Full Report
The China-aligned advanced persistent threat (APT) actor known as Gelsemium has been observed using a new Linux backdoor dubbed WolfsBane as part of cyber attacks likely targeting East and Southeast Asia. That's according to findings from cybersecurity firm ESET based on multiple Linux samples uploaded to the VirusTotal platform from Taiwan, the Philippines, and Singapore in March 2023.
Analysis Summary
# Threat Actor: Gelsemium
## Attribution & Identity
Attributed as a China-aligned Advanced Persistent Threat (APT) actor. Associated with the previously documented Gelsevirine Windows backdoor. Low confidence connection to a separate malware toolset known as "Project Wood."
## Activity Summary
Observed using a new Linux backdoor named **WolfsBane** in cyberattacks. Activity involving WolfsBane was detected in March 2023. The actor also utilizes an undocumented implant named **FireWood**. The goal of these operations is cyber espionage focused on intelligence gathering.
## Tactics, Techniques & Procedures
- Utilizing custom backdoors, specifically **WolfsBane** (Linux) and **Gelsevirine** (Windows).
- Employing the **FireWood** implant.
- Suspected initial access involves exploiting an unknown web application vulnerability to drop web shells for persistent remote access.
- Using a dropper to deliver the WolfsBane backdoor.
- Employing a modified open-source **BEURK** userland rootkit to conceal activities on Linux hosts.
- Capable of executing commands received from attacker-controlled servers for stealthy intelligence gathering.
## Targeting
- Sectors: Not explicitly stated, but the objective (cyber espionage targeting sensitive data) implies government, defense, or critical infrastructure organizations.
- Geography: Targeting observed in East and Southeast Asia. Specific sightings of Linux samples originate from **Taiwan, the Philippines, and Singapore**.
- Victims: Specific organizations were not named, but the targeting is focused on obtaining "sensitive data such as system information, user credentials, and specific files and directories."
## Tools & Infrastructure
- Malware families used:
  - **WolfsBane** (new Linux backdoor)
  - **Gelsevirine** (older Windows backdoor)
  - **FireWood** (undocumented implant)
- Infrastructure: Uses attacker-controlled servers for command execution. Initial access potentially involves C2 via web shells planted through vulnerability exploitation. (No specific C2 IPs/domains were provided in the summary text).
## Implications
Gelsemium is actively updating its capabilities, demonstrated by the deployment of the Linux-specific WolfsBane backdoor, indicating sustained focus on non-Windows environments, likely in the APAC region. The incorporation of a rootkit (modified BEURK) highlights their commitment to evasion and maintaining long-term persistent access for intelligence exfiltration.
## Mitigations
- Focus defensive efforts on Linux systems, as they are a specific current target for Gelsemium.
- Implement robust detection mechanisms for web shell activity to cut off the initial access path (web shell, then dropper) before the backdoor is delivered.
- Monitor for the deployment of userland rootkits such as the modified BEURK, which the actor uses to conceal its activity on Linux hosts.
- Harden web applications, since exploitation of a web application vulnerability is the likely initial access vector.
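One way to act on the rootkit-monitoring item above: an added example (not code from ESET or the report) that parses `/etc/ld.so.preload`, the usual hook point for LD_PRELOAD userland rootkits, and cross-checks the `/proc` listing against `kill(pid, 0)`, which a `readdir()` hook cannot filter. The sample preload file and the library path in it are constructed placeholders, not indicators from the report.

```python
import os
from typing import Iterable, Set

# Constructed sample ld.so.preload; the second path is a placeholder, not a real indicator.
SAMPLE_PRELOAD = "/usr/lib/x86_64-linux-gnu/libselinux.so\n# vendor note\n/lib/libexample_hook.so\n"


def preload_entries(text: str) -> list:
    """Libraries listed in ld.so.preload (one per line; '#' comments and blanks ignored).
    Every entry is injected into each dynamically linked process, so each must be
    accounted for by a known package."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.append(line)
    return entries


def hidden_pids(listed: Iterable[int], probed: Iterable[int]) -> Set[int]:
    """PIDs that answered a probe but were missing from the /proc listing.
    A preload rootkit hooking readdir() filters what ls/ps see, but kill(pid, 0)
    is a direct syscall and still reports that the process exists."""
    return set(probed) - set(listed)


def probe_pid(pid: int) -> bool:
    """True if a process (or thread) with this id exists; signal 0 delivers nothing."""
    try:
        os.kill(pid, 0)
        return True
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # exists, owned by another user


def is_thread_id(pid: int) -> bool:
    """kill() also accepts thread ids, so drop ids whose Tgid differs from the id."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except OSError:
        return False  # status unreadable: keep it flagged for a human to check
    return False


def scan_live(max_pid: int = 32768) -> Set[int]:
    """Cross-check /proc against kill(pid, 0) on the running Linux host."""
    listed = {int(n) for n in os.listdir("/proc") if n.isdigit()}
    probed = {pid for pid in range(1, max_pid + 1) if probe_pid(pid)}
    return {pid for pid in hidden_pids(listed, probed) if not is_thread_id(pid)}
```

Processes that start between the listing and the probe show up as false positives, so run `scan_live()` twice and keep only the PIDs flagged both times.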