Linux Systems Targeted by Chinese APT Group Malware Tools "WolfsBane" and "FireWood"

Chinese APTs hit Linux
Nov 25, 2024 Reading time : 2 min

ESET researchers analyzed a new Linux backdoor, which they named "WolfsBane", and assess it to be the Linux counterpart of Gelsevirine, a Windows backdoor used by the Chinese 'Gelsemium' APT group. In other words, Gelsemium has ported tooling it previously used against Windows to Linux.

Additionally, the researchers unveiled a second Linux backdoor, 'FireWood', which they link to the Project Wood Windows malware.

Both backdoors are built for cyberespionage: they collect system information and user credentials and exfiltrate specific files and directories. ESET considers it likely that FireWood is a tool shared among several Chinese APT groups rather than exclusive to Gelsemium.

ESET researcher Viktor Šperka wrote in the report:

“The trend of APT groups focusing on Linux malware is becoming more noticeable. We believe this shift is due to improvements in Windows email and endpoint security, such as the widespread use of endpoint detection and response (EDR) tools and Microsoft’s decision to disable Visual Basic for Applications (VBA) macros by default. Consequently, threat actors are exploring new attack avenues, with a growing focus on exploiting vulnerabilities in internet-facing systems, most of which run on Linux.”

The following similarities link the Linux malware WolfsBane to Gelsemium's Windows backdoor Gelsevirine, and are the basis for ESET attributing WolfsBane to the Gelsemium APT group:

  • Custom libraries for network communication
  • Comprehensive command execution mechanism
  • Similar configuration structure to its Windows counterpart
  • Use of previously known Gelsemium-associated domains

The researchers link FireWood to Project Wood on the basis of the following shared features:

  • Both use "Wood" in their naming conventions
  • Specific file name extensions such as v2 and k2
  • The same TEA encryption algorithm
  • Similar C&C communication strings
  • The same networking code
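Two of the features above, the shared TEA encryption algorithm and the shared networking code, are the kind of evidence an analyst confirms by hand rather than by reading a report. As an added example (not code from ESET or from either malware family), the block below implements the public Tiny Encryption Algorithm, which is the algorithm the attribution refers to, and the quick triage check used to spot it in an unknown binary: searching for the TEA round constant 0x9E3779B9 and the 32-round sum 0xC6EF3720, two immediates that a TEA implementation almost always embeds. The little-endian word order, the 16-byte key layout and the sample byte blob are assumptions made for the demo.

```python
"""
Tiny Encryption Algorithm (TEA, Wheeler & Needham) plus a constant scanner.

Added example, not code from the ESET report or from WolfsBane/FireWood.
Word order (little-endian) and the sample blob are assumptions for the demo.
"""
import struct

DELTA = 0x9E3779B9                 # TEA round constant, floor((sqrt(5)-1) * 2^31)
MASK = 0xFFFFFFFF
ROUNDS = 32
SUM32 = (DELTA * ROUNDS) & MASK    # 0xC6EF3720: value of "sum" after 32 rounds


def _key_words(key: bytes) -> tuple:
    """Split a 16-byte key into k0..k3 (little-endian words, an assumption)."""
    if len(key) != 16:
        raise ValueError("TEA key must be 16 bytes")
    return struct.unpack("<4I", key)


def tea_encrypt_block(v0: int, v1: int, k: tuple) -> tuple:
    """Encrypt one 64-bit block (two 32-bit words) with 32 TEA rounds."""
    k0, k1, k2, k3 = k
    s = 0
    for _ in range(ROUNDS):
        s = (s + DELTA) & MASK
        v0 = (v0 + ((((v1 << 4) & MASK) + k0) ^ (v1 + s) ^ ((v1 >> 5) + k1))) & MASK
        v1 = (v1 + ((((v0 << 4) & MASK) + k2) ^ (v0 + s) ^ ((v0 >> 5) + k3))) & MASK
    return v0, v1


def tea_decrypt_block(v0: int, v1: int, k: tuple) -> tuple:
    """Inverse of tea_encrypt_block: run the rounds backwards from s = SUM32."""
    k0, k1, k2, k3 = k
    s = SUM32
    for _ in range(ROUNDS):
        v1 = (v1 - ((((v0 << 4) & MASK) + k2) ^ (v0 + s) ^ ((v0 >> 5) + k3))) & MASK
        v0 = (v0 - ((((v1 << 4) & MASK) + k0) ^ (v1 + s) ^ ((v1 >> 5) + k1))) & MASK
        s = (s - DELTA) & MASK
    return v0, v1


def tea_encrypt(data: bytes, key: bytes) -> bytes:
    """ECB over 8-byte blocks; the caller pads. Little-endian words assumed."""
    if len(data) % 8:
        raise ValueError("data must be a multiple of 8 bytes")
    k = _key_words(key)
    out = bytearray()
    for i in range(0, len(data), 8):
        v0, v1 = struct.unpack("<2I", data[i:i + 8])
        out += struct.pack("<2I", *tea_encrypt_block(v0, v1, k))
    return bytes(out)


def tea_decrypt(data: bytes, key: bytes) -> bytes:
    """Inverse of tea_encrypt."""
    if len(data) % 8:
        raise ValueError("data must be a multiple of 8 bytes")
    k = _key_words(key)
    out = bytearray()
    for i in range(0, len(data), 8):
        v0, v1 = struct.unpack("<2I", data[i:i + 8])
        out += struct.pack("<2I", *tea_decrypt_block(v0, v1, k))
    return bytes(out)


def find_tea_constants(blob: bytes) -> dict:
    """Offsets of the TEA delta and the 32-round sum, in both byte orders.

    A hit is a lead, not proof: XTEA/XXTEA share the same delta, and a
    compiler may split the constant across instructions or compute it at
    run time, so a miss does not rule TEA out either.
    """
    hits = {}
    for name, value in (("delta", DELTA), ("sum32", SUM32)):
        for order, fmt in (("le", "<I"), ("be", ">I")):
            needle = struct.pack(fmt, value)
            offsets, start = [], 0
            while (pos := blob.find(needle, start)) != -1:
                offsets.append(pos)
                start = pos + 1
            if offsets:
                hits[f"{name}_{order}"] = offsets
    return hits


# Constructed sample, not taken from any real binary: 8 filler bytes, an
# x86-64 "mov eax, imm32" (0xB8) carrying the delta, four NOPs, then a
# "cmp eax, imm32" (0x3D) against the 32-round sum.
SAMPLE_BLOB = (
    b"\x00" * 8
    + b"\xb8" + struct.pack("<I", DELTA)
    + b"\x90" * 4
    + b"\x3d" + struct.pack("<I", SUM32)
)


if __name__ == "__main__":
    key = bytes(range(16))           # demo key, constructed
    msg = b"ESETWOOD"                # one 8-byte block, constructed
    ct = tea_encrypt(msg, key)
    assert tea_decrypt(ct, key) == msg
    print("ciphertext:", ct.hex())
    print("TEA constants in sample:", find_tea_constants(SAMPLE_BLOB))
```

Running the scanner over a real sample is the first step, not the last: once the constants are located, the surrounding round loop (the `<< 4`, `>> 5` shifts and the four key words) is disassembled and compared against the other family's implementation, which is the level of evidence a "same algorithm" claim like the one above rests on.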

WolfsBane itself is not a single binary but a three-stage chain on the compromised Linux host: a dropper, a launcher, and the backdoor proper. Indicators of compromise for Gelsemium's latest campaigns are published in the researchers' GitHub repository.

Posted by Vibha Anand, Business Journalist
