Threat Bulletin: Fire in the Woods – A New Variant of FireWood

Aug. 15, 2025, 1:07 p.m.

Description

A new, low-detected variant of the FireWood Linux backdoor has been discovered. It changes implementation details and configuration while keeping the core functionality intact. FireWood, part of the 'Project Wood' malware lineage, operates as a remote access trojan on Linux systems and relies on kernel-level rootkit modules and TEA-based encryption for stealth and persistence. The new variant modifies the execution process, alters network communication, and updates the file paths it uses. It removes some commands and adds others, including a new 'auto-kill' feature. Samples have been found in Iran and the Philippines, indicating a potentially wide distribution. The backdoor has possible connections to the China-aligned Gelsemium APT group, though this attribution remains uncertain.

Date

  • Created: Aug. 15, 2025, 11:38 a.m.
  • Published: Aug. 15, 2025, 11:38 a.m.
  • Modified: Aug. 15, 2025, 1:07 p.m.

Attack Patterns

Additional Information

  • Iran, Islamic Republic of
  • Philippines