A new Linux backdoor called 'WolfsBane' has been discovered, believed to be a port of Windows malware used by the Chinese 'Gelsemium' hacking group.

ESET security researchers who analyzed WolfsBane report that WolfsBane is a complete malware tool featuring a dropper, launcher, and backdoor, while it also uses a modified open-source rootkit to evade detection.

The researchers also discovered 'FireWood,' another Linux malware that appears linked to the 'Project Wood' Windows malware.

However, FireWood is more likely a shared tool used by multiple Chinese APT groups rather than an exclusive/private tool created by Gelsemium.

ESET says the two malware families, both appearing on VirusTotal over the last year, are part of a broader trend where APT groups increasingly target Linux platforms due to Windows security getting stronger.

"The trend of APT groups focusing on Linux malware is becoming more noticeable. We believe this shift is due to improvements in Windows email and endpoint security, such as the widespread use of endpoint detection and response (EDR) tools and Microsoft's decision to disable Visual Basic for Applications (VBA) macros by default. Consequently, threat actors are exploring new attack avenues, with a growing focus on exploiting vulnerabilities in internet-facing systems, most of which run on Linux." - ESET

WolfsBane's stealthy howl

WolfsBane is introduced to targets via a dropper named 'cron,' which drops the launcher component disguised as a KDE desktop component.

Depending on the privileges it runs with, it disables SELinux, creates system service files, or modifies user configuration files to establish persistence.

Source:
https://www.bleepingcomputer.com/news/security/chinese-gelsemium-hackers-use-new-wolfsbane-linux-malware/
https://www.welivesecurity.com/en/eset-research/unveiling-wolfsbane-gelsemiums-linux-counterpart-to-gelsevirine/#Technical%20analysis
The launcher loads the privacy malware component, 'udevd,' which loads three encrypted libraries containing its core functionality and command and control (C2) communication configuration.

Finally, a modified version of the BEURK userland rootkit is loaded via '/etc/ld.so.preload' for system-wide hooking to help hide processes, files, and network traffic related to WolfsBane's activities.

"The WolfsBane Hider rootkit hooks many basic standard C library functions such as open, stat, readdir, and access," explains ESET.

"While these hooked functions invoke the original ones, they filter out any results related to the WolfsBane malware."

WolfsBane's main operation is to execute commands received from the C2 server using predefined command-function mappings, which is the same mechanism as the one used in its Windows counterpart.

These commands include file operations, data exfiltration, and system manipulation, giving Gelsemium total control over compromised systems.

FireWood overview

Though only loosely linked to Gelsemium, FireWood is another Linux backdoor that could enable versatile, long-term espionage campaigns.

Its command execution capabilities enable operators to perform file operations, shell command execution, library loading/unloading, and data exfiltration.

ESET identified a file named 'usbdev.ko,' which is suspected of operating as a kernel-level rootkit, providing FireWood with the ability to hide processes.

The malware sets its persistence on the host by creating an autostart file (gnome-control.desktop) in '.config/autostart/,' while it can also include commands in this file to execute them automatically on system startup.

A comprehensive list of indicators of compromise associated with the two new Linux malware families and Gelsemium's latest campaigns is available on this GitHub repository:
https://github.com/eset/malware-ioc/tree/master/gelsemium
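As an added defender-side example (not code from the article, from ESET, or from the thread), a small Python triage script that checks the two persistence spots the write-up names: entries in /etc/ld.so.preload, which WolfsBane uses to load its userland rootkit, and autostart .desktop files under ~/.config/autostart/, which FireWood uses. The sample file contents and paths are constructed for illustration and are not indicators from the report; the trusted and suspect path prefixes are assumptions.

```python
import os
import re

# Assumption: on a sane host any preloaded library lives under a system
# library prefix and is named lib*.so; everything else is worth a look.
TRUSTED_LIB_PREFIXES = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")
# Assumption: a legitimate autostart entry has no business executing from here.
SUSPECT_EXEC_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/", "~")


def audit_ld_preload(content: str) -> list[str]:
    """Return entries of an /etc/ld.so.preload text that fall outside the
    trusted prefixes. Entries are whitespace-separated; '#' starts a comment.
    A clean host usually has this file absent or empty."""
    findings = []
    for line in content.splitlines():
        for entry in line.split("#", 1)[0].split():
            trusted = entry.startswith(TRUSTED_LIB_PREFIXES)
            if not trusted or not os.path.basename(entry).startswith("lib"):
                findings.append(entry)
    return findings


def audit_autostart_entry(filename: str, content: str) -> list[str]:
    """Flag an XDG autostart .desktop file whose Exec= line runs a binary from
    a user or temp directory (or a dot-directory), or that hides itself from
    the session's autostart UI with Hidden=true."""
    findings = []
    m = re.search(r"^Exec=(.+)$", content, re.MULTILINE)
    if m:
        argv0 = m.group(1).strip().split()[0]
        if argv0.startswith(SUSPECT_EXEC_PREFIXES) or "/." in argv0:
            findings.append(f"{filename}: Exec runs from unusual path {argv0}")
    if re.search(r"^Hidden=true$", content, re.MULTILINE):
        findings.append(f"{filename}: entry is Hidden=true")
    return findings


# Constructed samples: these paths are made up and are not IoCs from ESET.
SAMPLE_PRELOAD = "/usr/lib/x86_64-linux-gnu/libfoo.so\n/home/user/.config/.kde/libudevd.so\n"
SAMPLE_DESKTOP = (
    "[Desktop Entry]\nType=Application\nName=gnome-control\n"
    "Exec=/home/user/.config/.gnome-control/udevd --daemon\nHidden=true\n"
)

if __name__ == "__main__":
    for finding in audit_ld_preload(SAMPLE_PRELOAD):
        print("ld.so.preload:", finding)
    for finding in audit_autostart_entry("gnome-control.desktop", SAMPLE_DESKTOP):
        print("autostart:", finding)
```

Because the preloaded rootkit hooks open, stat and readdir and filters its own files out of the results, read the real files from a rescue medium or with a statically linked tool rather than from a process on the suspect host that loads ld.so.preload.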
what is the initial attack vector?
>>103276994
Honestly, I really don't know, what I don't know is that SELinux is mostly used by the glowniggers.
>>103276994
>manually download the virus executable
>chmod +x virus-app
>sudo ./virus-app
>enter root password
>>103277098
Is there a way to defend against this?
But I'm using openpepe with AppArmor
>>103276994
Sudo apt install
not an issue in immutable distros
>>103276875
>my main drive is Devuan with apparmor enabled, dedicated firejail profiles symlinked to all executables and strict iptables rules plus a separate /tmp partition mounted with nodev, nosuid and noexec (also binded to /var/tmp).
Yeah, not my problem.
>>103277485
>binded
good morning saar
>>103277531
...fuck me.
>>103277485
impressive, very nice
>>103277485
>non-related question
how to start a software? it is not the "systemctl" command.
>>103277658
try "dinitctl" instead
>>103276875
>>103276890
tl;dr
>>103277738
linux is compromised
>>103276885
>KDE
hopefully everyone using this trash you get chink nigger virus and DIE
>>103277902
Interesting that the article speculates that they target linux systems more because a lot of them are web-facing. But those that are shouldn't have KDE running all that often because that's the opposite of a lightweight server DE, right?
>>103277951
It only says disguises as KDE. It might show up on a system that doesn't have KDE.
Did I read it right? It's just the disguise, not a mechanism.
>>103278370
I took it to mean that disguising itself as a KDE plugin of sorts is a way of getting executed in the first place, as an infiltration vector. That requires the system to run KDE. That requires, in conjunction with the condition of being web-facing, a bloated setup because who needs KDE on a server.
Either way it seems like a case of download & execute?
>>103278577
do you need a kde setup to run a kde app? I have always been a tiling wm fag so I don't remember/know much about kde or gnome shit tbqh
>>103276875
>installs steam
>nukes desktop environment
there's your malware lol
>>103277098
it's over, who could save us?
>>103278605
I intuitively assumed it's related to the many auto-loading stuff. Plenty of "community content" that may or may not be secure. I am neither informed nor knowledgeable though. Would make it a little more than
>sudo ./virus-app
Guys… ?
>>103278784
Doesn't mean much on its own. Begs the question whether non-systemd systems are not affected (again) or it's both implementations
>>103278784
chink'd
just stop downloading and running malware as root lil bro.
>>103277746
Always was.
>>103278821
No
>>103276875
>Chinese hackers target Linux with new WolfsBane malware
not my problem
>>103278885
lmao hackers exploited a motherfucking Hardware Backdoor for years on apple silicon
https://arstechnica.com/security/2023/12/exploit-used-in-mass-iphone-infection-campaign-targeted-secret-hardware-feature/#gsc.tab=0
>yet another shitstaind backdoor
not my problem
>>103278834
stop it!
>>103276885
>is a complete malware tool featuring a dropper, launcher, and backdoor
But can it force people to play and win a game of tic-tac-toe before they get control of their machine back? I miss sub7.
>>103278834
kek, nice edit
>>103278936
Actual proof or just flamebait? Last I checked we definitely run udev too
>>103278968
sub7 and early RATs were pure soul kino
>>103278901
>iphone
>>103279140
What part of APPLE SILICON you didn't understand?
>>103279187
>M1 and M2
i got the M4 LOLE
>>103279333
That got released after the exploit, but seeing how Apple keeps that Hardware Backdoor in every device, I doubt they removed it; they need to be able to access every device somehow.
tldr tho
>>103279406
t. retard zoomer with no attention span, maybe a tiktok video would help you brainless faggots
Who cares, I use mac.
>>103279473
based
someone tell me what the attack vectors are, I'm going fucking insane
>>103276875
There is no perfectly secure OS except maybe TempleOS and others not connected to the internet entirely.
>Windows is the most common one and commonly used in Enterprises
>Mac is increasing in popularity and so does malware programmed for it, attractive target because it's commonly used by people in the creative industry and wealthier consumers
>Most servers run on Linux
Since most modern malware makes use of browser vulnerabilities, the best solution is to restrict your browser's access to system resources (like firejailing) as much as possible
>>103280001
DO NOT EXECUTE THE VIRUS.BIN
>>103280001
you're probably fine if you're not running söystemd
>>103277139
>>103281927
forsen
>>103277746
what does this mean for the ultra casual user
t. wincuck looking to hop the fence but I saw this thread
>>103276875
>Chinese hackers
Jews*
>>103282028
You can get pwned by downloading dumb stuff and running it on Linux and Windows
But people who download dumb stuff and run it on their operating systems don't use Linux
>>103281905
meds
>>103282072
I already took 2 dinit pills today
>>103282062
I'm already somewhat skeptical of the package manager's supposed reliability when it comes to this stuff, but when you say "downloading dumb stuff" would it include stuff from there? Or does this refer to the way people would get malware back in the day by clicking on the wrong Download button?
>>103282062
>You can get pwned by downloading dumb stuff and running it
Deprecated. You can get pwned by visiting a compromised site with embedded malicious code that runs in the background.
Harden your browser.
>>103282133
noob here, what are some ways to harden Firefox? Do you mean using Noscript and uBlock? Or is there software for this, such as what you can do with flatpaks?
>>103282062
Every linux user I've met believes that since it's linux, there are 0 viruses or no virus works on that OS, so they become even more retarded when it comes to downloading stuff.
>>103282111
Why are you skeptical of a package manager? it is way safer than just getting shit off the internet, as long as your repo jannies aren't russian or chinese you are good, you can also compile everything from source if you are a schizo, but you would have to read documentation on every update you do for that software because you don't have repo jannies to check if the software has been backdoored or not to fix it for you
>>103282195
Maybe stop talking to retards, retard
>>103282179
>Noscript and uBlock
Yes, Noscript does not block Javascript by default because many modern sites (including 4chan) depend on it. Since Java is most commonly targeted for vulnerabilities, disabling Javascript on untrusted sites, at least along with iFrames and WebGL, already goes a long way.
Use those 2 and run Firefox in a Firejail sandbox without access to system resources.
>>103282300
Thank you very much. I'll check out Firejail soon.
>>103282207
When I say skeptical I just mean there's still a trust factor involved. Personally I don't see why it would be safer than a trusted site distributing software, the way some people talk about the package manager it's as if a virus would never be overlooked or make it through somehow, or that it's foolproof. You're right though. Of course I do trust chocolatey and winget so I have no reason to be overly paranoid about using a Linux package manager, but in the context of this thread (the backdoor/exploit) I was just wondering if it was a concern. I would be using the package manager quite a lot in the next few weeks so I just wanted to be sure I wasn't about to make a huge mistake.
>>103282179
>>103282300
Oh, and under Privacy and Security, set the profile to "strict", enable HTTPS everywhere and use a custom DNS server like 9.9.9.9 or 1.1.1.1 instead of your ISP (DNS over HTTPS).
>>103282300
>Since Java is most commonly targeted for vulnerabilities, disabling Javascript on untrusted sites
Java hasn't been targeted for exploitation in a home gamer context since Applets went the way of the Tamil Kings. You don't know what you're talking about.
>>103282416
If it wasn't obvious, Java in this context was supposed to refer to Javascript
>>103276890
How do I learn more about the way these Russian and Chinese hackers hide their C2 communication? What do they do for establishing the first connection?
>>103282513
Nowadays, they often hide behind trusted sources like Amazon AWS or Akamai servers to make it look indistinguishable from normal system traffic