Unveiling WolfsBane: Linux counterpart to Gelsevirine

Nov. 22, 2024, 9:25 a.m.

Description

ESET researchers have discovered previously unknown Linux backdoors attributed to the China-aligned Gelsemium APT group. The main backdoor, named WolfsBane, is the Linux counterpart of Gelsemium's Gelsevirine backdoor for Windows; a second backdoor, FireWood, is connected to the group's Project Wood malware. Both are built for cyberespionage: they collect system information and credentials, target specific files, and include persistence, stealth and command-execution capabilities. This is the first publicly documented use of Linux malware by Gelsemium, consistent with a wider shift in APT tactics towards exploiting vulnerabilities in internet-facing Linux systems.

Date

  • Created: Nov. 22, 2024, 4:49 a.m.
  • Published: Nov. 22, 2024, 4:49 a.m.
  • Modified: Nov. 22, 2024, 9:25 a.m.

Indicators

SHA-256 file hashes:

  • a67ac84f61b34b59827cef79b11709d137cc9490d6027e16279793b9b3e894c4
  • fe71b66d65d5ff9d03a47197c99081d9ec8d5f6e95143bdc33f5ea2ac0ae5762
  • fddec9ff14ebd957038f9c24843bff935c4f73651e9704b553dec116851f7ae5
  • f0d23aa026ae6ba96051401dc2b390ba5c968d55c2a4b31a36e45fb67dfc2e3c
  • ec491de0e2247f64b753c4ef0c7227ea3548c2f222b547528dae0cf138eca53a
  • d986207bc108e55f4b110ae208656b415d2c5fcc8f99f98b4b3985e82b9d5e5b
  • cff20753e36a4c942dc4dab5a91fd621a42330e17a89185a5b7262280bcd9263
  • c26d239f415bec27125862acafdeac267be398bc9208e27f09217dc8ecf64225
  • ae1b66e35a4e1ab8870837a52f3e4acda9e722b3f835d238acb472be49e915d6
  • 97982e098a4538d05e78c172c9bbc5b412754df86dc73e760004f0038ec928fb
  • 93c29bf19e09ea3b1e4ac5d31f47024a544738671488ff7ab2cd8f9a9c302262
  • 7795a7f3bd08cb62ec6f828ad1f6836114b3e8cf153d905e3f03d6199f1f8354
  • 6eaeca0cf28e74de6cfd82d29a3c3cc30c2bc153ac811692cc41ee290d766474
  • 6005ecce702b84de6d46838839b2271df631ab42325b70e27324e6cabda76e7f
  • 5d12c085b600ea2ea42d09e2104ac40d8ba2b6d005db06e12c16016200a92bd8
  • 552388d74478a84b8e64e3ee2316331740a0d060f322e92b5c608ea745adba90
  • 5299fe79a66b407555cdab68806564ae988b745be589767b004f7bccd7f7ac3b
  • 46338cae732ee1664aac77d9dce57c4ff8666460c1a51bee49cae44c86e42df9
  • 31d5e55f21246f97da006ddba6306b357d2823c90754a920c7bd268af0d2a1e4
  • 2bab6b951ea0ae3ea9452fd503bacafb45b6687d6352f5415d14810f9cf7a89e
  • 29e78ca3cb49dd2985a29e74cafb1a0a15515670da0f4881f6095fb2926bfefd
  • 1f6de1af513f60572799a0893818e1b694c3ec3ff5dabddc8a0f0aa0d96d15d2
  • 1ec286f2194199206e4ce345f1bf322b6b0b4c947b1cf32db59cca2d89370738
  • 1b6bb9e9612982f9cb55a1c88ae988d362d03fd57748d10b8cbe7acd724055c9
  • 1a9d78e5c255de239fb18b2cf47c4c2298f047073299c27fb54a0edf08a1d5a1
  • 109d4b8878b8c8f3b7015f6b3ae573a6799296becce0f32ca3bd216bee0ab473
  • 00b701e3ef29912c1fcd8c2154c4ae372cfe542cfa54ffcce9fb449883097cec

IP address:

  • 210.209.72.180

Hostnames (several sit under public dynamic-DNS zones such as hopto.org, otzo.com, dns04.com, dns1.us and dynamic-dns.net; match the full hostnames, not the parent zones, to avoid flagging unrelated users of those services):

  • www.travel.dns04.com
  • www.sitesafecdn.dynamic-dns.net
  • sitesafecdn.hopto.org
  • traveltime.hopto.org
  • pctftp.otzo.com
  • microsoftservice.dns1.us
  • domain.dns04.com
  • info.96html.com
  • acro.ns1.name
  • asidomain.com
  • dsdsei.com
  • 4vw37z.cn
  • rootkit.agent.ec (listed on the page as an indicator, but it reads like the tail of an antivirus detection name rather than a hostname; verify before adding it to a blocklist)
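The following Python is an added example, not code from ESET or from the original page. It embeds the indicators above and uses them in two hunts a responder would actually run: streaming SHA-256 over every file under a directory and comparing against the hash list, and pulling hostname- and IP-looking tokens out of DNS/proxy log lines and matching them against the network indicators (exact hostname or subdomain of a listed hostname, never the dynamic-DNS parent zone). The log format is assumed to be key=value text; the sample lines are constructed for illustration, and `rootkit.agent.ec` is deliberately omitted because it looks like a detection-name fragment rather than a hostname.

```python
"""Added example: match the indicators listed above against files on disk and
against DNS/proxy log lines. Not code from ESET or from the original page."""
import hashlib
import os
import re
import sys

# SHA-256 file hashes copied from the indicator list above (two per line).
FILE_HASHES = frozenset("""
a67ac84f61b34b59827cef79b11709d137cc9490d6027e16279793b9b3e894c4 fe71b66d65d5ff9d03a47197c99081d9ec8d5f6e95143bdc33f5ea2ac0ae5762
fddec9ff14ebd957038f9c24843bff935c4f73651e9704b553dec116851f7ae5 f0d23aa026ae6ba96051401dc2b390ba5c968d55c2a4b31a36e45fb67dfc2e3c
ec491de0e2247f64b753c4ef0c7227ea3548c2f222b547528dae0cf138eca53a d986207bc108e55f4b110ae208656b415d2c5fcc8f99f98b4b3985e82b9d5e5b
cff20753e36a4c942dc4dab5a91fd621a42330e17a89185a5b7262280bcd9263 c26d239f415bec27125862acafdeac267be398bc9208e27f09217dc8ecf64225
ae1b66e35a4e1ab8870837a52f3e4acda9e722b3f835d238acb472be49e915d6 97982e098a4538d05e78c172c9bbc5b412754df86dc73e760004f0038ec928fb
93c29bf19e09ea3b1e4ac5d31f47024a544738671488ff7ab2cd8f9a9c302262 7795a7f3bd08cb62ec6f828ad1f6836114b3e8cf153d905e3f03d6199f1f8354
6eaeca0cf28e74de6cfd82d29a3c3cc30c2bc153ac811692cc41ee290d766474 6005ecce702b84de6d46838839b2271df631ab42325b70e27324e6cabda76e7f
5d12c085b600ea2ea42d09e2104ac40d8ba2b6d005db06e12c16016200a92bd8 552388d74478a84b8e64e3ee2316331740a0d060f322e92b5c608ea745adba90
5299fe79a66b407555cdab68806564ae988b745be589767b004f7bccd7f7ac3b 46338cae732ee1664aac77d9dce57c4ff8666460c1a51bee49cae44c86e42df9
31d5e55f21246f97da006ddba6306b357d2823c90754a920c7bd268af0d2a1e4 2bab6b951ea0ae3ea9452fd503bacafb45b6687d6352f5415d14810f9cf7a89e
29e78ca3cb49dd2985a29e74cafb1a0a15515670da0f4881f6095fb2926bfefd 1f6de1af513f60572799a0893818e1b694c3ec3ff5dabddc8a0f0aa0d96d15d2
1ec286f2194199206e4ce345f1bf322b6b0b4c947b1cf32db59cca2d89370738 1b6bb9e9612982f9cb55a1c88ae988d362d03fd57748d10b8cbe7acd724055c9
1a9d78e5c255de239fb18b2cf47c4c2298f047073299c27fb54a0edf08a1d5a1 109d4b8878b8c8f3b7015f6b3ae573a6799296becce0f32ca3bd216bee0ab473
00b701e3ef29912c1fcd8c2154c4ae372cfe542cfa54ffcce9fb449883097cec
""".split())

# Network indicators from the list above. "rootkit.agent.ec" is left out:
# it reads like the tail of an AV detection name, not a hostname.
IP_ADDRESSES = frozenset({"210.209.72.180"})
HOSTNAMES = frozenset("""
www.travel.dns04.com www.sitesafecdn.dynamic-dns.net sitesafecdn.hopto.org
traveltime.hopto.org pctftp.otzo.com microsoftservice.dns1.us domain.dns04.com
info.96html.com acro.ns1.name asidomain.com dsdsei.com 4vw37z.cn
""".split())

# Anything that looks like a hostname or dotted-quad IP inside a log line.
TOKEN_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.\-]*\.[A-Za-z0-9\-]+")


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def scan_directory(root, hashes=FILE_HASHES):
    """Return {path: sha256} for every file under root whose hash is in `hashes`."""
    hits = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:  # unreadable file, broken symlink, vanished file
                continue
            if digest in hashes:
                hits[path] = digest
    return hits


def hostname_matches(host):
    """Exact match or subdomain of a listed hostname. The dynamic-DNS parent
    zones (hopto.org, otzo.com, dns04.com, ...) are deliberately not matched."""
    host = host.lower().rstrip(".")
    return host in HOSTNAMES or any(host.endswith("." + h) for h in HOSTNAMES)


def scan_log_lines(lines):
    """Return (line_number, indicator) for each log line touching a listed host or IP."""
    hits = []
    for number, line in enumerate(lines, 1):
        for token in TOKEN_RE.findall(line):
            if token in IP_ADDRESSES or hostname_matches(token):
                hits.append((number, token.lower()))
    return hits


# Constructed sample log lines (not real telemetry); line 3 is a benign
# dynamic-DNS user that must NOT be flagged.
SAMPLE_LOG = [
    "2024-11-20T10:01:02Z dns query=www.travel.dns04.com type=A client=10.0.0.5",
    "2024-11-20T10:01:03Z dns query=traveltime.hopto.org type=A client=10.0.0.5",
    "2024-11-20T10:01:04Z dns query=homelab.hopto.org type=A client=10.0.0.7",
    "2024-11-20T10:02:00Z proxy dst=210.209.72.180:443 client=10.0.0.5 bytes=18432",
    "2024-11-20T10:03:00Z dns query=updates.example.com type=A client=10.0.0.9",
]

if __name__ == "__main__":
    print(scan_log_lines(SAMPLE_LOG))  # lines 1, 2 and 4 hit; 3 and 5 do not
    print(scan_directory(sys.argv[1] if len(sys.argv) > 1 else "."))
```

Run it with a directory argument to sweep a suspect host (for example a web server's document root and `/tmp`); feed real DNS or proxy logs to `scan_log_lines` in place of `SAMPLE_LOG`. Passing a different set to `scan_directory(..., hashes=...)` lets the same sweep be reused for later indicator updates.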

Attack Patterns

  • Project Wood
  • Gelsemine
  • Gelsenicine
  • Gelsevirine
  • Gelsemium - S0666
  • FireWood
  • WolfsBane
  • Gelsemium

Additional Information

Industries:

  • Technology
  • Government

Countries:

  • Singapore
  • Taiwan
  • Philippines