ESET researchers have recently discovered a new Linux backdoor, named WolfsBane, that is being used by the China-aligned Gelsemium APT group. This is the first known instance of Gelsemium using Linux malware. The backdoor is designed to steal sensitive data, including system information, user credentials, and specific files and directories.
WolfsBane is a Linux version of Gelsevirine, a Windows backdoor that Gelsemium has been using since 2014. The backdoor is distributed with a dropper posing as a genuine command scheduling tool. Once executed, the dropper installs the WolfsBane launcher and backdoor on the target system. The launcher is disguised as a KDE desktop component, while the backdoor is hidden as a system service.
The WolfsBane backdoor communicates with a command and control (C&C) server over a custom network protocol. It can execute commands, download files, and upload files to the C&C server. It can also conceal its presence on the system by modifying system configuration files.
In addition to WolfsBane, ESET researchers identified another Linux backdoor, called FireWood, which is linked to the Project Wood malware. Gelsemium has previously used Project Wood, a Windows backdoor; FireWood is its Linux version and is likewise designed to steal sensitive information.
Researchers believe the shift to Linux malware is driven by improvements in Windows endpoint security. As a result, threat actors are exploring new attack avenues, increasingly focusing on exploiting vulnerabilities in internet-facing systems, most of which run Linux.
The discovery of WolfsBane and FireWood serves as a reminder that Linux systems are also targets. Organizations must understand the danger that Linux malware poses and adopt the necessary security measures to protect their systems. This includes using strong passwords, keeping software updated, and exercising caution when downloading and running files.
Source: WeLiveSecurity