A new Linux backdoor called 'WolfsBane' has been discovered, believed to be a port of Windows malware used by the Chinese 'Gelsemium' hacking group.ESET security researchers who analyzed WolfsBane report that WolfsBane is a complete malware tool featuring a dropper, launcher, and backdoor, while it also uses a modified open-source rootkit to evade detection.The researchers also discovered 'FireWood,' another Linux malware that appears linked to the 'Project Wood' Windows malware.However, FireWood is more likely a shared tool used by multiple Chinese APT groups rather than an exclusive/private tool created by Gelsemium.ESET says the two malware families, both appearing on VirusTotal over the last year, are part of a broader trend where APT groups increasingly target Linux platforms due to Windows security getting stronger."The trend of APT groups focusing on Linux malware is becoming more noticeable. We believe this shift is due to improvements in Windows email and endpoint security, such as the widespread use of endpoint detection and response (EDR) tools and Microsoft's decision to disable Visual Basic for Applications (VBA) macros by default. Consequently, threat actors are exploring new attack avenues, with a growing focus on exploiting vulnerabilities in internet-facing systems, most of which run on Linux." ESETWolfsBane's stealthy howlWolfsBane is introduced to targets via a dropper named 'cron,' which drops the launcher component disguised as a KDE desktop component.Depending on the privileges it runs with, it disables SELinux, creates system service files, or modifies user configuration files to establish persistence.Source;https://www.bleepingcomputer.com/news/security/chinese-gelsemium-hackers-use-new-wolfsbane-linux-malware/https://www.welivesecurity.com/en/eset-research/unveiling-wolfsbane-gelsemiums-linux-counterpart-to-gelsevirine/#Technical%20analysis
The launcher loads the privacy malware component, 'udevd,' which loads three encrypted libraries containing its core functionality and command and control (C2) communication configuration.Finally, a modified version of the BEURK userland rootkit is loaded via '/etc/ld.so.preload' for system-wide hooking to help hide processes, files, and network traffic related to WolfsBane's activities."The WolfsBane Hider rootkit hooks many basic standard C library functions such as open, stat, readdir, and access," explains ESET."While these hooked functions invoke the original ones, they filter out any results related to the WolfsBane malware."WolfsBane's main operation is to execute commands received from the C2 server using predefined command-function mappings, which is the same mechanism as the one used in its Windows counterpart.These commands include file operations, data exfiltration, and system manipulation, giving Gelsemium total control over compromised systems.FireWood overviewThough only loosely linked to Gelsemium, FireWood is another Linux backdoor that could enable versatile, long-term espionage campaigns.Its command execution capabilities enable operators to perform file operations, shell command execution, library loading/unloading, and data exfiltration.ESET identified a file named 'usbdev.ko,' which is suspected of operating as a kernel-level rootkit, providing FireWood with the ability to hide processes.The malware sets its persistence on the host by creating an autostart file (gnome-control.desktop) in '.config/autostart/,' while it can also include commands in this file to execute them automatically on system startup.A comprehensive list of indicators of compromise associated with the two new Linux malware families and Gelsemium's latest campaigns are available on this GitHub repository.https://github.com/eset/malware-ioc/tree/master/gelsemium
what is the initial attack vector?
>>103276994Honestly, I really don't know, what I don know is that SELinux is mostly used by the glowniggers.
>>103276994>manually download the virus executable>chmod +x virus-app>sudo ./virus-app>enter root password
>>103277098Is there a way to defend against this?
But I'm using openpepe with AppArmor
>>103276994Sudo apt install
no an issue in immutable distros
>>103276875>my main drive is Devuan with apparmor enabled, dedicated firejail profiles simlinked to all executables and strict iptables rules plus a separate /tmp partition mounted with nodev, nosuid and noexec (also binded to /var/tmp).Yeah, not my problem.
>>103277485>bindedgood morning saar
>>103277531...fuck me.
>>103277485impressive, very nice
>>103277485>non related question how to start a software? it is not "systemctl" command.
>>103277658try "dinitctl" instead
>>103276875>>103276890tl;dr
>>103277738linux is compromised
>>103276885>KDEhopefully everyone using this trash you get chink nigger virus and DIE
>>103277902Interesting that the article speculates that they target linux systems more because a lot of them are web-facing. But those that are shouldn't have KDE running all that often because that's the opposite of a lightweight server DE right?
>>103277951It only says disguises as KDE. It might show up on a system that doesn't have KDE.Did I read it right? It's just the disguise, not a mechanism.
>>103278370I took it to mean that disguising itself as a KDE plugin of sorts is a way of getting executed in the first place, as an infiltration vector. That requires the system to run KDE. That requires, in conjunction with the condition of being web-facing, a bloated setup because who needs KDE on a server.Either way it seems like a case of download & execute?
>>103278577do you need a kde setup to run a kde app? I have always been a tiling wm fag so I don't remember/know much about kde or gnome shit tbqh
>>103276875>installs steam>nukes desktop environmentthere's your malware lol
>>103277098 its over who could save us?
>>103278605I intuitively assumed it's related to the many auto-loading stuff. Plenty of "community content" that may or may not be secure. I am neither informed nor knowledgeable though. Would make it a little more than >sudo ./virus-app
Guys… ?
>>103278784Doesn't mean much on its own. Begs the question whether non-systemd systems are not affected (again) or it's both implementations
>>103278784chink'd
just stop downloading and running malware as root lil bro.
>>103277746Always was.
>>103278821No
>>103276875>Chinese hackers target Linux with new WolfsBane malwarenot my problem
>>103278885lmao hackers exploited a motherfucking Hardware Backdoor for years on apple siliconhttps://arstechnica.com/security/2023/12/exploit-used-in-mass-iphone-infection-campaign-targeted-secret-hardware-feature/#gsc.tab=0
>yet another shitstaind backdoornot my problem
>>103278834stop it!
>>103276885>is a complete malware tool featuring a dropper, launcher, and backdoorBut can it force people to play and win a game of tic-tac-toe before they get control of their machine back? I miss sub7.
>>103278834kek, nice edit
>>103278936Actual proof or just flamebait? Last I checked we definitely run udev too
>>103278968sub7 and early RATs were pure soul kino
>>103278901>iphone
>>103279140What part of APPLE SILICON you didn't understand?
>>103279187>M1 and M2i got the M4 LOLE
>>103279333That got released after the xploit, but seeing how apple keep that Hardware Backdoor in every device, I doubt they remove it, they need to be able to access every device somehow.
tldr tho
>>103279406t. retard zoomer with no attention span, maybe a tiktok video would help you brainless faggots
Who cares, I use mac.
>>103279473based
someone tell me what the attack vectors are im going fucking insane
