Full Report
ESET researchers analyzed previously unknown Linux backdoors that are connected to known Windows malware used by the China-aligned Gelsemium group, and to Project Wood
Analysis Summary
# Threat Actor: Gelsemium
## Attribution & Identity
* **Primary Identification:** China-aligned Advanced Persistent Threat (APT) group.
* **Known Aliases/Associations:** The name *Gelsemium* originates from a possible translation of the name 狼毒草 found in a report by VenusTech.
* **Associated Malware:** Gelsevirine (Windows backdoor), Gelsemine (dropper), WolfsBane (new Linux counterpart to Gelsevirine).
* **Potentially Associated Malware (Low Confidence):** FireWood, which is connected to Project Wood (used in Operation TooHash).
## Activity Summary
ESET researchers identified samples of previously undocumented Linux backdoors, primarily **WolfsBane**, which are attributed with high confidence to Gelsemium. This marks the first public reporting of Gelsemium utilizing Linux-specific malware. The samples were discovered in archives uploaded to VirusTotal in 2023 originating from Taiwan, the Philippines, and Singapore, likely resulting from incident response efforts on compromised servers. Gelsemium has a history dating back to 2014 and has previously targeted entities in Eastern Asia and the Middle East.
## Tactics, Techniques & Procedures
The discovered tools are designed for cyberespionage to maintain persistent access and stealthily execute commands for intelligence gathering.
* **Persistence & Privilege Escalation:** Abuse of `setuid` and `setgid` mechanisms for maintaining escalated privileges.
* **Defense Evasion:**
    * Indicator Removal: File Deletion (WolfsBane dropper removes itself) [T1070.004].
    * Indicator Removal: Timestomp (FireWood modifies file MAC times) [T1070.006].
    * Indicator Removal: Clear Persistence (WolfsBane dropper removes itself from disk) [T1070.009].
    * Hiding Artifacts: Installation in hidden folders [T1564.001].
    * File Permissions Modification: Use of `chmod` commands to modify permissions of dropped executables [T1222.002].
    * Obfuscation: Payloads are compressed and embedded in the WolfsBane dropper [T1027.009].
    * Rootkit: Both WolfsBane and FireWood use associated rootkits for evasion [T1014].
    * Masquerading: Malware names often match legitimate files or folders [T1036.005].
* **Discovery:** System Information Discovery (WolfsBane enumerates system details) [T1082] and File and Directory Discovery (FireWood searches the file system) [T1083].
* **Collection:** Input Capture, specifically SSH password stealing to harvest user credentials [T1056].
* **Exfiltration:** Exfiltration Over C2 Channel for collected data (FireWood capability) [T1041].
* **Initial Access Components:** Utilizes droppers and launchers (e.g., Gelsemine dropper equivalent). WolfsBane uses a modified open-source userland rootkit.
## Targeting
* **Sectors:** Not explicitly defined, but the objective is cyberespionage targeting sensitive data.
* **Geography:** Previously targeted **Eastern Asia and the Middle East**. Recent samples analyzed originated from compromised servers in **Taiwan, the Philippines, and Singapore**.
* **Victims:** Entities targeted for **cyberespionage**, focusing on sensitive data such as system information, user credentials, and specific files/directories.
## Tools & Infrastructure
* **Malware Families Used:**
    * WolfsBane (new Linux backdoor)
    * FireWood (Linux backdoor, low-confidence association)
    * Gelsevirine (Windows counterpart)
    * Webshells (based on publicly available code)
    * Simple utility tools
* **Infrastructure (C2, domains, IPs):** No specific domains, IPs, or C2 infrastructure were provided in the summary text, though FireWood utilizes C&C communications for exfiltration.
## Implications
Gelsemium exhibits a notable shift toward Linux malware, likely in response to improved Windows security controls (EDR, VBA macro restrictions). This indicates an increased threat to internet-facing systems and infrastructure predominantly running Linux, and signals a proactive adaptation by the actor to maintain its espionage operations. The use of rootkits and the lineage from Gelsevirine to its Linux successor WolfsBane suggest a mature and evolving capability focused on long-term intelligence gathering.
## Mitigations
* Enhance monitoring and protection for Linux environments, recognizing the APT focus on internet-facing Linux systems.
* Implement strong application whitelisting and strict file permission controls on Linux servers.
* Monitor for the creation of hidden files/directories and modifications to file permissions indicative of malware deployment or evasion.
* Implement advanced endpoint detection capabilities tailored to Linux to detect rootkit behaviors and unusual system information enumeration.
* Review configurations for SSH access controls to mitigate credential harvesting efforts.
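As an added example (not from the ESET report or either malware family), a small Python scan that flags three of the host-level traits listed above: setuid/setgid files, executables under hidden directories, and the mtime-far-older-than-ctime sign of timestomping. The directory layout, file names and gap threshold are constructed for the demonstration.

```python
import os
import stat
import tempfile
import time
from pathlib import Path

CTIME_GAP_SECONDS = 3600  # assumed triage threshold, constructed for this example


def scan_tree(root):
    """Return (indicator, path) pairs for setuid/setgid files, executables under
    hidden directories, and files whose mtime is far older than their ctime."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        in_hidden_dir = any(p.startswith(".") for p in Path(dirpath).relative_to(root).parts)
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append(("setuid_setgid", path))
            executable = st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
            if executable and (in_hidden_dir or name.startswith(".")):
                findings.append(("hidden_executable", path))
            # utime()/touch rewrite atime and mtime but not ctime, so an mtime far
            # older than ctime is the classic (noisy) timestomping signal
            if st.st_ctime - st.st_mtime > CTIME_GAP_SECONDS:
                findings.append(("timestomp_suspect", path))
    return findings


def build_sample_tree(base):
    """Constructed fixture, no real malware: a setuid 'binary' in a hidden
    directory with its mtime pushed back a year, beside a benign file."""
    hidden = Path(base) / ".cache" / "update-helper"
    hidden.mkdir(parents=True)
    planted = hidden / "helper"
    planted.write_bytes(b"#!/bin/sh\necho constructed sample\n")
    os.chmod(planted, 0o4755)  # setuid + executable; an unprivileged owner may set this
    year_ago = time.time() - 365 * 86400
    os.utime(planted, (year_ago, year_ago))  # back-dates atime/mtime; ctime stays now
    (Path(base) / "notes.txt").write_text("benign file\n")


def demo():
    """Build the fixture in a temporary directory, scan it, return sorted findings."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        return sorted(scan_tree(base))
```

The ctime heuristic also fires on anything that deliberately restores mtime (tar -p, rsync -a, package installs), so treat it as triage input rather than an alert. Because both families ship with rootkits that can hide files from userland, compare a scan of the live host against one taken from a clean boot medium or an offline mount.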