Novel WolfsBane backdoor leveraged in Chinese attacks against Linux systems

BleepingComputer reports that Chinese advanced persistent threat operation Gelsemium has sought to compromise Linux systems with the novel Wolfsbane backdoor.

Attacks with Wolfsbane — which is suspected to be a port of Gelsemium’s Windows malware — commence with the deployment of the ‘cron’ dropper delivering the KDE desktop component-spoofing launcher, which deactivates SELinux and alters user configuration files before triggering the privacy malware component that has file operation, data theft, and system manipulation command support, an analysis from ESET revealed. Also discovered to be leveraged by Gelsemium in targeting Linux systems was the FireWood backdoor, which features shell command execution, file operation, and data exfiltration capabilities. However, such a tool may have been shared with other Chinese APTs. Mounting adoption of endpoint detection and response tools, as well as Microsoft’s default deactivation of Visual Basic for Applications macros may have prompted increased utilization of Linux malware, according to ESET. “Consequently, threat actors are exploring new attack avenues, with a growing focus on exploiting vulnerabilities in internet-facing systems, most of which run on Linux,” ESET added.