities in Linux systems.
WolfsBane reaches target systems via a dropper named "cron" that masquerades as a KDE desktop component. Depending on the privileges it runs with, the dropper disables SELinux, modifies system configuration files, or creates service files to establish persistence. It then starts a loader, which activates the backdoor component by decrypting and loading three encrypted libraries that carry the core functionality and the C&C communication configuration.
For stealth, WolfsBane uses a modified version of the open-source BEURK rootkit, registered in "/etc/ld.so.preload" so that it is preloaded into every dynamically linked process, where it hides the malware's processes, files and network traffic. The backdoor's main job is to execute commands received from the C&C server, which lets the attackers perform file operations, exfiltrate data and take control of the system.
FireWood, whose link to Gelsemium is weaker, is likewise a capable tool for long-running espionage campaigns. It lets operators execute commands, perform file operations, load and unload libraries, and hide processes with a rootkit. For persistence, FireWood places a file in the user's ".config/autostart/" directory, whose commands are executed when the user logs in to the desktop session.
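The three footholds described above (an entry in /etc/ld.so.preload, a disabled SELinux configuration, and an XDG autostart entry) are all plain files, so a responder can check for them from a shell. The script below is an added triage example written for this article; it is not ESET's tooling and not derived from either malware sample. It assumes only a POSIX shell, coreutils, grep and sed, and every path is parameterised so the functions can be pointed at a mounted disk image as well as at the live system. Paths, names and the "suspicious location" heuristic are the author's assumptions, not indicators from the report.

```shell
#!/bin/sh
# Persistence triage for the mechanisms described in the article (added example).
# Each function takes an optional path so it works on a mounted image (e.g. /mnt/evidence)
# as well as on the running host. Pattern strings below are assumptions, not published IOCs.

# List every library registered in an ld.so.preload file, one per line. The file is
# normally empty or absent; any entry means something is injected into every
# dynamically linked process. A missing target hints the rootkit is hiding its own file.
ld_preload_entries() {
    file="${1:-/etc/ld.so.preload}"
    [ -f "$file" ] || return 0
    grep -v -e '^[[:space:]]*$' -e '^[[:space:]]*#' "$file" | while IFS= read -r lib; do
        if [ -e "$lib" ]; then
            printf '%s\n' "$lib"
        else
            printf '%s (missing on disk: hidden or cleaned up?)\n' "$lib"
        fi
    done
    return 0
}

# Number of active ld.so.preload entries (0 on a clean system).
ld_preload_count() {
    ld_preload_entries "${1:-/etc/ld.so.preload}" | wc -l | tr -d ' '
}

# Persistent SELinux mode from /etc/selinux/config (enforcing, permissive, disabled).
# A dropper running as root that switches this to "disabled" survives a reboot,
# whereas `setenforce 0` alone does not, so the file is worth reading directly.
selinux_config_mode() {
    conf="${1:-/etc/selinux/config}"
    if [ ! -f "$conf" ]; then
        echo "not configured"
        return 0
    fi
    mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$conf" | tail -n 1)
    echo "${mode:-not set}"
}

# Print "<file>: <Exec command>" for each XDG autostart entry in DIR. These run at
# desktop login, which is the persistence path attributed to FireWood. Commands that
# live in a temp directory or a hidden directory are flagged (heuristic, assumption).
autostart_exec_lines() {
    dir="${1:-${HOME:-/root}/.config/autostart}"
    [ -d "$dir" ] || return 0
    for f in "$dir"/*.desktop; do
        [ -f "$f" ] || continue
        cmd=$(sed -n 's/^Exec=//p' "$f" | head -n 1)
        flag=""
        case "$cmd" in
            /tmp/*|/var/tmp/*|/dev/shm/*|*/.*/*) flag=" [runs from a temp or hidden directory]" ;;
        esac
        printf '%s: %s%s\n' "$(basename "$f")" "$cmd" "$flag"
    done
}

# Run all checks against ROOT (empty = live system).
persistence_triage() {
    root="${1:-}"
    printf '== ld.so.preload entries: %s\n' "$(ld_preload_count "$root/etc/ld.so.preload")"
    ld_preload_entries "$root/etc/ld.so.preload"
    printf '== SELinux configured mode: %s\n' "$(selinux_config_mode "$root/etc/selinux/config")"
    printf '== XDG autostart entries (root and /home/*)\n'
    for d in "$root"/root "$root"/home/*; do
        autostart_exec_lines "$d/.config/autostart"
    done
}

persistence_triage "${1:-}"
```

One caveat that matters precisely because of how WolfsBane hides: a rootkit loaded through ld.so.preload hooks the libc calls that sh, grep and sed use to open and read files, so on a live host it can lie to this script about its own entry. Run the checks from a statically linked shell and utilities, or boot the disk from trusted media and point `persistence_triage` at the mount point.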
Both samples show the effort APT groups are putting into extending their operations to Linux platforms. A detailed list of indicators of compromise for these campaigns is available on GitHub.
Source