Area
Malware reports
Parent threat
Command and Control, Execution, Persistence, Defense Evasion, Privilege Escalation, Collection
Finding
https://www.welivesecurity.com/en/eset-research/unveiling-wolfsbane-gelsemiums-linux-counterpart-to-gelsevirine/
attack:T1036:Masquerading
attack:T1562.001:Disable or Modify Tools
attack:T1543.002:Systemd Service
attack:T1037:Boot or Logon Initialization Scripts
attack:T1037.004:RC Scripts
attack:T1574.006:Dynamic Linker Hijacking
attack:T1027.013:Encrypted/Encoded File
attack:T1547.006:Kernel Modules and Extensions
attack:T1204.002:Malicious File
attack:T1521.001:Symmetric Cryptography
attack:T1547.013:XDG Autostart Entries
attack:T1546.004:.bash_profile and .bashrc
attack:T1548.001:Setuid and Setgid
attack:T1027.009:Embedded Payloads
attack:T1222.002:Linux and Mac File and Directory Permissions Modification
attack:T1070.004:File Deletion
attack:T1070.009:Clear Persistence
attack:T1564.001:Hidden Files and Directories
attack:T1056:Input Capture
uses:RedirectionToNull
uses:TEAEncryption
Industry reference
Gelsemium
BEURK
FireWood
Malware reference
WolfsBane
wltm
Actor reference
No response
Component
Linux
Scenario
Internal enterprise services