{ "name": "Unveiling WolfsBane: Linux counterpart to Gelsevirine", "slug": "unveiling-wolfsbane-linux-counterpart-to-gelsevirine", "description": "ESET researchers have discovered previously unknown Linux backdoors attributed to the China-aligned Gelsemium APT group. The main backdoor, named WolfsBane, is the Linux equivalent of Gelsemium's Gelsevirine backdoor for Windows. Another backdoor, FireWood, is connected to the group's Project Wood malware. These tools are designed for cyberespionage, targeting system information, credentials, and specific files. The malware uses sophisticated techniques for persistence, stealth, and command execution. This discovery marks Gelsemium's first known use of Linux malware, indicating a shift in APT tactics towards exploiting vulnerabilities in internet-facing Linux systems.", "published": "2024-11-22T03:49:56+00:00", "created_at": "2024-11-22T03:49:56+00:00", "modified_at": "2024-11-22T08:25:23+00:00", "created_at_opencti": "2024-11-22T03:49:56+00:00", "author": "", "confidence": null, "report_types": [], "labels": [], "tags": [ "2024-11-22", "apt", "backdoor", "cyberespionage", "firewood", "gelsevirine", "linux", "persistence", "project wood", "rootkit", "wolfsbane" ], "related_entities": { "observables": [ { "id": "", "name": "210.209.72.180" }, { "id": "", "name": "www.travel.dns04.com" }, { "id": "", "name": "www.sitesafecdn.dynamic-dns.net" }, { "id": "", "name": "rootkit.agent.ec" }, { "id": "", "name": "sitesafecdn.hopto.org" }, { "id": "", "name": "traveltime.hopto.org" }, { "id": "", "name": "pctftp.otzo.com" }, { "id": "", "name": "microsoftservice.dns1.us" }, { "id": "", "name": "domain.dns04.com" }, { "id": "", "name": "info.96html.com" }, { "id": "", "name": "acro.ns1.name" }, { "id": "", "name": "asidomain.com" }, { "id": "", "name": "dsdsei.com" }, { "id": "", "name": "4vw37z.cn" }, { "id": "", "name": "a67ac84f61b34b59827cef79b11709d137cc9490d6027e16279793b9b3e894c4" }, { "id": "", "name": "fe71b66d65d5ff9d03a47197c99081d9ec8d5f6e95143bdc33f5ea2ac0ae5762" }, { "id": "", "name": "fddec9ff14ebd957038f9c24843bff935c4f73651e9704b553dec116851f7ae5" }, { "id": "", "name": "f0d23aa026ae6ba96051401dc2b390ba5c968d55c2a4b31a36e45fb67dfc2e3c" }, { "id": "", "name": "ec491de0e2247f64b753c4ef0c7227ea3548c2f222b547528dae0cf138eca53a" }, { "id": "", "name": "d986207bc108e55f4b110ae208656b415d2c5fcc8f99f98b4b3985e82b9d5e5b" }, { "id": "", "name": "cff20753e36a4c942dc4dab5a91fd621a42330e17a89185a5b7262280bcd9263" }, { "id": "", "name": "c26d239f415bec27125862acafdeac267be398bc9208e27f09217dc8ecf64225" }, { "id": "", "name": "ae1b66e35a4e1ab8870837a52f3e4acda9e722b3f835d238acb472be49e915d6" }, { "id": "", "name": "97982e098a4538d05e78c172c9bbc5b412754df86dc73e760004f0038ec928fb" }, { "id": "", "name": "93c29bf19e09ea3b1e4ac5d31f47024a544738671488ff7ab2cd8f9a9c302262" }, { "id": "", "name": "7795a7f3bd08cb62ec6f828ad1f6836114b3e8cf153d905e3f03d6199f1f8354" }, { "id": "", "name": "6eaeca0cf28e74de6cfd82d29a3c3cc30c2bc153ac811692cc41ee290d766474" }, { "id": "", "name": "6005ecce702b84de6d46838839b2271df631ab42325b70e27324e6cabda76e7f" }, { "id": "", "name": "5d12c085b600ea2ea42d09e2104ac40d8ba2b6d005db06e12c16016200a92bd8" }, { "id": "", "name": "552388d74478a84b8e64e3ee2316331740a0d060f322e92b5c608ea745adba90" }, { "id": "", "name": "5299fe79a66b407555cdab68806564ae988b745be589767b004f7bccd7f7ac3b" }, { "id": "", "name": "46338cae732ee1664aac77d9dce57c4ff8666460c1a51bee49cae44c86e42df9" }, { "id": "", "name": "31d5e55f21246f97da006ddba6306b357d2823c90754a920c7bd268af0d2a1e4" }, { "id": "", "name": "2bab6b951ea0ae3ea9452fd503bacafb45b6687d6352f5415d14810f9cf7a89e" }, { "id": "", "name": "29e78ca3cb49dd2985a29e74cafb1a0a15515670da0f4881f6095fb2926bfefd" }, { "id": "", "name": "1f6de1af513f60572799a0893818e1b694c3ec3ff5dabddc8a0f0aa0d96d15d2" }, { "id": "", "name": "1ec286f2194199206e4ce345f1bf322b6b0b4c947b1cf32db59cca2d89370738" }, { "id": "", "name": "1b6bb9e9612982f9cb55a1c88ae988d362d03fd57748d10b8cbe7acd724055c9" }, { "id": "", "name": "1a9d78e5c255de239fb18b2cf47c4c2298f047073299c27fb54a0edf08a1d5a1" }, { "id": "", "name": "109d4b8878b8c8f3b7015f6b3ae573a6799296becce0f32ca3bd216bee0ab473" }, { "id": "", "name": "00b701e3ef29912c1fcd8c2154c4ae372cfe542cfa54ffcce9fb449883097cec" } ], "malware": [ { "id": "df08c788-c6f5-4253-8d54-158261941eb8", "name": "Project Wood", "slug": "project-wood" }, { "id": "legacy:malware:f8b5abb9030a6fc5", "name": "Gelsemine", "slug": "gelsemine" }, { "id": "legacy:malware:e4bf510e24191bd1", "name": "Gelsenicine", "slug": "gelsenicine" }, { "id": "legacy:malware:6f0745e4a5082583", "name": "Gelsevirine", "slug": "gelsevirine" }, { "id": "legacy:malware:c035a3e959999d0c", "name": "Gelsemium - S0666", "slug": "gelsemium-s0666" }, { "id": "legacy:malware:71b1a48e148f1e34", "name": "FireWood", "slug": "firewood" }, { "id": "legacy:malware:572e5f304187163b", "name": "WolfsBane", "slug": "wolfsbane" } ], "intrusion_sets": [ { "id": "dec6f5a5-a443-40a2-b35e-22ca0a4569e5", "name": "Gelsemium", "slug": "gelsemium" } ], "others": [ { "id": "", "name": "Singapore" }, { "id": "", "name": "Taiwan" }, { "id": "", "name": "Philippines" }, { "id": "", "name": "Technology" }, { "id": "", "name": "Government" } ] }, "external_refs": [ "https://www.welivesecurity.com/en/eset-research/unveiling-wolfsbane-gelsemiums-linux-counterpart-to-gelsevirine/", "https://otx.alienvault.com/pulse/67400d74e667ab8c476122e8" ] }