Like a predator adapting to new hunting grounds, Gelsemium, long associated with Windows-based malware, has turned its attention to Linux systems
In a significant discovery, ESET researchers have identified WolfsBane, a Linux backdoor attributed to the Gelsemium advanced persistent threat (APT) Chinese group [1].
Here’s a look at WolfsBane: what it is, how it operates, and why it’s the cyber equivalent of the Big Bad Wolf sneaking into Goldilocks’ house—except this time, it’s your Linux system that’s “just right.”
What Is WolfsBane?
WolfsBane is a Linux adaptation of Gelsevirine [4], a Windows backdoor used by Gelsemium. It enables attackers to:
- Gather system information.
- Steal credentials and sensitive files.
- Maintain persistent access.
- Execute commands while evading detection.
Why Linux?
Linux systems are widely used in servers, internet-facing infrastructure, and cloud environments. With increased defenses on Windows platforms (like endpoint detection tools and VBA macro restrictions), APT groups are turning to Linux as a new attack surface[2].
WolfsBane’s Attack Chain
1. Initial Access
Attackers first gain access to the target system, likely through:
- Exploiting vulnerabilities in web servers or applications.
- Uploading malicious web shells (e.g., modified AntSword or Icesword JSP shells).
- Social engineering tactics like phishing.
2. Deployment of the Dropper
The dropper is the initial malware component, disguised as a legitimate file (e.g., cron), designed to:
- Install the launcher and backdoor in hidden directories like $HOME/.Xl1.
- Create persistence mechanisms depending on system privileges (e.g., systemd services or .bashrc modifications).
- Drop additional tools, such as rootkits for hiding activities.
3. Launcher Execution
The launcher, cleverly disguised (e.g., as kde), decrypts and executes the main backdoor payload. It ensures:
- Configuration parsing.
- Loading the next stage while remaining stealthy.
4. Backdoor Activation
The WolfsBane backdoor, named udevd, provides full system control to attackers. It:
- Uses custom libraries for network communication (e.g., libHttps.so).
- Encrypts configurations and payloads for stealth.
- Executes commands from its command-and-control (C&C) server.
5. Persistence Mechanisms
WolfsBane ensures it survives system reboots by:
- Adding itself as a system service (display-managerd.service) in systemd configurations.
- Modifying startup scripts or using hidden files like /etc/ld.so.preload.
6. Command-and-Control (C&C) Communication
WolfsBane communicates with its C&C server via encrypted channels (using protocols like HTTPS or UDP). This allows attackers to:
- Send commands for execution.
- Receive stolen data like credentials and sensitive files.
7. Detection Avoidance – Rootkit Integration
WolfsBane uses a modified BEURK userland rootkit, loaded via /etc/ld.so.preload, to:
- Hook system functions (e.g., open, stat) and hide malware files.
- Avoid detection by system monitoring tools.
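The persistence and rootkit artifacts named in sections 5 and 7 above (an /etc/ld.so.preload entry, the display-managerd.service unit, the hidden $HOME/.Xl1 directory, and a start-up script that launches from it) can be triaged with a short host audit. The script below is an added example written for this post, not ESET's tooling; the unit and directory names come from the write-up, while the sample tree it builds is constructed for demonstration and the "libpreload.so" name in it is a placeholder.

```python
"""Triage a Linux host or mounted image for the WolfsBane persistence artifacts named
above: /etc/ld.so.preload entries, display-managerd.service, and $HOME/.Xl1."""
import re
import tempfile
from pathlib import Path

SUSPECT_UNIT = "display-managerd.service"            # unit name reported by ESET
SUSPECT_HIDDEN_DIRS = {".Xl1"}                        # install directory reported by ESET
UNIT_DIRS = ("etc/systemd/system", "usr/lib/systemd/system", "lib/systemd/system")
HIDDEN_DIR_EXEC = re.compile(r"/\.[A-Za-z0-9_-]+/")  # a path running out of a dot-directory

def audit(root: str = "/") -> list[str]:
    """Return human-readable findings; `root` is "/" for the live host or an image mount."""
    root = Path(root)
    findings = []
    # 1. /etc/ld.so.preload is how the BEURK-derived rootkit gets into every process.
    #    The file is normally absent, so any non-blank entry deserves a look.
    preload = root / "etc/ld.so.preload"
    if preload.is_file():
        for line in preload.read_text().splitlines():
            if line.strip():
                findings.append(f"ld.so.preload entry: {line.strip()}")
    # 2. systemd unit registered under the name the backdoor uses for itself
    for d in UNIT_DIRS:
        if (root / d / SUSPECT_UNIT).exists():
            findings.append(f"systemd unit present: {root / d / SUSPECT_UNIT}")
    # 3. per-user artifacts: the hidden install dir, and start-up files launching from one
    for home in (h for h in (root / "root", *(root / "home").glob("*")) if h.is_dir()):
        for name in SUSPECT_HIDDEN_DIRS:
            if (home / name).is_dir():
                findings.append(f"hidden directory: {home / name}")
        for rc in (".bashrc", ".profile"):
            if (home / rc).is_file():
                for line in (home / rc).read_text().splitlines():
                    if HIDDEN_DIR_EXEC.search(line) and not line.lstrip().startswith("#"):
                        findings.append(f"{rc} runs from hidden dir: {line.strip()}")
    return findings

def build_sample_tree() -> str:
    """Constructed sample tree (not a real infection) holding one of each artifact."""
    base = Path(tempfile.mkdtemp(prefix="wolfsbane-audit-"))
    (base / "etc/systemd/system").mkdir(parents=True)
    (base / "etc/ld.so.preload").write_text("/home/alice/.Xl1/libpreload.so\n")  # constructed
    (base / "etc/systemd/system" / SUSPECT_UNIT).write_text("[Service]\nExecStart=/home/alice/.Xl1/kde\n")
    home = base / "home/alice"
    (home / ".Xl1").mkdir(parents=True)
    (home / ".bashrc").write_text("# constructed sample\nexport EDITOR=vim\n$HOME/.Xl1/kde &\n")
    return str(base)
```

Run `audit("/")` as root on a live host, or point `root` at a mounted disk image; the dot-directory check on start-up files is a triage heuristic and will also flag legitimate tools that live under hidden directories, so review each hit rather than acting on it automatically.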
The wolf has left its den and entered the Linux domain. Stay vigilant so you don’t become prey!
Citations:
- [1] ESET Research. (2024). Unveiling WolfsBane: Gelsemium’s Linux counterpart to Gelsevirine. We Live Security. Retrieved November 22, 2024, from https://www.welivesecurity.com/en/eset-research/unveiling-wolfsbane-gelsemiums-linux-counterpart-to-gelsevirine/
- [2] Kovacs, E. (2024). Chinese Gelsemium hackers use new WolfsBane Linux malware. Bleeping Computer. Retrieved November 22, 2024, from https://www.bleepingcomputer.com/news/security/chinese-gelsemium-hackers-use-new-wolfsbane-linux-malware/
- [3] ESET. (2024). Gelsemium: Malware indicators of compromise. GitHub. Retrieved November 22, 2024, from https://github.com/eset/malware-ioc/tree/master/gelsemium
- [4] ESET. (2021). Gelsemium: Old dog, new tricks [PDF]. Retrieved November 22, 2024, from https://web-assets.esetstatic.com/wls/2021/06/eset_gelsemium.pdf