Chinese APT Gelsemium Deploys Wolfsbane Linux Variant

Published: 23/11/2024   Category: security




In a sign of the times, a backdoor malware whose ancestors date back to 2005 has morphed to target Linux systems.



Two well-documented Chinese backdoors have recently been modified to operate on Linux systems. The advanced persistent threat (APT) Gelsemium is a decade old now, and the new malware tied to the group, Wolfsbane and Firewood, can trace their lineage back to 2005. Throughout its history, Gelsemium has focused on information gathering from Windows systems. Now, it has adjusted its tooling to operate just as effectively in Linux environments.

This, experts say, is merely the latest manifestation of a long-brewing trend.
"The Linux malware landscape is certainly accelerating," says Jason Soroko, senior fellow at Sectigo. "The increase does make sense, as organizations have heavily adopted Linux for their back-office server needs, both on premises and in the cloud. Adversaries are developing cross-platform malware to maximize their reach."
The first public sample of the first new backdoor, dubbed Wolfsbane, was uploaded to VirusTotal on March 6, 2023, from Taiwan, with later uploads coming from the Philippines and Singapore (historically, Gelsemium has targeted entities in the Middle East and East Asia).
Contextual evidence suggests that the malware's authors have been exploiting vulnerabilities in Java Web applications to gain access to public-facing Apache Tomcat servers. A deeper look inside reveals unmistakable overlaps with Gelsevirine, a Windows backdoor known to be used by Gelsemium. In essence, Wolfsbane is a Linux port of Gelsevirine, bundled with a modified BEURK (Beurk Experimental Unix RootKit), an open source LD_PRELOAD-based userland rootkit, to hide its files, processes and network activity.
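A BEURK-style userland rootkit works by having the dynamic loader preload a malicious shared object into every process (via /etc/ld.so.preload or the LD_PRELOAD variable) so that hooked libc functions such as readdir and open can hide files and processes. The following triage script is an added example, not code from the article, ESET or the Gelsemium tooling: it reads the three places such a preload leaves traces (the preload file, a process's environment, and its /proc maps) and flags any mapped file that is not under a standard library directory. The trusted-prefix list and the sample host data are constructed assumptions, labelled as such in the code.

```python
"""Triage check for LD_PRELOAD-style userland rootkits (added example).

Runs offline against constructed sample data; run it as a script on a live
Linux host (optionally with a PID argument) to inspect that host instead.
"""
import sys

# Assumption: shared objects legitimately installed by the OS or package
# manager live under these prefixes. Anything mapped from elsewhere (for
# example /tmp, /dev/shm or a hidden dot-directory) deserves a human look.
# Expect benign hits from venvs or vendor software under /opt or /home.
TRUSTED_LIB_PREFIXES = (
    "/lib/", "/lib64/", "/lib32/", "/usr/lib/", "/usr/lib64/", "/usr/lib32/",
    "/usr/local/lib/", "/usr/libexec/", "/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
)


def parse_ld_preload(text):
    """Return the library paths listed in /etc/ld.so.preload.

    ld.so accepts one or more whitespace-separated paths per line and
    treats '#' as a comment character.
    """
    libs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            libs.extend(line.split())
    return libs


def parse_environ(raw):
    """Return the LD_PRELOAD value from a /proc/<pid>/environ blob (NUL-separated)."""
    for entry in raw.split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            return entry[len(b"LD_PRELOAD="):].decode(errors="replace")
    return ""


def mapped_files(maps_text):
    """Return the unique file-backed mappings from /proc/<pid>/maps.

    Each line is 'address perms offset dev inode [pathname]'; pseudo-mappings
    such as [stack] or [vdso] and anonymous mappings have no '/' pathname.
    """
    paths = set()
    for line in maps_text.splitlines():
        parts = line.split(None, 5)
        if len(parts) == 6 and parts[5].startswith("/"):
            paths.add(parts[5])
    return sorted(paths)


def unexpected_mappings(paths):
    """Filter mapped files down to those outside the trusted prefixes."""
    return [p for p in paths if not p.startswith(TRUSTED_LIB_PREFIXES)]


def assess(preload_text, environ_raw, maps_text):
    """Combine the three checks; an empty dict means no preload indicators."""
    findings = {}
    preload = parse_ld_preload(preload_text)
    if preload:
        findings["ld.so.preload"] = preload
    env_preload = parse_environ(environ_raw)
    if env_preload:
        findings["LD_PRELOAD"] = env_preload.split(":")
    odd = unexpected_mappings(mapped_files(maps_text))
    if odd:
        findings["unexpected_mappings"] = odd
    return findings


def collect_live(pid="self"):
    """Read the real artefacts from a running Linux host (empty on failure)."""
    def read(path, binary=False):
        try:
            with open(path, "rb" if binary else "r") as fh:
                return fh.read()
        except OSError:
            return b"" if binary else ""
    return (read("/etc/ld.so.preload"),
            read(f"/proc/{pid}/environ", binary=True),
            read(f"/proc/{pid}/maps"))


# Constructed sample data (not a real capture): a host whose loader preloads a
# library dropped into a hidden /tmp directory, as a BEURK-style rootkit does.
SAMPLE_PRELOAD = "# libc hardening\n/tmp/.X11-unix/libselinux.so\n"
SAMPLE_ENVIRON = b"HOME=/root\0LD_PRELOAD=/tmp/.X11-unix/libselinux.so\0PATH=/usr/bin\0"
SAMPLE_MAPS = (
    "55d0e1c00000-55d0e1d00000 r--p 00000000 fd:01 1234 /usr/bin/bash\n"
    "7f3a10000000-7f3a10200000 r-xp 00000000 fd:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6\n"
    "7f3a10400000-7f3a10410000 r-xp 00000000 fd:01 9012 /tmp/.X11-unix/libselinux.so\n"
    "7ffd2a000000-7ffd2a021000 rw-p 00000000 00:00 0 [stack]\n"
)

if __name__ == "__main__":
    pid = sys.argv[1] if len(sys.argv) > 1 else "self"
    print("sample host:", assess(SAMPLE_PRELOAD, SAMPLE_ENVIRON, SAMPLE_MAPS))
    print("this host:  ", assess(*collect_live(pid)) or "no preload indicators found")
```

The /proc/<pid>/maps check is the one to trust most: a preload rootkit that hooks open() or fopen() can make /etc/ld.so.preload appear absent to every dynamically linked program on the box, but its own library still shows up in the kernel-generated maps of each process it has infected. When the preload file reads as empty yet the mappings check flags a library, or a statically linked tool shows a file that dynamically linked tools do not, treat the host as compromised and collect evidence from outside it (a known-good live image or a copy of the disk) rather than from the running system.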
Alongside Wolfsbane, though not definitively attributable to Gelsemium, was a second Linux-ported backdoor, Firewood. In addition to its varied and typical backdoor capabilities, it possesses a kernel-level rootkit.
Most interestingly, Firewood appears to be the latest evolution of Project Wood, a family of backdoors that traces back generations to a program first compiled in January 2005. The previous manifestation of Project Wood before Firewood, NSPX30, was reported earlier this year.
Cyber threats rise across the board every year, but the particular rise in Linux-based threats stands out. 
Since at least 2020, vendors have tracked double- and triple-digit year-over-year increases in Linux attacks. In its annual Global Threat Report, Elastic Security has regularly found that the Linux threat landscape vastly outpaces that of macOS, more closely resembling Windows in terms of sheer volume of attacks. In 2023, for example, it found that 54% of endpoint attacks affected Linux-based devices, compared with just 39% for Windows.
"Over the past 12 months, around 32% of malware infections have targeted Linux," according to Jake King, Elastic's head of threat and security intelligence. "While steadily increasing, we are seeing greater volumes of attacks and, in some cases, with greater levels of sophistication."

"The XZ/liblzma backdoor discovered by researchers earlier this year shows the desire of adversaries to compromise Linux hosts, likely for a variety of reasons, growing in sophistication to supply chain compromise," he says.
The rising threats to Linux may be attributable to an increasing adoption of Linux in enterprise environments, as Soroko alluded to, or to the generally improving state of Windows security (the explanation ESET went with in its blog post), or to something simpler still: defenders are looking harder.
"One of the reasons for growing observations can always be targeted to adversarial focus changing, but it is also likely that security tooling and telemetry for Linux hosts are improving at a pace whereby attacks are identified earlier, with a greater level of context," King suggests. "For example, a growing trend for threat observations this year was Impaired Defenses for Linux, showing that adversaries are specifically looking to bypass security tools native to Linux or disable third-party security tools. This is important, as it shows we're exposing many attacks that would have previously gone undetected years ago."
