- ESET discovers a new piece of malware called WolfsBane
- This malware has a dropper, a launcher and a backdoor
- It is used by a group known as Gelsemium
Chinese hackers have built new all-in-one malware to target Linux devices, according to a new report from cybersecurity researchers ESEThave said.
The WolfsBane malware features a dropper, launcher, a backdoor, and a custom open-source rootkit to evade detection. While not completely bizarre, the approach is quite unconventional, as most hacking groups will only develop one of these features and use others’ solutions for the rest.
That said, WolfsBane’s most important ability is to give its operators full control over the compromised system. It can execute commands coming in from the C2 server, exfiltrate data, and ultimately manipulate the system.
Gelsemium is active
ESET is unsure how the attackers gained access to the target systems to deploy the malware, but assesses “with medium confidence” that the group exploited an unknown vulnerability in the web application.
The group in this case is called Gelsemium, which indicates that there is at least one herbalist in its ranks. It is a relatively well-known Chinese group, active since at least 2014. It mainly targets government institutions, educational organizations, electronics manufacturers and religious institutions. The majority of victims are in East Asia and the Middle East.
ESET also suggests that the group has decided to focus on Linux as Windows defenses have continued to improve recently.
“The trend of APT groups targeting Linux malware is becoming increasingly apparent,” ESET said.
“We believe this shift is due to improvements in Windows email and endpoint security, such as the widespread use of endpoint detection and response (EDR) tools and Microsoft’s decision to make Visual Basic for Applications (VBA) macros standard to switch off. As a result, threat actors are exploring new attack avenues, with a growing focus on exploiting vulnerabilities in Internet-facing systems, most of which run on Linux.”
Via BleepingComputer