Area
Malware reports
Parent threat
Command and Control, Execution, Persistence, Defense Evasion, Privilege Escalation, Collection
Finding
https://www.welivesecurity.com/en/eset-research/unveiling-wolfsbane-gelsemiums-linux-counterpart-to-gelsevirine/
attack:T1036:Masquerading
attack:T1562.001:Disable or Modify Tools
attack:T1543.002:Systemd Service
attack:T1037:Boot or Logon Initialization Scripts
attack:T1037.004:RC Scripts
attack:T1574.006:Dynamic Linker Hijacking
attack:T1027.013:Encrypted/Encoded File
attack:T1547.006:Kernel Modules and Extensions
attack:T1204.002:Malicious File
attack:T1521.001:Symmetric Cryptography
attack:T1547.013:XDG Autostart Entries
attack:T1546.004:.bash_profile and .bashrc
attack:T1548.001:Setuid and Setgid
attack:T1027.009:Embedded Payloads
attack:T1222.002:Linux and Mac File and Directory Permissions Modification
attack:T1070.004:File Deletion
attack:T1070.009:Clear Persistence
attack:T1564.001:Hidden Files and Directories
attack:T1056:Input Capture
uses:RedirectionToNull
uses:TEAEncryption
Industry reference
Gelsemium
BEURK
FireWood
Malware reference
WolfsBane
wltm
Actor reference
No response
Component
Linux
Scenario
Internal enterprise services