Chinese hackers, specifically the Gelsemium APT (Advanced Persistent Threat) group, are targeting Linux systems with a new, sophisticated backdoor named WolfsBane. According to ESET researchers, WolfsBane is a Linux port of existing Windows malware used by Gelsemium. The toolset includes a dropper, a launcher and a backdoor, and it evades detection with a modified open-source rootkit.
WolfsBane is introduced to a system by a dropper named cron, which installs a launcher component disguised as a KDE desktop component. Once active, it performs the following operations:
Disables SELinux: turns off the security framework to bypass its restrictions.
Establishes persistence: creates system service files or modifies user configuration files.
Stealth operations: loads a modified version of the BEURK userland rootkit to hook system functions and hide traces of the malware.
The rootkit hooks key functions such as open, stat, readdir and access and filters out any results related to WolfsBane's activity, which makes detection extremely challenging.
WolfsBane’s core functionality involves executing commands received from its C2 server, enabling:
File operations: move, delete or modify files on the compromised system.
Data exfiltration: steal sensitive data from the target machine.
System manipulation: alter system settings and configurations.
These operations mirror the behaviour of the Windows counterpart, giving Gelsemium full control over the compromised Linux systems.
In addition to WolfsBane, FireWood is another Linux malware tool believed to be linked to Project Wood, a Windows malware family. Though not as closely associated with Gelsemium, FireWood is well suited to long-term espionage. It can perform operations such as:
File operations
Shell command execution
Library loading/unloading
Data exfiltration
FireWood also includes a kernel-level rootkit (usbdev.ko) that lets it hide processes from detection, further strengthening its persistence. The malware sets up autostart files to maintain control over infected systems.
APT groups are increasingly focusing on Linux malware due to stronger security measures in Windows, including the use of Endpoint Detection and Response (EDR) tools and default restrictions like disabling VBA macros. As a result, attackers are now looking to exploit vulnerabilities in internet-facing Linux systems.
ESET researchers emphasize that this shift represents a broader trend where APT groups are turning to Linux-based malware, especially given that many web servers and cloud systems run on Linux.
🔐 Monitor system logs: stay vigilant and monitor logs for any unusual activity related to rootkits or backdoors.
🛡️ Apply security patches: regularly update and patch all systems to mitigate the risk of exploits.
🔍 Use intrusion detection systems (IDS): deploy tools that can detect abnormal behaviour or unauthorized file changes.
💻 Penetration testing: regular pentests from experts, like Wire Tor, can help identify vulnerabilities in your systems before they are exploited.
Ensure your Linux systems are safe from emerging threats like WolfsBane and FireWood! Wire Tor is offering 50% off all penetration testing services until December 2, 2024, in celebration of Black Friday and Cyber Monday.
🔒 Protect your Linux servers, workstations, and infrastructure with expert pentest services. Don’t wait — Reach Before Breach with Wire Tor. Book your pentest today!