Chinese APT Gelsemium Targets Linux Systems with New WolfsBane Backdoor

November 22, 2024
|In Security
|By Security Team

The discovery of WolfsBane and FireWood, Linux malware attributed to the China-aligned APT group Gelsemium, underscores a growing trend of advanced persistent threats expanding their focus to Linux systems. This shift reflects evolving attacker strategies in response to improved defenses in other environments, such as stricter controls on Windows systems.

  1. Malware Overview:
    • WolfsBane: A Linux variant of the long-used Windows backdoor Gelsevirine, operational since 2014. Its purpose includes persistent access, stealthy command execution, and data exfiltration.
    • FireWood: A newly observed implant linked to Project Wood, using the usbdev.ko rootkit for process hiding and command execution. Its attribution to Gelsemium is tentative, as it could be a shared tool.
  2. Target Regions:
    • The malware samples originated from Taiwan, the Philippines, and Singapore, suggesting a focus on East and Southeast Asia.
  3. Infection Pathway:
    • While the exact entry vector remains unknown, an exploited web application vulnerability is suspected. Web shells likely facilitated remote access, allowing the deployment of the WolfsBane backdoor via a dropper.
  4. Techniques:
    • Both malware families incorporate rootkits for stealth:
      • WolfsBane uses a modified open-source BEURK rootkit.
      • FireWood employs a kernel-level rootkit for process hiding.
  5. Strategic Context:
    • The move to Linux systems aligns with broader APT trends as attackers adapt to:
      • Widespread use of Endpoint Detection and Response (EDR) solutions.
      • Microsoft’s default policy of disabling VBA macros, which has disrupted traditional malware delivery.
  6. Objectives:
    • Focused on cyber espionage, the tools aim to exfiltrate sensitive system information, credentials, and targeted files while maintaining prolonged, undetected access.

This escalation highlights the necessity for organizations, particularly those in critical sectors within East and Southeast Asia, to prioritize Linux system security. Mitigation strategies should include:

  • Strengthening web application security to prevent initial exploitation.
  • Deploying endpoint detection tools tailored for Linux environments.
  • Monitoring for unusual network activity or system anomalies that may indicate persistent threats.

Technical Capabilities:

  1. WolfsBane:
    • Utilizes a modified BEURK userland rootkit to hide its activities on infected Linux hosts.
    • Maintains the ability to execute commands issued by an attacker-controlled command-and-control (C2) server.
    • Its userland-based design allows it to avoid detection by less robust Linux endpoint security solutions.
  2. FireWood:
    • Relies on a kernel driver rootkit module (usbdev.ko) for stealth:
      • Hides processes and system artifacts.
      • Executes server-issued commands at a deeper system level, making it harder to detect and remove.
    • Kernel-level operations suggest a more invasive and powerful approach compared to userland rootkits.

Technical Details of WolfsBane and FireWood

  1. WolfsBane
  • Type: Linux backdoor
  • Rootkit Component: Modified version of the open-source BEURK userland rootkit.
  • Capabilities:
    • Process Concealment: Hides its presence by leveraging BEURK’s userland rootkit functionalities, making its activities invisible to users and many traditional monitoring tools.
    • Command Execution: Receives and executes commands from a C2 server, allowing remote attackers to control the infected host.
    • Persistence: Likely employs droppers and web shells for continuous access, suggesting integration with compromised web applications.
  • Delivery Method:
    • The initial infection vector is unknown, but evidence suggests exploitation of an unknown web application vulnerability to deploy web shells, which are then used to install WolfsBane.
  1. FireWood
  • Type: Kernel-level implant
  • Rootkit Component: Kernel driver usbdev.ko.
  • Capabilities:
    • Process Hiding: Conceals malicious processes using its kernel-level rootkit, evading detection by tools that monitor higher layers of the system.
    • Command Execution: Executes attacker-defined commands via C2 communication, potentially with elevated privileges.
    • System Modification: Operates at the kernel level, allowing deeper control and manipulation of the infected system.
  • Functional Advantages:
    • Kernel-level rootkits like usbdev.ko provide greater stealth and resilience against detection compared to userland rootkits.
    • Enables attackers to control critical system operations without leaving traces in user-accessible logs.

Tools:

  • BEURK Userland Rootkit (Modified):
    • Typically used to cloak processes, files, and network connections.
    • WolfsBane’s adaptation likely introduces additional obfuscation or functionality.
  • usbdev.ko Kernel Driver:
    • Exploits its integration into the Linux kernel to bypass typical security measures.
    • Likely features to intercept system calls or tamper with kernel structures for stealth.

Initial Access and Infection Pathway:

  • Suspected Vector:
    • Web application exploitation, enabling deployment of web shells.
    • Web shells act as staging mechanisms to drop WolfsBane or FireWood components.
  • Payload Delivery:
    • Both tools may be deployed via compromised systems acting as a beachhead, leveraging weak application security.

Operational Characteristics:

  • C2 Communication:
    • Both backdoors are designed to connect with an attacker-controlled server, receiving commands for data exfiltration, system manipulation, or reconnaissance.
    • Likely use encrypted or obfuscated protocols to avoid detection.
  • Stealth Features:
    • Rootkits ensure that malicious activities, files, and processes remain hidden from users and monitoring software.
    • Likely paired with techniques to evade forensic analysis (e.g., anti-debugging, anti-sandboxing).

IMPACT

  1. Cyber Espionage
  • Objective: Extract sensitive data, including system information, user credentials, and specific files or directories.
  • Scope: Likely targets governmental, defense, and critical infrastructure sectors in countries like Taiwan, the Philippines, and Singapore.
  1. Persistence and Stealth
  • Techniques: Both malware families use advanced rootkits (BEURK for WolfsBane and usbdev.ko for FireWood) to evade detection.
  • Long-term Access: The malware enables attackers to maintain persistent control over infected systems, posing long-term threats.
  1. Expansion into Linux
  • Platform Shift: Signals an expansion of Gelsemium’s activities into Linux systems, which are increasingly used in enterprise and cloud environments.
  • Trend Reflection: Demonstrates a broader trend among APT groups to adapt to the rising adoption of endpoint detection and hardening on Windows​.
  1. Economic and Security Threat
  • Economic Damage: Stolen intellectual property and disrupted operations could result in financial losses.
  • National Security: Espionage targeting government systems and critical infrastructure poses serious risks.
  1. Technical Challenges
  • Detection Difficulty: Kernel-level rootkits like usbdev.ko allow attackers to operate undetected, making it difficult for standard security tools to identify infections.
  • Remediation Costs: Cleaning systems infected with advanced rootkits often requires a full rebuild, causing operational downtime.

(Indicators of Compromise)IOCs:

Indicators of Compromise (IOCs) for the WolfsBane and FireWood malware used by Gelsemium include artifacts and behaviors that organizations can monitor to detect potential infections. These IOCs were identified in the research and analysis shared by ESET and related cybersecurity studies.

IOCs for WolfsBane

  1. File System Artifacts:
    • Modified system files (e.g., altered .bashrc or /etc/rc.local entries) to establish persistence.
    • Rootkit-related files in suspicious or unexpected locations.
  2. C2 Communication:
    • Hosts communicating with external, attacker-controlled IPs or domains.
    • Use of specific ports and protocols for stealthy data exfiltration and command execution.
  3. Rootkit Indicators:
    • Presence of modified BEURK rootkit binaries.
    • Anomalous behavior in userland processes, such as unexplained spikes in resource use.

IOCs for FireWood

  1. Kernel Module Artifacts:
    • usbdev.ko kernel module, likely loaded at runtime for rootkit activities.
    • Suspicious entries in /lib/modules or similar directories indicating tampering.
  2. Processes and Anomalies:
    • Hidden processes indicating active rootkit concealment.
    • Logs showing unauthorized kernel-level commands executed.
  3. Network Indicators:
    • Communication with hardcoded C2 servers or domains.
    • Traffic patterns resembling encrypted or stealth communication over non-standard protocols.

RECOMMENDATIONS:

To mitigate the risks posed by WolfsBane and FireWood malware, organizations should implement a multi-layered security approach tailored to Linux systems.

  1. Prevent Initial Access
  • Web Application Security:
    • Regularly patch web servers and applications to mitigate vulnerabilities.
    • Conduct periodic penetration testing to identify exploitable weaknesses.
    • Use Web Application Firewalls (WAFs) to block malicious traffic.
  • File and System Monitoring:
    • Deploy intrusion detection systems (IDS) like Snort or Suricata to monitor file and network activity.
    • Track newly introduced files, especially in sensitive directories like /usr and /tmp.
  1. Detect Rootkits
  • Kernel Integrity Checks:
    • Use tools like chkrootkit, rkhunter, and Lynis to scan for rootkits such as BEURK and usbdev.ko.
    • Regularly audit kernel modules and compare them to known safe baselines.
  • Behavioral Monitoring:
    • Detect abnormal system behaviors, like hidden processes or stealthy kernel operations.
  1. Strengthen System Defenses
  • Access Control:
    • Implement least privilege principles for user accounts and processes.
    • Disable unnecessary kernel modules to reduce attack surfaces.
  • Endpoint Detection and Response (EDR):
    • Deploy advanced EDR tools designed for Linux systems (e.g., CrowdStrike Falcon for Linux, Microsoft Defender for Endpoint).
  • Logging and Monitoring:
    • Enable verbose logging for kernel activities.
    • Use centralized log management solutions for real-time analysis (e.g., Elastic Stack).
  1. Secure Communications
  • Network Segmentation:
    • Isolate sensitive systems from internet-facing services to limit the spread of malware.
  • Monitor C2 Traffic:
    • Identify and block suspicious outbound connections to unknown or attacker-controlled domains.
  1. Incident Response Preparedness
  • Backup and Recovery:
    • Maintain regular backups of critical data and configurations, storing them offline.
    • Validate restoration procedures to minimize downtime during incidents.
  • Rapid Containment:
    • Develop response playbooks for malware infections, including steps to isolate infected systems.
  • Threat Intelligence Updates:
    • Subscribe to feeds and updates from organizations like ESET and MITRE to stay informed of new indicators of compromise (IOCs).
  1. Improve Employee Awareness
  • Training:
    • Educate employees on the importance of recognizing phishing attempts and potential malware vectors.
  • Regular Security Drills:
    • Simulate attacks to test and improve incident response capabilities.