Unveiling WolfsBane: Linux counterpart to Gelsevirine
Nov. 22, 2024, 9:25 a.m.
Description
ESET researchers have discovered previously unknown Linux backdoors attributed to the China-aligned Gelsemium APT group. The main backdoor, named WolfsBane, is the Linux equivalent of Gelsemium's Gelsevirine backdoor for Windows. Another backdoor, FireWood, is connected to the group's Project Wood malware. These tools are designed for cyberespionage, targeting system information, credentials, and specific files. The malware uses sophisticated techniques for persistence, stealth, and command execution. This discovery marks Gelsemium's first known use of Linux malware, indicating a shift in APT tactics towards exploiting vulnerabilities in internet-facing Linux systems.
Date
Published: Nov. 22, 2024, 4:49 a.m.
Created: Nov. 22, 2024, 4:49 a.m.
Modified: Nov. 22, 2024, 9:25 a.m.
Indicators
a67ac84f61b34b59827cef79b11709d137cc9490d6027e16279793b9b3e894c4
fe71b66d65d5ff9d03a47197c99081d9ec8d5f6e95143bdc33f5ea2ac0ae5762
fddec9ff14ebd957038f9c24843bff935c4f73651e9704b553dec116851f7ae5
f0d23aa026ae6ba96051401dc2b390ba5c968d55c2a4b31a36e45fb67dfc2e3c
ec491de0e2247f64b753c4ef0c7227ea3548c2f222b547528dae0cf138eca53a
d986207bc108e55f4b110ae208656b415d2c5fcc8f99f98b4b3985e82b9d5e5b
cff20753e36a4c942dc4dab5a91fd621a42330e17a89185a5b7262280bcd9263
c26d239f415bec27125862acafdeac267be398bc9208e27f09217dc8ecf64225
ae1b66e35a4e1ab8870837a52f3e4acda9e722b3f835d238acb472be49e915d6
97982e098a4538d05e78c172c9bbc5b412754df86dc73e760004f0038ec928fb
93c29bf19e09ea3b1e4ac5d31f47024a544738671488ff7ab2cd8f9a9c302262
7795a7f3bd08cb62ec6f828ad1f6836114b3e8cf153d905e3f03d6199f1f8354
6eaeca0cf28e74de6cfd82d29a3c3cc30c2bc153ac811692cc41ee290d766474
6005ecce702b84de6d46838839b2271df631ab42325b70e27324e6cabda76e7f
5d12c085b600ea2ea42d09e2104ac40d8ba2b6d005db06e12c16016200a92bd8
552388d74478a84b8e64e3ee2316331740a0d060f322e92b5c608ea745adba90
5299fe79a66b407555cdab68806564ae988b745be589767b004f7bccd7f7ac3b
46338cae732ee1664aac77d9dce57c4ff8666460c1a51bee49cae44c86e42df9
31d5e55f21246f97da006ddba6306b357d2823c90754a920c7bd268af0d2a1e4
2bab6b951ea0ae3ea9452fd503bacafb45b6687d6352f5415d14810f9cf7a89e
29e78ca3cb49dd2985a29e74cafb1a0a15515670da0f4881f6095fb2926bfefd
1f6de1af513f60572799a0893818e1b694c3ec3ff5dabddc8a0f0aa0d96d15d2
1ec286f2194199206e4ce345f1bf322b6b0b4c947b1cf32db59cca2d89370738
1b6bb9e9612982f9cb55a1c88ae988d362d03fd57748d10b8cbe7acd724055c9
1a9d78e5c255de239fb18b2cf47c4c2298f047073299c27fb54a0edf08a1d5a1
109d4b8878b8c8f3b7015f6b3ae573a6799296becce0f32ca3bd216bee0ab473
00b701e3ef29912c1fcd8c2154c4ae372cfe542cfa54ffcce9fb449883097cec
210.209.72.180
www.travel.dns04.com
www.sitesafecdn.dynamic-dns.net
rootkit.agent.ec
sitesafecdn.hopto.org
traveltime.hopto.org
pctftp.otzo.com
microsoftservice.dns1.us
domain.dns04.com
info.96html.com
acro.ns1.name
asidomain.com
dsdsei.com
4vw37z.cn
Attack Patterns
Project Wood
Gelsemine
Gelsenicine
Gelsevirine
Gelsemium - S0666
FireWood
WolfsBane
Gelsemium
Additional Information
Technology
Government
Singapore
Taiwan
Philippines