A sophisticated new variant of the FireWood backdoor has emerged, targeting Linux systems with enhanced evasion capabilities and a streamlined command-execution path.
This latest iteration represents a significant evolution of the malware family first discovered by ESET researchers, which has been linked to the long-running "Project Wood" malware lineage dating back to at least 2005.
The FireWood backdoor operates as a remote access trojan (RAT) designed specifically for Linux environments, using kernel-level rootkit modules and TEA-based encryption to maintain stealth and establish persistent command-and-control communications.
Once deployed, typically via web shells planted on compromised Linux hosts, the malware allows attackers to execute arbitrary commands, harvest sensitive system information and credentials, and conduct prolonged espionage operations while remaining largely undetected.
Intezer researchers identified this new variant with the SHA256 hash 898a5bd86c5d99eb70088a90f1d8f90b03bd38c15a232200538d0601c888acb6, noting significant architectural changes from earlier versions.
The malware maintains low-confidence connections to the China-aligned Gelsemium APT group, though these overlaps may reflect shared toolsets across multiple threat actors rather than definitive attribution.
The updated variant shows notable changes in its initialization routine and networking protocol.
Unlike earlier versions, which implemented an explicit permission gate through CUser::IsSuc() calls, the new iteration removes this early check entirely and instead defers root-or-kernel validation until after daemonization and PID storage.
This architectural shift splits the old SavePidAndCheckKernel() function into discrete components: an initial SavePid(pid) operation followed by CModuleControl::AutoLoad() and CheckLkmLoad() calls.
Enhanced Communication Protocol and System Reconnaissance
The malware's networking implementation is a significant departure from its predecessor's complex timing mechanisms.
Figure: New evasion implementation and comparison of basic functions (Source: Intezer)
While older variants employed sophisticated randomized time-window algorithms with configurable beacon intervals and delay parameters, the new version adopts a simplified approach built around a continuous while (true) loop.
After the configured startup delay, the malware persistently attempts C2 connections through ConnectToSvr() calls, sleeping briefly after each failure until a connection is established or the timer expires.
For system reconnaissance, the updated variant improves OS detection by adding a fallback mechanism.
When the primary /etc/issue file is unavailable, the malware automatically attempts to read distribution information from /etc/issue.net, applying the same parsing logic to both sources.
This redundancy gives the operators reliable system fingerprinting regardless of how the target is configured.
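The move from randomized time windows to a fixed-sleep retry loop has a defensive consequence the article only implies: failed connection attempts from the new variant arrive at a much more regular cadence, and cadence regularity is something a detection pipeline can measure. The following is an added example, not Intezer's code or anything from the FireWood sample itself; it scores per-(source, destination, port) groups of failed connection attempts by the relative median absolute deviation of their inter-arrival gaps. The event tuples, host addresses, gap values and thresholds are all constructed for illustration and are not indicators from the report.

```python
from statistics import median

# Constructed sample data (not from the report): one host retrying a C2 every
# ~5 s with negligible jitter (fixed-sleep loop), one host using widely
# randomized gaps (older time-window style), plus one unrelated success.
BASE = 1_700_000_000.0
REGULAR_GAPS = [5.00, 5.02, 4.99, 5.01, 5.00, 5.03, 4.98, 5.00, 5.01]
JITTERED_GAPS = [31, 118, 64, 95, 12, 140, 77, 50, 120]


def _series(src, dst, dport, gaps):
    """Expand a list of inter-arrival gaps into failed-connection events."""
    t = BASE
    out = [(t, src, dst, dport, "failed")]
    for g in gaps:
        t += g
        out.append((t, src, dst, dport, "failed"))
    return out


SAMPLE_EVENTS = (
    _series("10.0.0.5", "203.0.113.7", 443, REGULAR_GAPS)
    + _series("10.0.0.9", "198.51.100.3", 8443, JITTERED_GAPS)
    + [(BASE + 2.0, "10.0.0.9", "198.51.100.3", 8443, "success")]
)


def inter_arrival_regularity(timestamps):
    """Return (median_gap, relative_mad) for a series of attempt times,
    or None when there are too few attempts to judge cadence."""
    ts = sorted(timestamps)
    if len(ts) < 3:
        return None
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    med = median(gaps)
    if med <= 0:
        return None
    mad = median(abs(g - med) for g in gaps)
    return med, mad / med


def flag_regular_retries(events, min_attempts=8, max_rel_mad=0.05):
    """Group failed attempts by (src, dst, dport) and flag groups whose
    inter-arrival gaps are nearly constant, as a fixed-sleep retry loop
    produces. Returns [(key, attempt_count, median_gap, relative_mad)]."""
    buckets = {}
    for ts, src, dst, dport, outcome in events:
        if outcome != "failed":      # only the retry pattern is of interest
            continue
        buckets.setdefault((src, dst, dport), []).append(ts)

    findings = []
    for key, ts in buckets.items():
        if len(ts) < min_attempts:
            continue
        stats = inter_arrival_regularity(ts)
        if stats is None:
            continue
        med, rel_mad = stats
        if rel_mad <= max_rel_mad:
            findings.append((key, len(ts), round(med, 1), round(rel_mad, 3)))
    return findings


if __name__ == "__main__":
    for key, n, med, rel_mad in flag_regular_retries(SAMPLE_EVENTS):
        src, dst, dport = key
        print(f"{src} -> {dst}:{dport}: {n} failed attempts, "
              f"median gap {med}s, relative MAD {rel_mad}")
```

With the constructed input only the 10.0.0.5 series is flagged; the randomized series has a relative MAD above 0.5 and is ignored. Legitimate software (monitoring agents, systemd service restarts) also retries on fixed timers, so treat this as a triage signal to be correlated with process ancestry, for instance a connecting process spawned under a web server, which is where the web-shell delivery described above would place it.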