Deluxe company -

ESET Uncovers New Linux Malware: What You Need to Know 

November 29, 2024
Linux Malware
ESET Uncovers New Linux Malware

ESET has recently uncovered a new Linux malware family named WolfsBane, which it attributes to the Gelsemium group. ESET describes WolfsBane as a complete toolset: it bundles a dropper, a launcher, and a backdoor, so a single deployment gives the operators installation, persistence, and remote control without any further components.

WolfsBane's dropper is a file named cron. It writes the launcher to disk disguised as a KDE desktop component, can disable SELinux where it is enforcing, creates the system service files it needs, and modifies configuration files so that the launcher survives a reboot. WolfsBane also ships the Hider rootkit, a userland component that hooks C library functions such as open, stat, readdir, and access; these hooks sit in front of the corresponding system calls, so by filtering what the functions return, Hider conceals the malware's files and processes from any tool that lists or inspects them through libc.

What are the key features of WolfsBane?

  1. Multi-Stage Components
    • Dropper (cron):
      • Installs the launcher on disk, disguised as a KDE desktop component.
      • Can disable SELinux, create system service files, and modify configuration files to ensure persistence across reboots.
    • Launcher:
      • Starts the backdoor while keeping the malicious process inconspicuous (hence the KDE disguise).
    • Backdoor:
      • Establishes remote access, giving the attackers control of the infected system.
  2. Rootkit Integration (Hider)
    • WolfsBane incorporates a userland rootkit named Hider, which hooks C library functions such as open, stat, readdir, and access. Because these hooks sit in front of the real system calls, any tool that lists or opens files through libc receives a filtered view, which lets the attackers hide their files and conceal their activity.
  3. FireWood Backdoor
    • Discovered alongside WolfsBane, FireWood is a separate backdoor paired with a kernel driver module (usbdev.ko) that acts as a rootkit to hide its processes.
    • It reads an encrypted configuration file named kdeinit and renames its processes according to that configuration, further masking its presence.
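The Hider description in item 2 implies a practical check: a userland rootkit that hooks readdir() filters what libc hands back, but it cannot change what the kernel returns to a direct getdents64 system call, so listing a directory both ways and diffing the two views exposes the hidden names. The script below is an added example, not ESET's or the article's code. It assumes x86_64 or aarch64 Linux and that the libc syscall() wrapper itself is not hooked (a more thorough rootkit could hook that too, and the kernel-level FireWood module is out of reach of this technique entirely).

```python
"""Detect directory entries hidden by an LD_PRELOAD-style (Hider-type) rootkit.

os.listdir() goes through libc's opendir()/readdir(), which a preload rootkit
hooks and filters. getdents64 issued directly to the kernel is not hooked, so
names present in the raw view but absent from the libc view are being hidden.
Assumption: x86_64 or aarch64 Linux; libc's syscall() wrapper is itself clean.
"""
import ctypes
import os
import platform
import struct

# getdents64 syscall numbers for the two architectures this example supports.
_SYS_GETDENTS64 = {"x86_64": 217, "aarch64": 61}

_libc = ctypes.CDLL(None, use_errno=True)
_libc.syscall.restype = ctypes.c_long


def raw_listdir(path):
    """List a directory with getdents64 directly, bypassing libc's readdir()."""
    arch = platform.machine()
    if arch not in _SYS_GETDENTS64:
        raise RuntimeError(f"no getdents64 number known for {arch}")
    nr = _SYS_GETDENTS64[arch]
    fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY)
    names = []
    try:
        buf = ctypes.create_string_buffer(64 * 1024)
        while True:
            n = _libc.syscall(nr, fd, buf, ctypes.sizeof(buf))
            if n < 0:
                err = ctypes.get_errno()
                raise OSError(err, os.strerror(err))
            if n == 0:
                break  # end of directory
            data = buf.raw[:n]
            off = 0
            while off < n:
                # struct linux_dirent64: u64 d_ino, s64 d_off, u16 d_reclen,
                # u8 d_type, then the NUL-terminated d_name (offset 19).
                _ino, _doff, reclen, _dtype = struct.unpack_from("<QqHB", data, off)
                start = off + 19
                name = data[start:data.index(b"\0", start)]
                if name not in (b".", b".."):
                    names.append(os.fsdecode(name))
                off += reclen
    finally:
        os.close(fd)
    return sorted(names)


def hidden_entries(path, libc_view=None):
    """Names the kernel reports that the libc view omits.

    libc_view defaults to os.listdir(path), the readdir()-based listing a
    preload rootkit would filter. It can be supplied explicitly to exercise
    the comparison against a constructed, already-filtered listing.
    """
    visible = set(os.listdir(path) if libc_view is None else libc_view)
    return sorted(set(raw_listdir(path)) - visible)


if __name__ == "__main__":
    import sys
    # Directories to sweep; pass your own on the command line.
    for d in sys.argv[1:] or ["/etc", "/tmp", "/usr/lib", "/usr/local/lib"]:
        hidden = hidden_entries(d)
        print(f"{d}: {len(hidden)} hidden", hidden)
```

Run it as root on a suspect host, or pass the directories the dropper is likely to touch (the user's config directory, systemd unit directories, library paths). An empty result does not prove a clean machine: a kernel-mode rootkit, or one that also hooks syscall(), filters the raw view as well, so pair this with an offline check of the disk image.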

ESET has not determined how the attackers gain initial access; given the webshells found on the victims, they suspect an unknown vulnerability in a web application. WolfsBane's victims appear to be located in East Asia and the Middle East. Gelsemium has been active since 2014, and its operations are ongoing.

FireWood, found alongside WolfsBane, is a separate backdoor. Its kernel driver module, usbdev.ko, functions as a rootkit that hides the backdoor's processes, and an encrypted configuration file named kdeinit tells the backdoor what to rename its processes to. Note the difference from Hider: a kernel module filters results below libc, so userland cross-checks that catch an LD_PRELOAD rootkit will not expose it; the loaded-module list, the module file on disk, and an offline look at the disk image are the places to check.
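The artifacts the write-up describes (an ld.so.preload entry for a Hider-type rootkit, a kernel module named usbdev.ko, SELinux switched off by the dropper, and freshly written system service files) can be swept for with plain shell. The script below is an added triage example, not ESET's or the article's code and not a published IoC list: the file names come from the article's description, and the directory layout under ROOT is assumed to be a normal Linux root or a mounted disk image.

```sh
#!/bin/sh
# Added triage script (not ESET's or the article's code). Checks the artifact
# classes the write-up describes. Set ROOT=/mnt/evidence to run against a
# mounted image; with ROOT unset it inspects the live host.
ROOT="${ROOT:-}"

# 1. A Hider-type userland rootkit is loaded through /etc/ld.so.preload,
#    which is absent or empty on a clean host. Print every non-blank entry.
check_preload() {
    f="$1/etc/ld.so.preload"
    [ -s "$f" ] || return 0
    grep -v '^[[:space:]]*$' "$f" | sed 's/^/PRELOAD: /'
}

# 2. FireWood's rootkit is a kernel module named usbdev.ko: look for the
#    module file on disk and for a loaded module called usbdev.
check_usbdev_module() {
    r="$1"
    [ -d "$r/lib/modules" ] && find -H "$r/lib/modules" -name 'usbdev.ko*' 2>/dev/null | sed 's/^/MODULE_FILE: /'
    [ -r "$r/proc/modules" ] && grep '^usbdev ' "$r/proc/modules" | sed 's/^/MODULE_LOADED: /'
    return 0
}

# 3. selinuxfs exposes the current mode. The file is absent when SELinux is
#    disabled or not built in, which on a host that should enforce is a finding.
check_selinux() {
    f="$1/sys/fs/selinux/enforce"
    [ -r "$f" ] || { echo "SELINUX: not present"; return 0; }
    case "$(cat "$f")" in
        1) echo "SELINUX: enforcing" ;;
        0) echo "SELINUX: permissive (enforce=0)" ;;
        *) echo "SELINUX: unexpected value" ;;
    esac
}

# 4. Dropper persistence: service unit files created or modified in the
#    last N days (default 30). Review each hit against package ownership.
check_recent_units() {
    r="$1"; days="${2:-30}"
    for d in "$r/etc/systemd/system" "$r/usr/lib/systemd/system" "$r/lib/systemd/system"; do
        [ -d "$d" ] && find -H "$d" -name '*.service' -mtime "-$days" 2>/dev/null | sed 's/^/RECENT_UNIT: /'
    done
    return 0
}

run_all() {
    check_preload "$1"
    check_usbdev_module "$1"
    check_selinux "$1"
    check_recent_units "$1" "${2:-30}"
}

# Only run when asked, so the file can be sourced for its functions.
if [ "${RUN_TRIAGE:-0}" = 1 ]; then
    run_all "$ROOT" "${DAYS:-30}"
fi
```

Run it with `RUN_TRIAGE=1 sh triage.sh` on the host, or `RUN_TRIAGE=1 ROOT=/mnt/evidence sh triage.sh` against an image. Any PRELOAD or MODULE line is worth pulling the file for analysis; a RECENT_UNIT hit that no package owns and that starts a binary from a user-writable path is the pattern the dropper's persistence would leave.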

ESET is still piecing together the full picture, but the multiple webshells found on compromised hosts and the overlap with Gelsemium's past tradecraft point to a capable, persistent actor. Linux administrators should treat this as a live threat.

For further details, read ESET's full analysis on its WeLiveSecurity research blog.


ColoCrossing excels in providing enterprise Colocation Services, Dedicated Servers, VPS, and a variety of Managed Solutions, operating from 8 data center locations nationwide. We cater to the diverse needs of businesses of any size, offering tailored solutions for your unique requirements. With our unwavering commitment to reliability, security, and performance, we ensure a seamless hosting experience.

For Inquiries or to receive a personalized quote, please reach out to us through our contact form here or email us at sales@colocrossing.com.

Samantha Rattner