Security researchers identify new malware targeting Linux

(welivesecurity.com)

58 points | by heresie-dabord 8 hours ago

13 comments

  • linsomniac 5 hours ago

    If I am skimming this correctly, this is a C&C client allowing remote control over the network, and uses "a rootkit" for further compromise once it somehow gets installed?

    I understand the value of in-depth security reports, but the 5th time they told me "WolfsBane is the Linux counterpart of Gelsevirine, while FireWood is connected to Project Wood." I was wondering when I'd get to the meat and potatoes.

    • gerdesj 4 hours ago

      "once it somehow gets installed?"

      The report mentions: "we conclude ... exploited an unknown web application vulnerability ... ."

      The chain of events, post initial exploit, is all very well but what was the initial point of entry? The IoCs etc are welcome - thanks.

      • aorloff 39 minutes ago

        I thought SQL injection but actually Tomcat? Might be just an old unpatched server allowing PUTs

    • PcChip 2 hours ago

      I agree it was very wordy

  • snvzz 5 hours ago

    For signs of the analyzed version, there's this file:

    /lib/systemd/system/display-managerd.service

    And a process called "kde".
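The two indicators named in this comment (the display-managerd.service unit and a process named kde), together with the usbdev.ko module quoted elsewhere in the thread, as an added read-only triage script; this is not code from the article, from ESET, or from anyone in the thread. It goes one step beyond the comment: because the thread says the module's job is to hide processes, it also compares the /proc view against a signal-0 probe, the classic hidden-process check. The loaded module name "usbdev" and the sample data in the test are assumptions.

```python
"""Read-only host triage for the indicators named in this thread.  Added example,
not code from the article or ESET; a clean result is not proof of absence."""
import os

SUSPECT_UNITS = frozenset({"/lib/systemd/system/display-managerd.service"})
SUSPECT_COMMS = frozenset({"kde"})
SUSPECT_MODULES = frozenset({"usbdev"})  # assumed: usbdev.ko registers as "usbdev"

def triage(procs, modules_text, existing_units):
    """procs: (pid, comm) pairs; modules_text: /proc/modules text; units on disk."""
    findings = [("process", f"pid {pid} comm={comm}")
                for pid, comm in procs if comm in SUSPECT_COMMS]
    loaded = {line.split()[0] for line in modules_text.splitlines() if line.strip()}
    findings += [("module", name) for name in sorted(loaded & SUSPECT_MODULES)]
    findings += [("unit", u) for u in existing_units if u in SUSPECT_UNITS]
    return findings

def hidden_pids(visible_ids, probe, max_pid):
    """IDs that answer probe() but are absent from /proc.  visible_ids must include
    thread IDs (/proc/<pid>/task): kill() also succeeds on a TID, so every thread
    would otherwise be reported as hidden."""
    visible = set(visible_ids)
    return sorted(p for p in range(1, max_pid) if p not in visible and probe(p))

def _alive(pid):
    try:
        os.kill(pid, 0)          # signal 0: existence check only, nothing delivered
        return True
    except PermissionError:      # exists, owned by another user
        return True
    except ProcessLookupError:
        return False

def collect_live(proc_root="/proc"):
    procs, ids = [], set()
    for pid in (e for e in os.listdir(proc_root) if e.isdigit()):
        try:   # both reads fail if the process exited meanwhile; skip it
            with open(os.path.join(proc_root, pid, "comm")) as f:
                procs.append((int(pid), f.read().strip()))
            ids.update(int(t) for t in os.listdir(os.path.join(proc_root, pid, "task")))
        except OSError:
            continue
    try:
        with open(os.path.join(proc_root, "modules")) as f:
            modules_text = f.read()
        with open(os.path.join(proc_root, "sys/kernel/pid_max")) as f:
            max_pid = int(f.read())
    except OSError:              # e.g. a container without /proc/modules
        modules_text, max_pid = "", 32768
    units = [u for u in SUSPECT_UNITS if os.path.exists(u)]
    return triage(procs, modules_text, units), hidden_pids(ids, _alive, max_pid)
```

Run `collect_live()` as root on the host under review; a non-empty second element means a PID answered the probe but is missing from /proc, which a user-space listing such as `ps` would never show.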

  • ajsnigrutin 2 hours ago

    So, an application started as root does a lot; if started as a normal user, it does less. Sure, any first year CS student can write something like that. Or you can.. well.. install an ssh server or a vnc server or whatever.

    How it gets onto the system in the first place is the interesting (and dangerous) part, that sadly gets skimmed over here.

  • TacticalCoder 3 hours ago

    > The FireWood backdoor, in a file named dbus, is the Linux OS continuation of the Project Wood malware...

    > The analyzed code suggests that the file usbdev.ko is a kernel driver module working as a rootkit to hide processes.

    Where is the backdoor coming from? If there's a backdoor, something is backdoored. An unknown exploit installing a rootkit and using a modified file, like usbdev.ko, is not a backdoor.

    Which package / OS ships with the backdoor?

    Or doesn't the author of TFA know the definition of a backdoor? Or is it me? I mean, to me the XZ utils exploit attempt was a backdoor (for example). But I see nothing here indicating the exploit they're talking about is a backdoor.

    It reads like they classify anything opening ports and trying to evade detection as "backdoors".

    Am I going nuts?

    • NegativeK 43 minutes ago

      I don't think you're going nuts, but I do think your definition of backdoor is a specific subset.

    • remram an hour ago

      Fits the usual definition, e.g. from Wikipedia:

      > A backdoor is a typically covert method of bypassing normal authentication or encryption

  • stepupmakeup 3 hours ago

    What's the point of these kinds of articles? Most Linux malware (including this one) are not sophisticated at all, built off of pre-existing rootkit code samples off Github and quite sloppy with leaving files and traces (".Xl1", modifying bashrc, really?). And there's a weird fixation on China here, is it just more anti-China propaganda?

    • jamesmotherway 2 hours ago

      Threat actors don't create malware to impress people; they do it to accomplish their goals. Apparently, this sample was sufficient for them.

      Security companies attribute activity based on their observations. ESET, a Slovakian company, is no exception.

      • stepupmakeup 2 hours ago

        I was under the impression that persistent, but SILENT access was China's goal. Dropping files in home and /tmp/ seems like the total opposite of that and any competent sysadmin would detect these anomalies manually real quick with a simple "ls -a", even possibly by accident.

        • NegativeK an hour ago

          Chinese threat actors are not one homogeneous group. Just like every other country out there.