A new Linux backdoor named WolfsBane has been recently uncovered by the ESET researchers, attributed to the Gelsemium advanced persistent threat (APT) group.
This discovery marks the first public report of Gelsemium using Linux malware, signaling a shift in their operational strategy.
WolfsBane is identified as the Linux counterpart of Gelsevirine, a known Windows malware used by Gelsemium.
The malware’s primary goal is cyberespionage, targeting sensitive data such as system information, user credentials, and specific files and directories.
It is designed to maintain persistent access and execute commands stealthily, enabling prolonged intelligence gathering while evading detection.
Key Features of WolfsBane:-
- Custom libraries for network communication
- Sophisticated command execution mechanism
- Similar configuration structure to its Windows counterpart
- Use of previously known Gelsemium-associated domains
Alongside WolfsBane, researchers discovered another Linux backdoor named FireWood. While its connection to Gelsemium is less certain, it shares similarities with the group’s Project Wood malware.
FireWood’s attribution to Gelsemium is made with low confidence, considering it could be a tool shared among multiple China-aligned APT groups.
Maximizing Cybersecurity ROI: Expert Tips for SME & MSP Leaders – Attend Free Webinar
Attack Chain
The WolfsBane attack chain consists of three stages:
- Dropper: Disguised as a legitimate command scheduling tool, it places the launcher and backdoor in hidden directories.
- Launcher: Maintains persistence and initiates the backdoor.
- Backdoor: Loads embedded libraries for main functionalities and network communication.
.webp)
WolfsBane uses a modified open-source BEURK userland rootkit to hide its activities, hooking basic standard C library functions to filter out results related to the malware.
This discovery highlights a growing trend among APT groups to focus on Linux malware. This shift is attributed to:
- Improvements in Windows email and endpoint security
- Widespread use of endpoint detection and response (EDR) tools
- Microsoft’s decision to disable Visual Basic for Applications (VBA) macros by default
As a result, threat actors are increasingly targeting vulnerabilities in internet-facing systems, many of which run on Linux.
The emergence of WolfsBane and FireWood represents a significant evolution in Gelsemium’s tactics and the broader APT landscape.
As Linux systems become more attractive targets, organizations must adapt their security strategies to protect against these emerging threats.
This development underscores the need for comprehensive security measures across all operating systems and emphasizes the importance of staying vigilant against evolving cyber threats.
Are you from SOC/DFIR Teams? – Analyse Malware Files & Links with ANY.RUN -> Try for Free