ESET researchers have identified multiple samples of two previously unknown Linux backdoors: WolfsBane and FireWood.
The goal of the backdoors and tools discovered is cyberespionage that targets sensitive data such as system information, user credentials, and specific files and directories. These tools are designed to maintain persistent access and execute commands stealthily, enabling prolonged intelligence gathering while evading detection.
WolfsBane execution chain (Source: ESET)
WolfsBane
Researchers discovered the WolfsBane samples at VirusTotal, uploaded from Taiwan, the Philippines, and Singapore, likely originating from an incident response on a compromised server. They attribute it with high confidence to Gelsemium, a China-aligned APT group.
Gelsemium has previously targeted entities in Eastern Asia and the Middle East. This China-aligned threat actor has a known history dating back to 2014. Until now, there have been no public reports of Gelsemium using Linux malware.
WolfsBane is part of a simple loading chain consisting of the dropper, launcher, and backdoor. Part of the analyzed WolfsBane attack chain is also a modified open-source userland rootkit, a type of software that exists in the user space of an operating system and hides its activities.
FireWood
Additionally, ESET Research discovered another Linux backdoor, FireWood. However, ESET cannot definitively link FireWood to other Gelsemium tools, and its presence in the archives analyzed might be coincidental. Thus, ESET attributes FireWood to Gelsemium with low confidence, considering it could be a tool shared among multiple China-aligned APT groups.
FireWood is connected to a backdoor tracked by researchers under the name Project Wood. Researchers traced it back to 2005 and observed it evolving into more sophisticated versions. The backdoor was used previously in Operation TooHash.
The archives ESET analyzed also contain several additional tools – mostly webshells – that permit remote control by an attacker once they are installed on a compromised server, and simple utility tools.
“The most notable samples we found in archives uploaded to VirusTotal are two backdoors resembling known Windows malware used by Gelsemium. WolfsBane is the Linux counterpart of Gelsevirine, while FireWood is connected to Project Wood. We also discovered other tools potentially related to Gelsemium’s activities,” says ESET researcher Viktor Šperka, who analyzed Gelsemium’s latest toolset.
“The trend of APT groups to focus on Linux malware is becoming more noticeable. We believe this shift is due to improvements in Windows email and endpoint security, such as the widespread use of endpoint detection and response tools and Microsoft’s decision to disable Visual Basic for Applications macros by default. Consequently, threat actors are exploring new attack avenues, with a growing focus on exploiting vulnerabilities in internet-facing systems, most of which run on Linux,” explains Šperka.