
Chinese hackers exploit Linux with new WolfsBane malware


ESET researchers have recently discovered a new Linux backdoor, named WolfsBane, that is being used by the China-aligned Gelsemium APT group. This is the first known instance of Gelsemium using Linux malware. The backdoor is designed to steal sensitive data, including system information, user credentials, and specific files and directories.

WolfsBane is a Linux version of Gelsevirine, a Windows backdoor that Gelsemium has been using since 2014. The backdoor is distributed with a dropper posing as a genuine command scheduling tool. Once executed, the dropper installs the WolfsBane launcher and backdoor on the target system. The launcher is disguised as a KDE desktop component, while the backdoor is hidden as a system service.

The WolfsBane backdoor communicates with a command and control (C&C) server via a custom network protocol. The backdoor can run commands, download files, and upload them to the C&C server. The backdoor can also hide its existence on the system by changing the system's configuration files.
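The two persistence styles described above, a launcher dropped as a desktop autostart entry and a backdoor registered as a system service, suggest one cheap defensive check: every autostart or service entry on a host should start a program that an installed package owns. The script below is an added example written for this article; it is not ESET's tooling or anything from the report. It assumes a Debian-family host where `dpkg -S` can answer ownership questions (on RPM systems `rpm -qf` plays the same role), and the sample entries, paths and package names in it are constructed for the demonstration, not indicators from the report.

```python
"""
Added example (not from the ESET report or the article): audit systemd
service units and desktop autostart entries and report those whose
program is not owned by any installed package. Paths, sample entries
and package names below are constructed for the demonstration.
"""
import os
import re
import shlex
import subprocess
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Directories where systemd units and XDG/KDE autostart entries normally live.
UNIT_DIRS = ["/etc/systemd/system", "/usr/lib/systemd/system", "/lib/systemd/system"]
AUTOSTART_DIRS = ["/etc/xdg/autostart", os.path.expanduser("~/.config/autostart")]

# Matches "ExecStart=" in a unit file or "Exec=" in a .desktop file (first hit only).
_EXEC_RE = re.compile(r"^\s*(ExecStart|Exec)\s*=\s*(.+?)\s*$", re.MULTILINE)


def exec_program(entry_text: str) -> Optional[str]:
    """Return the program path started by the entry, or None if it has no Exec line."""
    m = _EXEC_RE.search(entry_text)
    if not m:
        return None
    # systemd allows prefix characters such as '-' or '@' before the program path.
    cmd = m.group(2).lstrip("-@:+!")
    try:
        argv = shlex.split(cmd)
    except ValueError:
        return None
    return argv[0] if argv else None


def dpkg_owner(path: str) -> Optional[str]:
    """Ask dpkg which package owns `path`; None if unowned or dpkg is unavailable."""
    try:
        out = subprocess.run(["dpkg", "-S", path], capture_output=True, text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    if out.returncode != 0:
        return None
    # dpkg -S prints "package: /path"; keep the package name.
    return out.stdout.split(":", 1)[0].strip() or None


def audit_entries(entries: Dict[str, str],
                  owner_of: Callable[[str], Optional[str]]) -> List[Tuple[str, str]]:
    """
    entries: mapping of entry file path -> file contents.
    owner_of: callable path -> owning package name or None (injectable for testing).
    Returns (entry path, program) pairs whose program no package owns.
    """
    suspicious = []
    for entry_path, text in entries.items():
        prog = exec_program(text)
        if prog is not None and owner_of(prog) is None:
            suspicious.append((entry_path, prog))
    return suspicious


def load_entries(dirs: Iterable[str]) -> Dict[str, str]:
    """Read every .service and .desktop file found directly in the given directories."""
    entries: Dict[str, str] = {}
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in os.listdir(d):
            p = os.path.join(d, name)
            if os.path.isfile(p) and name.endswith((".service", ".desktop")):
                try:
                    with open(p, encoding="utf-8", errors="replace") as fh:
                        entries[p] = fh.read()
                except OSError:
                    continue
    return entries


# Constructed sample data: one package-owned service, one service and one
# autostart entry whose programs no package owns (the pattern to flag).
SAMPLE_ENTRIES = {
    "/etc/systemd/system/cron.service": "[Service]\nExecStart=/usr/sbin/cron -f\n",
    "/etc/systemd/system/example-sync.service":
        "[Service]\nExecStart=-/usr/local/lib/example-sync --daemon\n",
    "/etc/xdg/autostart/example-helper.desktop":
        "[Desktop Entry]\nExec=/opt/example/helper %u\n",
}
SAMPLE_OWNERS = {"/usr/sbin/cron": "cron"}


def sample_owner(path: str) -> Optional[str]:
    """Ownership oracle over the constructed sample data."""
    return SAMPLE_OWNERS.get(path)


if __name__ == "__main__":
    # Real run: walk the live directories and consult dpkg.
    for entry, prog in audit_entries(load_entries(UNIT_DIRS + AUTOSTART_DIRS), dpkg_owner):
        print(f"unowned program {prog} is started by {entry}")
```

An entry that starts an unowned program is not proof of compromise (locally built daemons and vendor installers also land outside the package database), but on a server with a known build it is a short list worth reviewing by hand, and it is the place a disguised "KDE component" or "system service" would show up.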

In addition to WolfsBane, ESET researchers identified another Linux backdoor, called FireWood, which is linked to Project Wood, a Windows backdoor Gelsemium has used in the past. FireWood is the Linux version of Project Wood, and it is likewise designed to steal sensitive information.

Researchers believe the shift to Linux malware is due to improvements in Windows endpoint security. As a result, threat actors are exploring new attack avenues, increasingly focusing on exploiting flaws in internet-facing systems, most of which run on Linux.

The discovery of WolfsBane and FireWood serves as a reminder that Linux systems are vulnerable to attacks. Organizations must understand the danger that Linux malware poses and adopt the necessary safety measures to protect their systems. These include using strong passwords, keeping software updated, and exercising caution when downloading and running files.

Source: WeLiveSecurity
