Full Report
ESET researchers have identified two Linux backdoors, WolfsBane and FireWood, linked to the China-aligned Gelsemium APT group. WolfsBane is the Linux counterpart of Gelsevirine, a Windows backdoor, and is attributed to Gelsemium with high confidence due to shared features like...
Analysis Summary
# Threat Actor: Gelsemium
## Attribution & Identity
* **Actor Identification:** Gelsemium APT group.
* **Known Aliases and Associated Groups:** China-aligned APT group. The report links WolfsBane to Gelsevirine, a known Windows backdoor from this group. The attribution of FireWood to Gelsemium is lower confidence; FireWood is potentially related to the group's Project Wood malware.
## Activity Summary
* **Recent Campaigns and Operations:** ESET researchers identified two new Linux backdoors, WolfsBane and FireWood, representing Gelsemium's first known use of Linux malware. This suggests an adaptation to hardening security postures, particularly in Windows environments, that pushes operators toward Linux targets.
* **Historical Context (Inferred):** Previously active with Windows malware (Gelsevirine, Project Wood).
## Tactics, Techniques & Procedures
* **Observed Techniques:** Web shell deployment; creation of an SSH backdoor via a trojanized SSH client; use of kernel modules for process hiding (FireWood).
* **Malware Execution/Structure:** WolfsBane uses a dropper, launcher, and backdoor execution chain.
* **Communication:** FireWood uses TEA-encrypted C&C communications.
* **Persistence/Access:** Maintenance of persistent access via backdoors and the use of rootkits.
## Targeting
* **Sectors:** Not stated; the use of cyberespionage tooling implies environments holding sensitive data.
* **Geography:** Samples discovered during incident responses primarily associated with **East Asia**, with VirusTotal uploads originating from **Taiwan, the Philippines, and Singapore.**
* **Victims:** Not specifically named, but focused on environments containing sensitive data.
## Tools & Infrastructure
* **Malware Families Used:**
  * **WolfsBane:** Linux backdoor, counterpart to the Windows Gelsevirine backdoor.
  * **FireWood:** Linux backdoor, potentially related to Project Wood.
  * Other tools included web shells and rootkits.
* **Infrastructure:**
  * Customized (trojanized) SSH client.
  * TEA-encrypted C&C communications (FireWood).
  * *No specific domains or IPs were provided in the context.*
## Implications
* **Strategic Shift:** The adoption of dedicated Linux malware (WolfsBane and FireWood) signals Gelsemium's broadening focus beyond Windows systems, likely in response to increased security hardening on that platform.
* **Objective:** The primary motivation appears to be long-term **cyberespionage** and **data exfiltration**.
## Mitigations
* Implement enhanced detection and response capabilities for Linux endpoints, specifically monitoring for kernel module loading (the technique FireWood uses for process hiding) and unusual SSH activity.
* Monitor for unknown or custom-encrypted network traffic patterns, such as the TEA-encrypted C&C traffic used by FireWood, that indicate suspected C&C communications.
* Harden SSH configurations, verify the integrity of SSH client binaries against package baselines, and monitor for unauthorized access or persistence mechanisms such as the trojanized client used to create backdoors.
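The kernel-module monitoring recommended above, as an added detection example that is not part of the ESET report or the summary: it parses auditd-style SYSCALL records and flags module loads that fail, originate from writable staging paths, or are issued by a binary outside an assumed loader baseline. The audit lines, paths and loader allowlist are constructed for illustration and are not indicators from the report.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed auditd-style SYSCALL records (invented paths, ids and names).
SAMPLE_AUDIT = [
    'type=SYSCALL msg=audit(1700000000.101:201): syscall=finit_module success=yes exe="/usr/bin/kmod" comm="modprobe" uid=0',
    'type=SYSCALL msg=audit(1700000000.202:202): syscall=init_module success=yes exe="/tmp/.cache/ld" comm="ld" uid=0',
    'type=SYSCALL msg=audit(1700000000.303:203): syscall=execve success=yes exe="/usr/bin/ssh" comm="ssh" uid=1000',
    'type=SYSCALL msg=audit(1700000000.404:204): syscall=finit_module success=no exe="/usr/bin/kmod" comm="insmod" uid=1000',
]

# Syscalls that load or unload kernel modules.
MODULE_SYSCALLS = {"init_module", "finit_module", "delete_module"}
# Assumed baseline of loader binaries (modprobe/insmod/rmmod are kmod symlinks
# on many distributions); adjust to the fleet's actual baseline.
TRUSTED_LOADERS = {"/usr/bin/kmod", "/bin/kmod", "/usr/sbin/kmod", "/sbin/kmod"}
# Writable staging locations from which a legitimate module load is not expected.
SUSPICIOUS_PREFIXES = ("/tmp/", "/dev/shm/", "/var/tmp/", "/home/")

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_line(line: str) -> Dict[str, str]:
    """Split one auditd record into a key/value dict, stripping quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def classify_module_event(rec: Dict[str, str]) -> Optional[str]:
    """Label module load/unload records; non-module syscalls return None."""
    if rec.get("syscall") not in MODULE_SYSCALLS:
        return None
    if rec.get("success") != "yes":
        return "module-load-failed"          # failed attempt: still worth review
    exe = rec.get("exe", "")
    if exe.startswith(SUSPICIOUS_PREFIXES):
        return "module-load-from-writable-path"
    if exe not in TRUSTED_LOADERS:
        return "module-load-untrusted-loader"
    return "module-load-baseline"           # expected loader, successful load


def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (audit msg id, label, exe) for every record that is not baseline."""
    alerts = []
    for line in lines:
        rec = parse_audit_line(line)
        label = classify_module_event(rec)
        if label and label != "module-load-baseline":
            alerts.append((rec.get("msg", ""), label, rec.get("exe", "")))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_AUDIT):
        print(alert)
```

On a real host, feed the output of `ausearch -sc init_module -sc finit_module -sc delete_module` into `scan` and tune the loader baseline before alerting.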