A recent development in the cybersecurity world has shed light on the modification of two well-known Chinese backdoors to target Linux systems. The advanced persistent threat (APT) group known as “Gelsemium” has been in operation for over a decade, and its newly identified malware variants, Wolfsbane and Firewood, belong to lineages that trace back to 2005. Initially focused on gathering information from Windows systems, Gelsemium has now adapted its tools to target Linux environments as well.
According to experts like Jason Soroko, a senior fellow at Sectigo, this shift towards Linux-based malware is part of a broader trend in the cybersecurity landscape. As organizations increasingly rely on Linux for their server infrastructure, both on-premises and in the cloud, adversaries are developing cross-platform malware to maximize their impact and reach across different systems.
The emergence of the Wolfsbane and Firewood backdoors has raised concerns among cybersecurity professionals. The first public sample of Wolfsbane was uploaded to VirusTotal in March 2023, with uploads originating from locations including Taiwan, the Philippines, and Singapore. Analysis of the malware has revealed connections to Gelsevirine, a known Windows backdoor associated with the Gelsemium group. Wolfsbane, essentially a Linux port of Gelsevirine, bundles a modified Unix rootkit to conceal its malicious activities.
Firewood, another Linux-ported backdoor, features a kernel-level rootkit and appears to be an evolution of the “Project Wood” backdoor lineage, dating back to 2005. While not definitively linked to Gelsemium, Firewood showcases the ongoing evolution and sophistication of malware targeting Linux systems.
The surge in Linux-based cyber threats has been a notable trend in recent years. Reports from security vendors have highlighted significant year-over-year increases in Linux attacks since 2020, with attack volumes against Linux now exceeding those against macOS and approaching those against Windows. Elastic Security’s annual reports have underscored the growing exposure of Linux-based devices, with an increasing share of endpoint attacks targeting these systems.
Jake King, Elastic’s head of threat and security intelligence, noted that around 32% of malware infections in the past year targeted Linux systems, signaling a concerning trend towards more sophisticated attacks on these platforms. The discovery of backdoors such as the XZ Utils (liblzma) backdoor further emphasizes adversaries’ intent to compromise Linux hosts for various purposes, including supply chain compromises.
The reasons behind the rising threats to Linux systems are multifaceted. The trend could be attributed to the growing adoption of Linux in enterprise environments, to improvements in Windows security that push adversaries towards alternative platforms, or to better security tooling and telemetry on Linux hosts, which brings attacks that previously went unnoticed into view. Adversaries are increasingly bypassing native or third-party security tools to evade detection, highlighting the need for stronger security measures to defend against evolving cyber threats.
In conclusion, the evolving landscape of cyber threats targeting Linux systems underscores the importance of robust cybersecurity practices and continuous monitoring to safeguard critical infrastructure and sensitive data from malicious actors. As adversaries adapt and innovate, organizations must stay vigilant and proactive in defending against emerging threats in the ever-changing cybersecurity landscape.