Chinese Hackers Target Linux with New WolfsBane Malware
A new and concerning development in the cybersecurity landscape has emerged with the discovery of “WolfsBane,” a sophisticated Linux backdoor believed to be the handiwork of the Chinese “Gelsemium” hacking group. This malware represents a significant threat, showcasing a clear shift in targeting strategies by advanced persistent threat (APT) groups.
WolfsBane Malware: A Multi-Stage Malware Threat
ESET security researchers, who first analyzed WolfsBane, describe it as a comprehensive malware tool featuring three key components: a dropper, a launcher, and the backdoor itself. The dropper, cleverly named “cron,” disguises the launcher as a seemingly innocuous KDE desktop component. This deceptive tactic allows it to easily infiltrate the target system.
Once executed, the launcher takes center stage, loading the core malware component, “udevd.” This component contains three encrypted libraries holding the malware’s functionality and crucial command and control (C2) communication configuration. This layered approach enhances the malware’s resilience against detection.
Adding another layer of stealth, WolfsBane incorporates a modified version of the BEURK userland rootkit. This rootkit is loaded via /etc/ld.so.preload, enabling system-wide hooking. This technique allows WolfsBane to hide its processes, files, and network traffic, making it very difficult to detect from within the compromised system.
“The WolfsBane Hider rootkit hooks many basic standard C library functions such as open, stat, readdir, and access,” explains ESET. “While these hooked functions invoke the original ones, they filter out any results related to the WolfsBane malware.”
This intricate design allows WolfsBane to execute commands received from the C2 server, mimicking the same mechanism used in its Windows counterpart. These commands encompass a wide range of malicious activities, including file operations, data exfiltration, and system manipulation, granting Gelsemium complete control over compromised systems. The seamless integration of these components makes WolfsBane a highly effective and stealthy threat.
FireWood: A Shared Tool in the APT Arsenal
While not exclusively linked to Gelsemium, another Linux malware family, “FireWood,” has also been discovered. This backdoor, potentially a shared resource among multiple Chinese APT groups, enables versatile and long-term espionage campaigns. Its capabilities include file operations, shell command execution, library loading/unloading, and data exfiltration.
Adding to its stealth capabilities, FireWood incorporates a suspected kernel-level rootkit, “usbdev.ko,” to further conceal its activities. Persistence is achieved by creating an autostart file (“gnome-control.desktop”) within the “.config/autostart/” directory, ensuring automatic execution upon system startup.
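The three persistence and stealth artifacts named above (the /etc/ld.so.preload entry used by the WolfsBane rootkit, FireWood’s gnome-control.desktop autostart file, and its suspected usbdev.ko kernel module) can be checked for with a short host scan. The following is an added example written for this article, not ESET’s or any vendor’s tooling; the artifact locations come from the text, while the scan logic, the staging tree and the placeholder library name in the demo are constructed.

```python
import os
import tempfile
from pathlib import Path

# Artifact locations come from the article; the scanning logic is an added example.
LD_PRELOAD_FILE = "etc/ld.so.preload"
AUTOSTART_ENTRY = ".config/autostart/gnome-control.desktop"
PROC_MODULES = "proc/modules"
SUSPECT_MODULE = "usbdev"  # usbdev.ko is listed as "usbdev" in /proc/modules


def scan_host(root, home):
    """Return (kind, detail) findings for the tree under `root` and the home dir `home`.
    On a live host `root` is "/"; in demo() it is a constructed staging tree."""
    findings = []
    preload = Path(root, LD_PRELOAD_FILE)
    if preload.is_file():  # a non-empty ld.so.preload is rare on a healthy host
        for line in preload.read_text().splitlines():
            if line.strip():
                findings.append(("ld.so.preload", line.strip()))
    autostart = Path(home, AUTOSTART_ENTRY)
    if autostart.exists():
        findings.append(("autostart", str(autostart)))
    modules = Path(root, PROC_MODULES)
    if modules.is_file():
        for line in modules.read_text().splitlines():
            fields = line.split()
            if fields and fields[0] == SUSPECT_MODULE:
                findings.append(("module", fields[0]))
    return findings


def demo():
    """Build a constructed staging tree containing all three artifacts and scan it."""
    base = tempfile.mkdtemp()
    home = os.path.join(base, "home", "user")
    os.makedirs(os.path.join(base, "etc"))
    os.makedirs(os.path.join(base, "proc"))
    os.makedirs(os.path.join(home, ".config", "autostart"))
    # Constructed sample values: the library path is a placeholder, not a real IOC.
    Path(base, LD_PRELOAD_FILE).write_text("/lib/placeholder-hider.so\n")
    Path(home, AUTOSTART_ENTRY).write_text("[Desktop Entry]\nType=Application\n")
    Path(base, PROC_MODULES).write_text("usbdev 16384 0 - Live 0x0000000000000000\n"
                                        "ext4 1048576 1 - Live 0x0000000000000000\n")
    return scan_host(base, home)
```

Every check here goes through libc calls (stat, open, readdir) that the article says the rootkit hooks, so on a suspect host run the scan from a statically linked interpreter or against an offline-mounted disk image rather than trusting results obtained through the possibly hooked library.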
The Shift Towards Linux Targets
ESET researchers highlight a significant trend: APT groups are increasingly targeting Linux platforms. This shift is attributed to enhanced Windows security measures, such as the widespread adoption of endpoint detection and response (EDR) tools and Microsoft’s decision to disable VBA macros by default.
This has forced threat actors to seek alternative attack vectors, with Linux systems, often found in internet-facing infrastructure, becoming a prime target. “The trend of APT groups focusing on Linux malware is becoming more noticeable,” ESET notes. “We believe this shift is due to improvements in Windows email and endpoint security… Consequently, threat actors are exploring new attack avenues, with a growing focus on exploiting vulnerabilities in internet-facing systems, most of which run on Linux.”
Indicators of Compromise (IOCs)
A comprehensive list of IOCs associated with WolfsBane, FireWood, and Gelsemium’s recent campaigns is available on a dedicated GitHub repository.
The emergence of WolfsBane and FireWood underscores the evolving tactics of APT groups and the increasing importance of robust Linux security. Organizations must remain vigilant, implement strong security measures, and stay updated on the latest threats to protect their systems from these sophisticated attacks. The shift towards Linux as a primary target highlights the need for comprehensive security strategies across all operating systems.