
Chinese hackers target Linux with new WolfsBane malware

Submitted by Style Pass
2024-11-21 22:30:05

A new Linux backdoor called 'WolfsBane' has been discovered, believed to be a port of Windows malware used by the Chinese 'Gelsemium' hacking group.

ESET researchers who analyzed WolfsBane describe it as a complete malware toolset consisting of a dropper, a launcher, and a backdoor, supplemented by a modified open-source rootkit used to hide its activity from detection.

ESET also documented a second Linux backdoor, FireWood. Unlike WolfsBane, FireWood is more likely a shared tool used by multiple Chinese APT groups than an exclusive, privately developed tool of Gelsemium.

ESET says the two malware families, both of which surfaced on VirusTotal over the past year, are part of a broader trend in which APT groups increasingly target Linux platforms as Windows defenses have improved.

"The trend of APT groups focusing on Linux malware is becoming more noticeable. We believe this shift is due to improvements in Windows email and endpoint security, such as the widespread use of endpoint detection and response (EDR) tools and Microsoft's decision to disable Visual Basic for Applications (VBA) macros by default. Consequently, threat actors are exploring new attack avenues, with a growing focus on exploiting vulnerabilities in internet-facing systems, most of which run on Linux."

WolfsBane is delivered to targets via a dropper named 'cron', which writes the launcher component to disk disguised as a KDE desktop component.
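A dropper that borrows the name of the system cron daemon is a masquerading trick, and the practical check is to hunt for executables named 'cron' that the package manager does not own or that sit outside the expected system path. The script below is an added illustration of that hunt, not code from the ESET report and not a published indicator: the expected paths (/usr/sbin/cron on Debian-family systems, /usr/sbin/crond on RHEL-family systems) and the sample inventory are assumptions constructed for the example.

```python
import os

# Assumption for this example: where a legitimate cron daemon is installed
# (Debian/Ubuntu ship /usr/sbin/cron, RHEL-family systems ship /usr/sbin/crond).
EXPECTED_CRON_PATHS = {"/usr/sbin/cron", "/usr/sbin/crond"}

# Constructed sample inventory, not data from the ESET report.
# Each entry is (path, executable?, owning package or None).
# On a real host build it from something like
#   find / -xdev -type f -perm -u+x -name cron
# and resolve ownership with `dpkg -S <path>` or `rpm -qf <path>`.
SAMPLE_INVENTORY = [
    ("/usr/sbin/cron", True, "cron"),                 # genuine daemon, package-owned
    ("/home/alice/.config/cron", True, None),         # unowned executable in a home dir
    ("/tmp/.X11-unix/cron", True, None),              # unowned executable in a temp dir
    ("/var/spool/cron/crontabs/alice", False, None),  # data file, not executable
    ("/usr/share/doc/cron/README", False, "cron"),    # documentation, not executable
]


def suspicious_cron_binaries(inventory):
    """Return paths of executables named exactly 'cron' that are either not
    owned by any package or not installed at a known system location."""
    hits = []
    for path, is_exec, package in inventory:
        if not is_exec or os.path.basename(path) != "cron":
            continue
        if package is None or path not in EXPECTED_CRON_PATHS:
            hits.append(path)
    return hits


if __name__ == "__main__":
    for path in suspicious_cron_binaries(SAMPLE_INVENTORY):
        print("review:", path)
```

The name check is deliberately exact rather than a substring match, so legitimate files such as crontab spools and documentation are skipped; a file that passes both the ownership and location checks is not cleared, only deprioritised, since a package-owned path can still be overwritten by an attacker with root.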
