Unveiling WolfsBane: Gelsemium’s Linux counterpart to Gelsevirine
ESET researchers analyzed previously unknown Linux backdoors that are connected to known Windows malware used by the China-aligned Gelsemium group, and to Project Wood
by Viktor Sperka
November 21, 2024 ESET WeLiveSecurity
| Notes |
|---|
| ESET |
| security research |
| Linux malware |
| backdoor |
| WolfsBane |
| Gelsemium |
| APT |
| China |
| FireWood |
| VirusTotal |
| Windows |
| Project Wood |
| cyberespionage |
| system information |
| credential harvesting |
| persistence |
| remote command execution |
| intelligence gathering |
| detection evasion |
| EDR |
| APT groups focusing on Linux due to improvements in email filtering and Windows EDR |
| Microsoft |
| Visual Basic Application (VBA) |
| Microsoft disabling VBA macros by default |
| internet-facing |
| dropper |
| Operation TooHash |
| web shell |
| web shell based on publicly available code |
| Taiwan |
| VirusTotal uploaded from Taiwan, Philippines |
| incident response |
| Eastern Asia |
| Middle East |
| launcher |
| attribution |
| malware family |
| rootkit |
| typos as attribution: seesion |
| create_session |
| exported symbol |
| command and control |
| hashes |
| pluginkey |
| controller_version |
| domain usage as attribution: dsdsei[.]com |
| IoC |
| naming conventions as attribution |
| file extensions as attribution |
| TEA encryption algorithm |
| algorithms as attribution |
| XOR |
| XOR key as attribution: 0x26 |
| C2 communication strings as attribution |
| code reuse as attribution |
| Apache Tomcat |
| Java |
| initial access |
| TTP |
| AntSword JSP webshell |
| icesword webshell |
| obfuscation |
| process masquerading (cron) |
| hidden directory $HOME/.Xl1 (lowercase L instead of numeric ‘1’) |
| X Window System |
| cron daemon |
| root user |
| malware checking for software: systemd |
| systemd service unit: /lib/systemd/system/display-managerd.service |
| ExecStart |
| SELinux |
| malware disabling SELinux: change SELINUX entry from “enforcing” to “disabled” |
| bash script |
| rc script persistence: S60dlump |
| unprivileged user |
| Debian |
| .bashrc/.profile persistence: home/www.profile.sh 2>/dev/null |
| WolfsBane Hider rootkit: /usr/lib/libselinux.so |
| LD_PRELOAD, /etc/ld.so.preload |
| process masquerading: kde |
| main_session export |
| WolfsBane backdoor: udevd filename |
| libMainPlugin.so (similar to MainPlugin.dll in Windows version) |
| libUdp.so, libHttps.so – embedded network libraries for malware |
| create_seesion typo |
| backdoor encrypts libMainPlugin.so using RC4 – key stored as “pluginkey” in configuration |
| backdoor has update functionality – if a file exists, it is decrypted and loaded instead of libMainPlugin.so |
| uses modified BEURK userland rootkit |
| rootkit hooks open, stat, readdir, access, … to hide its presence |
| rootkit omits network traffic hiding functionality |
| rootkit hides hard-coded executables udevd and kde |
| FireWood backdoor: filename dbus |
| usbdev.ko kernel module rootkit |
| FireWood communicates with the kernel using Netlink |
| FireWood config file: kdeinit – XOR encrypted with single byte key 0x26 |
| process masquerading as kernel thread: [scsi_eh_7] |
| TEA encryption key: 0x072BA1E6 |
| callback scheduling |
| persistence stored in /.config/autostart/gnome-control.desktop |
| persistence parses files in .config/autostart with .desktop extensions |
| c2 command ID |
| capabilities: download executable and run, execute shell command, reconfigure callback times, hide process, cleanup and exit, list directory contents, exfiltrate files, delete file, rename file, load or unload a LKM, exfiltrate folder, modify timestamp of file, cat file, search for files, … |
| popen |
| system function |
| kernel module |
| SSH password stealer – replaces /usr/bin/ssh with credential logging to /tmp/zijtkldse.tmp |
| privilege escalation – ccc filename – sets UID and GID to 0 and executes a program |
| OpenSSH |
| base64 |
| HTTP POST |
| SQL |
| Unicode |
| randomized function names |
| Samples, IoCs, … |
|---|
| ED5342D9788392C6E854AAEFA655C4D3B4831B6B |
| dsdsei[.]com |
| file extensions: .k2, .v2 |
| https://www.virustotal.com/gui/file/3aa8a5afa686e6b21fcc268760ea1f344560607abe9a3edb3f23d14a6032597b |
| 238C8E8EB7A732D85D8A7F7CA40B261D8AE4183D - login.jsp |
| 9F7790524BD759373AB57EE2AAFA6F5D8BCB918A - yy1.jsp |
| FD601A54BC622C041DF0242662964A7ED31C6B9C - a.jsp |
| asidomain[.]com |
| https://github.com/eset/malware-ioc/tree/master/gelsemium |
| 0FEF89711DA11C550D3914DEBC0E663F5D2FB86C - dbus |
| 44947903B2BC760AC2E736B25574BE33BF7AF40B - libselinux.so |
| 0AB53321BB9699D354A032259423175C08FEC1A4 - udevd |
| 8532ECA04C0F58172D80D8A446AE33907D509377 - kde |
| B2A14E77C96640914399E5F46E1DEC279E7B940F - cron |
| 209C4994A42AF7832F526E09238FB55D5AAB34E5 - ccc |
| F43D4D46BAE9AD963C2EB05EF43E90AA3A5D88E3 - ssh |
| 72DB8D1E3472150C1BE93B68F53F091AACC2234D F1DF0C5A74C9885CB5934E3EEE5E7D3CF4D291C0 - virus.tgz |
| B3DFB40336C2F17EC74051844FFAF65DDB874CFC - virus-b.tgz |
| 600C59733444BC8A5F71D41365368F3002465B10 843D6B0054D066845628E2D5DB95201B20E12CD2 CDBBB6617D8937D17A1A9EF12750BEE1CDDF4562 85528EAC10090AE743BCF102B4AE7007B6468255 - CHINA-APT-Trojan.zip |
| BED9EFB245FAC8CFFF8333AE37AD78CCFB7E2198 - Xl1.zip |