Chinese hackers use a new Linux-based WolfsBane malware

November 28, 2024

The Chinese-speaking hacking group Gelsemium has allegedly used the new WolfsBane malware to target Linux devices.

Based on the initial assessment of the malicious payload, WolfsBane is a comprehensive malware toolset that includes a dropper, a launcher, a backdoor, and a modified open-source rootkit used to evade security detection.

Research has also uncovered FireWood, a Linux malware linked to the Windows spyware Project Wood. FireWood, however, is more likely a shared tool used by several Chinese APT groups than an exclusive tool developed by Gelsemium.

These two malware families appeared on VirusTotal last year. They are reportedly part of a broader trend of APT groups increasingly targeting Linux platforms as Windows security improves.


The WolfsBane malware employs a sophisticated infection tactic.


According to the investigation, the WolfsBane malware operators present it to targets through a dropper called ‘cron,’ which delivers the launcher module disguised as a KDE desktop component.

Depending on its capabilities, it disables SELinux, generates system service files, or alters user configuration files to ensure persistence. In addition, the launcher loads the backdoor component ‘udevd,’ which in turn loads three encrypted libraries containing the malware’s primary functionality and C2 communication settings.

Subsequently, a modified version of the BEURK userland rootkit is loaded via ‘/etc/ld.so.preload’ to provide the malware operators with system-wide hooking and help obscure WolfsBane-related processes, files, and network traffic.

The WolfsBane Hider rootkit then hooks numerous basic standard C library functions, including open, stat, readdir, and access. When these hooked routines are called, they invoke the original functions but strip any results connected to the WolfsBane malware.
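The two details above, a library injected through ‘/etc/ld.so.preload’ and a readdir() hook that filters out the malware's own files, suggest a straightforward host check for defenders: compare what libc's readdir() returns with what the kernel's getdents64 syscall returns for the same directory, and inspect the preload file. The program below is an added example written for this page; it is not code from the article, from ESET, or from the malware. Its function names, the sample preload contents in the comments, and the 32 KiB buffer size are assumptions chosen for illustration, and it only addresses userland (preload-based) hooking, not a kernel-mode rootkit.

```c
// Added example: userland check for ld.so.preload entries and readdir() hiding.
// Not from the article or ESET; names and constants are illustrative choices.
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Record layout returned by getdents64 (see man 2 getdents). */
struct linux_dirent64 {
    unsigned long long d_ino;
    long long          d_off;
    unsigned short     d_reclen;
    unsigned char      d_type;
    char               d_name[];
};

typedef struct { char **names; size_t count; } listing;

static void listing_add(listing *l, const char *name) {
    l->names = realloc(l->names, (l->count + 1) * sizeof *l->names);
    l->names[l->count++] = strdup(name);
}

static void listing_free(listing *l) {
    for (size_t i = 0; i < l->count; i++) free(l->names[i]);
    free(l->names);
}

/* View 1: the libc view. A preload rootkit that hooks readdir() filters here. */
static int list_via_libc(const char *dir, listing *out) {
    DIR *d = opendir(dir);
    if (!d) return -1;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) listing_add(out, e->d_name);
    closedir(d);
    return 0;
}

/* View 2: the kernel view. Raw syscalls bypass libc entirely, so a hook installed
   through ld.so.preload cannot filter them (openat is used because it exists on
   every Linux architecture, unlike the legacy open syscall). */
static int list_via_syscall(const char *dir, listing *out) {
    int fd = (int)syscall(SYS_openat, AT_FDCWD, dir, O_RDONLY | O_DIRECTORY);
    if (fd < 0) return -1;
    long long buf[32768 / sizeof(long long)];   /* 8-byte aligned record buffer */
    char *bytes = (char *)buf;
    for (;;) {
        long n = syscall(SYS_getdents64, fd, bytes, sizeof buf);
        if (n < 0) { close(fd); return -1; }
        if (n == 0) break;
        for (long off = 0; off < n;) {
            struct linux_dirent64 *d = (struct linux_dirent64 *)(bytes + off);
            listing_add(out, d->d_name);
            off += d->d_reclen;
        }
    }
    close(fd);
    return 0;
}

static int name_in(const listing *l, const char *name) {
    for (size_t i = 0; i < l->count; i++)
        if (strcmp(l->names[i], name) == 0) return 1;
    return 0;
}

/* Number of entries the kernel reports that libc does not, or -1 on error.
   0 on a clean system; a positive value is a strong hiding indicator. Re-run
   before acting on it, since a file created between the two listings also shows up. */
int count_hidden_entries(const char *dir) {
    listing libc_view = {0}, kernel_view = {0};
    int rc = -1, hidden = 0;
    if (list_via_libc(dir, &libc_view) == 0 && list_via_syscall(dir, &kernel_view) == 0) {
        for (size_t i = 0; i < kernel_view.count; i++)
            if (!name_in(&libc_view, kernel_view.names[i])) {
                printf("hidden from readdir(): %s/%s\n", dir, kernel_view.names[i]);
                hidden++;
            }
        rc = hidden;
    }
    listing_free(&libc_view);
    listing_free(&kernel_view);
    return rc;
}

/* Counts shared objects in ld.so.preload-format text: one path per line, blank
   lines and '#' comments ignored. Stock distributions normally have no such file,
   so every entry deserves a look. */
int count_preload_libs_str(const char *contents) {
    int n = 0;
    for (const char *p = contents; *p;) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p), i = 0;
        while (i < len && (p[i] == ' ' || p[i] == '\t')) i++;
        if (i < len && p[i] != '#') { printf("preload entry: %.*s\n", (int)(len - i), p + i); n++; }
        p = eol ? eol + 1 : p + len;
    }
    return n;
}

/* Reads the preload file (0 if absent). A hooked open()/fopen() could fake this
   view too, so confirm from trusted media when the directory check also fires. */
int count_preload_libs_file(const char *path) {
    FILE *f = fopen(path, "r");
    if (!f) return 0;
    char buf[8192];
    size_t got = fread(buf, 1, sizeof buf - 1, f);
    buf[got] = '\0';
    fclose(f);
    return count_preload_libs_str(buf);
}

int main(int argc, char **argv) {
    const char *dir = argc > 1 ? argv[1] : "/";
    printf("ld.so.preload entries: %d\n", count_preload_libs_file("/etc/ld.so.preload"));
    int hidden = count_hidden_entries(dir);
    printf("entries hidden in %s: %d\n", dir, hidden);
    return hidden > 0 ? 2 : (hidden < 0 ? 1 : 0);
}
```

Run it against the directories an investigation cares about (the payload's drop locations, /etc, /tmp, the home directories of affected users): any entry that the kernel returns but readdir() omits is an artefact the hooked libc is hiding, and a non-empty /etc/ld.so.preload on a host that should not have one is itself a finding worth correlating with the researchers' published IoCs.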

Furthermore, this new Linux-based malware’s primary job is to execute the commands received from the command-and-control server using predetermined command-to-function mappings. These commands cover file operations, data exfiltration, and system manipulation, giving Gelsemium complete control over infected systems.

While only loosely linked to Gelsemium, FireWood is another Linux backdoor suited to adaptable, long-term espionage. Its command execution capabilities let operators perform file operations, run shell commands, and exfiltrate data.

The researchers who discovered the malware have generated a complete list of IoCs that they stored on GitHub.
