Chinese Hackers Unleash New WolfsBane Malware Targeting Linux: Here Is What to Know
Introduction
Chinese hackers have developed a new malware called WolfsBane that targets Linux systems. This malware, attributed to the Gelsemium advanced persistent threat (APT) group, represents a significant shift in cyber-attack strategies. Traditionally, Gelsemium focused on Windows systems, but the emergence of WolfsBane highlights a growing trend of targeting Linux platforms.
How WolfsBane Malware Targets Linux Systems
WolfsBane is a sophisticated malware toolset made up of a dropper, a launcher, and a backdoor. The dropper, disguised as a legitimate command scheduling tool, places the launcher and backdoor in hidden directories. The launcher maintains persistence and starts the backdoor, which then loads embedded libraries that provide its main functionality and its network communication.
Evasion Techniques Used by WolfsBane to Avoid Detection
To evade detection, WolfsBane uses a modified version of the open-source rootkit BEURK. This rootkit hooks standard C library functions so that the results they return are filtered to exclude anything related to the malware. In this way it hides the malware's processes, files, and network traffic, making its presence difficult for security tools to detect.
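One way a defender can check for this kind of user-space hooking, shown here as an added example that is not code from the article or from the researchers it cites: list a directory twice, once through libc's readdir() and once through the raw getdents64 syscall, and report names that only the syscall returns. The struct and function names are my own, and the code assumes Linux with glibc.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

enum { NAME_LEN = 256, MAX_NAMES = 4096 };   /* demonstration-sized caps */
/* Record layout the kernel returns from getdents64 (not glibc's struct dirent). */
struct raw_dirent64 { unsigned long long d_ino; long long d_off;
                      unsigned short d_reclen; unsigned char d_type; char d_name[]; };
/* Count entries of `path` that the raw getdents64 syscall reports but libc
 * readdir() does not, copying up to `max` names into `hidden` (may be NULL).
 * A user-space hook on readdir() cannot filter a direct syscall. -1 on error. */
int hidden_entries(const char *path, char hidden[][NAME_LEN], int max) {
    static char lib[MAX_NAMES][NAME_LEN];    /* the libc view of the directory */
    char buf[32768];                         /* raw getdents64 buffer          */
    int nl = 0, found = 0;
    DIR *dir = opendir(path);
    if (!dir) return -1;
    for (struct dirent *e; (e = readdir(dir)) && nl < MAX_NAMES;)
        snprintf(lib[nl++], NAME_LEN, "%s", e->d_name);
    closedir(dir);
    /* Second pass uses raw syscalls only, avoiding every libc wrapper. */
    int fd = syscall(SYS_openat, AT_FDCWD, path, O_RDONLY | O_DIRECTORY);
    if (fd < 0) return -1;
    for (long got; (got = syscall(SYS_getdents64, fd, buf, sizeof buf)) > 0;)
        for (long pos = 0; pos < got;) {
            struct raw_dirent64 *d = (struct raw_dirent64 *)(buf + pos);
            int seen = 0;
            for (int j = 0; j < nl && !seen; j++) seen = !strcmp(d->d_name, lib[j]);
            if (!seen && hidden && found < max)
                snprintf(hidden[found], NAME_LEN, "%s", d->d_name);
            found += !seen;                  /* present only in the raw view */
            pos += d->d_reclen;
        }
    syscall(SYS_close, fd);
    return found;
}

int main(int argc, char **argv) {            /* usage: ./hidden [directory] */
    char hidden[64][NAME_LEN];
    const char *path = argc > 1 ? argv[1] : "/proc";
    int n = hidden_entries(path, hidden, 64);
    if (n < 0) { perror(path); return 1; }
    for (int i = 0; i < n && i < 64; i++) printf("hidden from libc: %s/%s\n", path, hidden[i]);
    return printf("%d entries in %s seen by getdents64 but not readdir()\n", n, path) < 0;
}
```

Re-check any name flagged under /proc, since short-lived processes can appear between the two passes; a directory with more than MAX_NAMES entries also needs a larger cap. This comparison only exposes hooking done in user space, so a kernel-level rootkit like the one FireWood uses would not show up here.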
Command and Control Methods Employed by WolfsBane
WolfsBane communicates with its command and control (C2) server using predefined mappings from commands to functions. These commands cover file operations, data exfiltration, and system manipulation. The mechanism gives Gelsemium full control over compromised systems and lets its operators carry out a wide range of malicious activities.
Discovery and Functionality of the FireWood Backdoor
Alongside WolfsBane, researchers discovered another Linux backdoor named FireWood. While its connection to Gelsemium is less certain, it shares similarities with the group’s Project Wood malware. FireWood’s capabilities include file operations, shell command execution, library loading/unloading, and data exfiltration. It also uses a kernel-level rootkit to hide its activities.
Implications of WolfsBane and FireWood for Cybersecurity
The emergence of WolfsBane and FireWood underscores the increasing focus of APT groups on Linux malware. This shift is attributed to improvements in Windows security, such as the widespread use of endpoint detection and response (EDR) tools and Microsoft's decision to disable Visual Basic for Applications (VBA) macros by default. As a result, threat actors are exploring new attack avenues, increasingly exploiting vulnerabilities in internet-facing systems, many of which run Linux.
Conclusion
The discovery of WolfsBane and FireWood highlights the evolving tactics of cybercriminals and the need for robust security measures across all operating systems. Organizations must adapt their security strategies to protect against these emerging threats, ensuring comprehensive protection for both Windows and Linux environments.
By staying vigilant and adopting advanced security practices, organizations can better defend against sophisticated malware like WolfsBane and FireWood, safeguarding their systems and sensitive data from cyber threats.