Warning of new dangerous malware attack campaign targeting Linux

Experts from security firm ESET recently discovered a new Linux backdoor called WolfsBane, which the China-linked Gelsemium APT group is using to carry out malicious operations.

Experts from security firm ESET have recently discovered a new Linux backdoor called WolfsBane, which is being used by the China-linked Gelsemium APT hacker group to carry out malicious operations. This is also the first documented case of Gelsemium using Linux malware. The backdoor is designed to steal sensitive data, including system information, user credentials, and specific files and folders.

WolfsBane is the Linux counterpart of Gelsevirine, a Windows backdoor that Gelsemium has been using since 2014. The backdoor is delivered by a dropper that masquerades as a 'standard auth' command scheduler. Once executed, the dropper installs the WolfsBane launcher and backdoor on the target system. The launcher is disguised as a KDE desktop component, while the backdoor is hidden as a system service.

The WolfsBane backdoor communicates with the command and control (C&C) server via a custom network protocol. It can run commands, download files, and upload them to the C&C server. WolfsBane can also hide its presence on the system by modifying the system's configuration files.
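The two paragraphs above describe persistence through a launcher disguised as a KDE desktop component and a backdoor hidden as a system service. The script below is an added example written for this page, not code from ESET or from the article, that shows how a defender can triage autostart `.desktop` entries and systemd unit files for executables living outside packaged binary directories or in hidden and temporary paths. The trusted directory list and all sample file contents are constructed assumptions, not real WolfsBane artefacts or paths from the ESET report.

```python
"""Heuristic triage of Linux autostart entries and systemd units.

Added example for this article; not ESET's or the article's own code.
Flags Exec=/ExecStart= targets that a packaged KDE component or system
service would not normally have (unpackaged, hidden or temporary paths).
"""
import re
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: a typical Debian/Fedora-style layout. Extend for your fleet.
TRUSTED_BIN_DIRS = (
    "/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/",
    "/usr/lib/", "/usr/libexec/", "/usr/local/bin/", "/usr/local/sbin/",
)
HIDDEN_OR_TEMP = re.compile(r"/\.[^/]+/|/tmp/|/dev/shm/|/var/tmp/")


@dataclass
class Finding:
    source: str          # file the entry came from
    exec_path: str       # executable the entry would launch
    reasons: List[str]   # why an analyst should look at it


def exec_target(exec_line: str) -> str:
    """First token of an Exec=/ExecStart= value, without systemd prefixes (-, @, +, !, :)."""
    try:
        parts = shlex.split(exec_line)
    except ValueError:
        return exec_line.strip()
    return parts[0].lstrip("-@+!:") if parts else ""


def parse_ini(text: str) -> dict:
    """Minimal key=value parser for .desktop files and unit files (first value per key wins)."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";", "[")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            entries.setdefault(key.strip(), value.strip())
    return entries


def assess(source: str, name: str, exec_line: str) -> Optional[Finding]:
    """Return a Finding when the launched executable looks unpackaged or hidden, else None."""
    target = exec_target(exec_line)
    reasons = []
    if not target.startswith("/"):
        reasons.append("relative or PATH-resolved executable")
    elif not target.startswith(TRUSTED_BIN_DIRS):
        reasons.append("executable outside packaged binary directories")
    if HIDDEN_OR_TEMP.search(target):
        reasons.append("hidden or temporary directory in path")
    if name.lower().startswith(("kde", "plasma")) and not target.startswith(TRUSTED_BIN_DIRS):
        reasons.append("KDE-looking name but unpackaged executable")
    return Finding(source, target, reasons) if reasons else None


def triage(files: List[Tuple[str, str]]) -> List[Finding]:
    """files: (path, content) pairs as read from autostart and systemd directories."""
    findings = []
    for path, content in files:
        kv = parse_ini(content)
        exec_line = kv.get("Exec") or kv.get("ExecStart")
        if not exec_line:
            continue
        name = kv.get("Name") or kv.get("Description") or path
        finding = assess(path, name, exec_line)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample inputs: two benign entries and two that a defender would want to see.
SAMPLES = [
    ("/etc/xdg/autostart/org.kde.kglobalaccel.desktop",
     "[Desktop Entry]\nName=KDE Global Shortcuts Daemon\nExec=/usr/bin/kglobalaccel5\nType=Application\n"),
    ("/home/alice/.config/autostart/kde-display.desktop",
     "[Desktop Entry]\nName=KDE Display Manager\nExec=/home/alice/.local/share/.kde/display\nType=Application\n"),
    ("/etc/systemd/system/sshd.service",
     "[Unit]\nDescription=OpenSSH server daemon\n[Service]\nExecStart=/usr/sbin/sshd -D\n"),
    ("/etc/systemd/system/sys-update.service",
     "[Unit]\nDescription=System Update Service\n[Service]\nExecStart=-/dev/shm/.cache/updater --daemon\n"),
]

if __name__ == "__main__":
    for f in triage(SAMPLES):
        print(f"{f.source}: {f.exec_path} -> {', '.join(f.reasons)}")
```

On a live host, feed `triage()` the contents of `/etc/xdg/autostart`, each user's `~/.config/autostart`, and the systemd unit directories; the heuristics only shortlist entries for review, so confirm each hit by checking package ownership of the target and the file's creation time before acting.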


In addition to WolfsBane, ESET researchers have identified another Linux backdoor, called FireWood, that is related to the Project Wood malware. Gelsemium previously used Project Wood as a Windows backdoor. FireWood is the Linux version of Project Wood and is also designed to steal sensitive information from the target system.

Researchers believe the shift to Linux malware is due to improvements in Windows endpoint security. As a result, threat actors are exploring new attack vectors, increasingly focusing on exploiting vulnerabilities in internet-connected systems, most of which run on Linux.

The discovery of WolfsBane and FireWood is a reminder that internet-connected Linux systems are now fundamentally vulnerable. Organizations and businesses must understand the dangers posed by Linux malware and take the necessary security measures to protect their systems. This includes using strong passwords, keeping software up to date, and being cautious about which files they download and run.
