Today > | 4 High | 23 Medium vulnerabilities   -   You can now download lists of IOCs here!

Unveiling WolfsBane: Linux counterpart to Gelsevirine

Nov. 22, 2024, 9:25 a.m.

Description

ESET researchers have discovered previously unknown Linux backdoors attributed to the China-aligned Gelsemium APT group. The main backdoor, named WolfsBane, is the Linux equivalent of Gelsemium's Gelsevirine backdoor for Windows. Another backdoor, FireWood, is connected to the group's Project Wood malware. These tools are designed for cyberespionage, targeting system information, credentials, and specific files. The malware uses sophisticated techniques for persistence, stealth, and command execution. This discovery marks Gelsemium's first known use of Linux malware, indicating a shift in APT tactics towards exploiting vulnerabilities in internet-facing Linux systems.

Date

Published: Nov. 22, 2024, 4:49 a.m.

Created: Nov. 22, 2024, 4:49 a.m.

Modified: Nov. 22, 2024, 9:25 a.m.

Indicators

a67ac84f61b34b59827cef79b11709d137cc9490d6027e16279793b9b3e894c4

fe71b66d65d5ff9d03a47197c99081d9ec8d5f6e95143bdc33f5ea2ac0ae5762

fddec9ff14ebd957038f9c24843bff935c4f73651e9704b553dec116851f7ae5

f0d23aa026ae6ba96051401dc2b390ba5c968d55c2a4b31a36e45fb67dfc2e3c

ec491de0e2247f64b753c4ef0c7227ea3548c2f222b547528dae0cf138eca53a

d986207bc108e55f4b110ae208656b415d2c5fcc8f99f98b4b3985e82b9d5e5b

cff20753e36a4c942dc4dab5a91fd621a42330e17a89185a5b7262280bcd9263

c26d239f415bec27125862acafdeac267be398bc9208e27f09217dc8ecf64225

ae1b66e35a4e1ab8870837a52f3e4acda9e722b3f835d238acb472be49e915d6

97982e098a4538d05e78c172c9bbc5b412754df86dc73e760004f0038ec928fb

93c29bf19e09ea3b1e4ac5d31f47024a544738671488ff7ab2cd8f9a9c302262

7795a7f3bd08cb62ec6f828ad1f6836114b3e8cf153d905e3f03d6199f1f8354

6eaeca0cf28e74de6cfd82d29a3c3cc30c2bc153ac811692cc41ee290d766474

6005ecce702b84de6d46838839b2271df631ab42325b70e27324e6cabda76e7f

5d12c085b600ea2ea42d09e2104ac40d8ba2b6d005db06e12c16016200a92bd8

552388d74478a84b8e64e3ee2316331740a0d060f322e92b5c608ea745adba90

5299fe79a66b407555cdab68806564ae988b745be589767b004f7bccd7f7ac3b

46338cae732ee1664aac77d9dce57c4ff8666460c1a51bee49cae44c86e42df9

31d5e55f21246f97da006ddba6306b357d2823c90754a920c7bd268af0d2a1e4

2bab6b951ea0ae3ea9452fd503bacafb45b6687d6352f5415d14810f9cf7a89e

29e78ca3cb49dd2985a29e74cafb1a0a15515670da0f4881f6095fb2926bfefd

1f6de1af513f60572799a0893818e1b694c3ec3ff5dabddc8a0f0aa0d96d15d2

1ec286f2194199206e4ce345f1bf322b6b0b4c947b1cf32db59cca2d89370738

1b6bb9e9612982f9cb55a1c88ae988d362d03fd57748d10b8cbe7acd724055c9

1a9d78e5c255de239fb18b2cf47c4c2298f047073299c27fb54a0edf08a1d5a1

109d4b8878b8c8f3b7015f6b3ae573a6799296becce0f32ca3bd216bee0ab473

00b701e3ef29912c1fcd8c2154c4ae372cfe542cfa54ffcce9fb449883097cec

210.209.72.180

www.travel.dns04.com

www.sitesafecdn.dynamic-dns.net

rootkit.agent.ec

sitesafecdn.hopto.org

traveltime.hopto.org

pctftp.otzo.com

microsoftservice.dns1.us

domain.dns04.com

info.96html.com

acro.ns1.name

asidomain.com

dsdsei.com

4vw37z.cn

Attack Patterns

Project Wood

Gelsemine

Gelsenicine

Gelsevirine

Gelsemium - S0666

FireWood

WolfsBane

Gelsemium

Additional Informations

Technology

Government

Singapore

Taiwan

Philippines