Post: FireWood Malware Targets Linux Systems for Command Execution and Data Theft
<div>
<div>
<p>Intezer’s Research Team has uncovered a new, low-detection variant of the FireWood backdoor, a sophisticated Linux-based remote access trojan (RAT) initially discovered by ESET researchers.</p>
<p>Linked to the “Project Wood” malware lineage dating back to 2005, FireWood is associated with espionage campaigns like Operation TooHash and shows low-confidence ties to the China-aligned Gelsemium APT group, though these overlaps could stem from shared tooling among multiple threat actors. </p>
<h2 id="h-discovery-of-new-variant"><strong>Discovery of New Variant </strong></h2>
<p>The malware deploys kernel-level rootkit modules, such as usbdev.ko, and encrypts its command-and-control (C2) traffic with a TEA-based cipher to keep communications inconspicuous. </p>
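<p>For analysts who meet this traffic or the binary, the reference cipher is worth having at hand. The following is an added example, not code from the Intezer report or from the malware: a plain TEA implementation in Python plus a byte-scanning helper. The page says only that the cipher is "TEA-based"; the standard delta 0x9E3779B9, 32 rounds and little-endian word order are assumptions here, and a real sample may diverge on any of them. The <code>find_tea_delta</code> helper is a triage heuristic: the delta constant (or its negation 0x61C88647, used by implementations that subtract instead of add) embedded in a binary is a cheap hint that a TEA-family routine is present, though the same constant also appears in benign code such as Fibonacci hashing.</p>

```python
import struct

TEA_DELTA = 0x9E3779B9   # golden-ratio constant carried by every TEA derivative
MASK32 = 0xFFFFFFFF
ROUNDS = 32              # standard TEA; malware builds may use a different count (assumption)


def _key_words(key: bytes, endian: str) -> tuple:
    """Split a 16-byte key into four 32-bit words; word order is an assumption."""
    if len(key) != 16:
        raise ValueError("TEA key must be 16 bytes")
    return struct.unpack(endian + "4I", key)


def tea_encrypt_block(v0: int, v1: int, k: tuple, rounds: int = ROUNDS) -> tuple:
    """One 64-bit block, standard Feistel-style TEA rounds with 32-bit wraparound."""
    k0, k1, k2, k3 = k
    s = 0
    for _ in range(rounds):
        s = (s + TEA_DELTA) & MASK32
        v0 = (v0 + ((((v1 << 4) & MASK32) + k0) ^ (v1 + s) ^ ((v1 >> 5) + k1))) & MASK32
        v1 = (v1 + ((((v0 << 4) & MASK32) + k2) ^ (v0 + s) ^ ((v0 >> 5) + k3))) & MASK32
    return v0, v1


def tea_decrypt_block(v0: int, v1: int, k: tuple, rounds: int = ROUNDS) -> tuple:
    """Inverse of tea_encrypt_block: start from the final round sum and walk back."""
    k0, k1, k2, k3 = k
    s = (TEA_DELTA * rounds) & MASK32
    for _ in range(rounds):
        v1 = (v1 - ((((v0 << 4) & MASK32) + k2) ^ (v0 + s) ^ ((v0 >> 5) + k3))) & MASK32
        v0 = (v0 - ((((v1 << 4) & MASK32) + k0) ^ (v1 + s) ^ ((v1 >> 5) + k1))) & MASK32
        s = (s - TEA_DELTA) & MASK32
    return v0, v1


def tea_encrypt(data: bytes, key: bytes, endian: str = "<") -> bytes:
    """ECB-style TEA over 8-byte blocks; the last block is zero-padded (assumption)."""
    k = _key_words(key, endian)
    data += b"\x00" * (-len(data) % 8)
    out = bytearray()
    for off in range(0, len(data), 8):
        v0, v1 = struct.unpack(endian + "2I", data[off:off + 8])
        out += struct.pack(endian + "2I", *tea_encrypt_block(v0, v1, k))
    return bytes(out)


def tea_decrypt(data: bytes, key: bytes, endian: str = "<") -> bytes:
    """Decrypt ECB-style TEA; padding is returned as-is so the caller can inspect it."""
    k = _key_words(key, endian)
    if len(data) % 8:
        raise ValueError("ciphertext length must be a multiple of 8")
    out = bytearray()
    for off in range(0, len(data), 8):
        v0, v1 = struct.unpack(endian + "2I", data[off:off + 8])
        out += struct.pack(endian + "2I", *tea_decrypt_block(v0, v1, k))
    return bytes(out)


def find_tea_delta(blob: bytes) -> list:
    """Offsets where the TEA delta or its negation appears as a 32-bit word, either byte order."""
    constants = (TEA_DELTA, (-TEA_DELTA) & MASK32)  # 0x9E3779B9 and 0x61C88647
    needles = [struct.pack(e + "I", c) for c in constants for e in ("<", ">")]
    hits = set()
    for needle in needles:
        start = 0
        while (i := blob.find(needle, start)) != -1:
            hits.add(i)
            start = i + 1
    return sorted(hits)


if __name__ == "__main__":
    # Constructed demo input, not data from a FireWood sample.
    key = bytes(range(16))
    ct = tea_encrypt(b"FireWood C2 beacon", key)
    print(ct.hex())
    print(tea_decrypt(ct, key))
    print(find_tea_delta(b"\x90" * 7 + struct.pack("<I", TEA_DELTA)))
```

<p>When a captured sample turns out to use a modified delta, round count or word order, only the three constants at the top and the <code>endian</code> argument need changing; the block structure is what identifies the family.</p>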
<p>Typically introduced via web shells on already-compromised Linux desktops, it lets attackers execute arbitrary commands, exfiltrate sensitive data including system details and credentials, and maintain long-term persistence for covert operations. </p>
<p>The new variant retains core functionalities but introduces refinements in implementation and configuration, enhancing its evasion and operational efficiency without altering the fundamental protocol.</p>
<p>In the updated FireWood variant, significant changes streamline the startup sequence and evasion tactics. </p>
<p>Unlike the older version, which enforced an explicit permission check via CUser::IsSuc() at execution onset, the new build eliminates this gate, deferring root-or-kernel validations until after daemonization and PID saving. </p>
<p>This is achieved by splitting the former SavePidAndCheckKernel() into discrete steps: an initial SavePid(pid) call, followed by CModuleControl::AutoLoad() and CheckLkmLoad(). </p>
<h2 id="h-technical-enhancements"><strong>Technical Enhancements</strong></h2>
<p>Such separation clarifies the initialization process and bolsters kernel-module-based hiding. </p>
<p>Networking behaviors have also been simplified; the previous multi-stage beaconing with randomized delays and configurable intervals (e.g., days between beacons and delayTime) is replaced by a straightforward while (true) loop. </p>
<p>After a configured startup delay, it repeatedly invokes ConnectToSvr(), with brief sleeps on failures, until success or timeout, prioritizing reliable C2 connectivity over temporal obfuscation. </p>
<p>System information gathering sees a minor upgrade: for OS detection it now falls back to /etc/issue.net when /etc/issue is unavailable, while the parsing itself is unchanged. </p>
<p>File path configurations for persistence differ notably: root users now use /etc/udev/rules.d/90-persistent-net.rules and /etc/modprobe.d/usbdev.conf, with non-root paths set to $HOME/.kde4/share/config/kdeglobals and $HOME/.kde4/share/config/kde.conf. </p>
<p>This contrasts with the older variant’s /etc/udev/rules.d/70-persistent-net.rules and /etc/modprobe.d/usb-storage.conf for root, and $HOME/.bashrc for non-root. Note that 70-persistent-net.rules, kdeglobals and .bashrc are legitimate file names on many systems, so the presence of one of these paths is not by itself an indicator; the file’s content or hash is what matters.</p>
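<p>A host triage check built from the paths above, as an added example that is not part of the Intezer report or of any vendor tooling. It walks the root and per-user persistence locations of both variants, hashes whatever exists there against the two complete SHA256 values in the indicators table, and looks for the usbdev module in /proc/modules. The <code>root</code> parameter exists so the same code can run against a mounted disk image or a test tree; the constructed modprobe line in the demo is illustrative, not taken from a sample. Two caveats a practitioner should keep in mind: legitimate files at the older-variant paths are flagged as weak indicators rather than hits, and a loaded rootkit can unlink itself from the module list, so a negative /proc/modules result is not a clean bill of health.</p>

```python
import glob
import hashlib
from pathlib import Path

# Paths the write-up attributes to each variant. Root paths are relative to the
# filesystem root; user paths are relative to a home directory.
PERSISTENCE_PATHS = {
    "new-root": ["etc/udev/rules.d/90-persistent-net.rules", "etc/modprobe.d/usbdev.conf"],
    "new-user": [".kde4/share/config/kdeglobals", ".kde4/share/config/kde.conf"],
    "old-root": ["etc/udev/rules.d/70-persistent-net.rules", "etc/modprobe.d/usb-storage.conf"],
    "old-user": [".bashrc"],
}

# Names that exist on many clean systems; presence alone proves nothing.
COMMON_ON_CLEAN_HOSTS = {
    "etc/udev/rules.d/70-persistent-net.rules",
    ".kde4/share/config/kdeglobals",
    ".bashrc",
}

# The two complete SHA256 values from the indicators table on this page.
KNOWN_SAMPLE_HASHES = {
    "898a5bd86c5d99eb70088a90f1d8f90b03bd38c15a232200538d0601c888acb6": "new FireWood variant",
    "4c293309a7541edb89e3ec99c4074584328a21309e75a46d0ddb4373652ee0d6": "older FireWood sample",
}

ROOTKIT_MODULE_NAME = "usbdev"   # from usbdev.ko as named in the write-up


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def check_persistence_paths(root: Path, home_dirs) -> list:
    """One finding per configured path that exists under root or under a home dir."""
    findings = []
    for label, rel_paths in PERSISTENCE_PATHS.items():
        bases = [Path(root)] if label.endswith("root") else [Path(h) for h in home_dirs]
        for base in bases:
            for rel in rel_paths:
                p = base / rel
                if not p.is_file():
                    continue
                digest = sha256_file(p)
                findings.append({
                    "path": str(p),
                    "variant": label,
                    "sha256": digest,
                    "ioc_match": KNOWN_SAMPLE_HASHES.get(digest),
                    "weak_indicator": rel in COMMON_ON_CLEAN_HOSTS,
                })
    return findings


def module_loaded(proc_modules_text: str, name: str) -> bool:
    """/proc/modules has one module per line; the first field is the module name.
    A rootkit may remove itself from this list, so False is not proof of absence."""
    for line in proc_modules_text.splitlines():
        fields = line.split()
        if fields and fields[0] == name:
            return True
    return False


def triage(root: Path, home_dirs, proc_modules_text: str) -> dict:
    return {
        "persistence": check_persistence_paths(root, home_dirs),
        "usbdev_loaded": module_loaded(proc_modules_text, ROOTKIT_MODULE_NAME),
    }


if __name__ == "__main__":
    homes = [h for h in glob.glob("/home/*") if Path(h).is_dir()] + ["/root"]
    modules_path = Path("/proc/modules")
    modules = modules_path.read_text() if modules_path.exists() else ""
    report = triage(Path("/"), homes, modules)
    for f in report["persistence"]:
        tag = "HIT" if f["ioc_match"] else ("weak" if f["weak_indicator"] else "review")
        print(f"[{tag}] {f['variant']:9} {f['path']}  sha256={f['sha256']}")
    print("usbdev module listed in /proc/modules:", report["usbdev_loaded"])
```

<p>Anything reported as <code>review</code> (a new-variant path, or an old-variant path whose name is not normally present) deserves a look at its contents: a modprobe.d file that loads a module from an unusual location, or a udev rule that runs a program, is the kind of detail that separates a real finding from a leftover config.</p>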
<p>Command handling has evolved, with the new variant dropping obsolete IDs like 0x111, 0x113, 0x114 (beacon interval adjustments) and 0x201 (file-read), reflecting the simplified networking. </p>
<p>According to the <a href="https://intezer.com/blog/threat-bulletin-firewood/" rel="noreferrer noopener nofollow" target="_blank">report</a>, Process-hiding shifts to ID 0x202 from 0x112, and HideModule is removed, while a novel SetAutoKillEl (ID 0x160) introduces togglable auto-kill functionality.</p>
<p>Undocumented commands persist, including 0x109 for connection config changes, 0x192 for C2-fetched file execution via CFileControl::FileUp and system calls (differing from 0x185), and 0x195 for exfiltrating files with extensions .v2, .k2, .W2, and drive.C2. </p>
<p>Persistent typos, such as “Destroy” in method names and “Get Memory Faile” in errors, carry over from prior builds. </p>
<p>The kernel module itself could not be collected, so its current behaviour remains unconfirmed; taken together, the changes suggest an emphasis on maintainability and adaptability for espionage use rather than a rewrite of the tool.</p>
<h2 id="h-indicators-of-compromise"><strong>Indicators of Compromise</strong></h2>
<figure>
<table>
<thead>
<tr>
<th>Variant</th>
<th>SHA256 Hash</th>
<th>Submission Details</th>
</tr>
</thead>
<tbody>
<tr>
<td>New FireWood Version</td>
<td>898a5bd86c5d99eb70088a90f1d8f90b03bd38c15a232200538d0601c888acb6</td>
<td>Analyzed by Intezer</td>
</tr>
<tr>
<td>Older Sample (Iran)</td>
<td>4c293309a7541edb89e3ec99c4074584328a21309e75a46d0ddb4373652ee0d6</td>
<td>Submitted February 5, 2025</td>
</tr>
<tr>
<td>Sample (Philippines)</td>
<td>d7be3494b3e1722eb85ee68bf7ea5508aa2d5782392619e078b78af</td>
<td>Submitted May 7, 2022; identical to new variant</td>
</tr>
</tbody>
</table>
</figure>
</div></div>