
Cyber Society

Evasive hackers Spotted in Attack Against Asian Government

by Darsh Poddar on Sep 24, 2023
Tags: Online Security, Digital Espionage

A stealthy threat group known as Gelsemium kept a Southeast Asian government compromised for roughly six months spanning 2022 and 2023, relying on quiet tooling and layered deception to stay unnoticed.

The Quiet Predator: Gelsemium's Stealthy Tactics Unveiled

ESET, which profiled the group in 2021, characterized Gelsemium as a "quiet" actor whose technical skill and coding ability have let it evade detection for years. The latest report from Palo Alto Networks' Unit 42 describes a new Gelsemium campaign that uses rarely seen backdoors; Unit 42 attributes the activity to Gelsemium with medium confidence.

Infiltrating the Fortresses: Gelsemium's Path to High-Value Targets

Initial access to the targets came through web shells, most likely installed by exploiting vulnerabilities in internet-exposed servers. Unit 42 identified the 'reGeorg', 'China Chopper' and 'AspxSpy' web shells, all publicly available and used by many threat actors, which complicates attribution. From these web shells, Gelsemium performed basic network reconnaissance, moved laterally over SMB, and fetched additional payloads.

Tools of Intrigue: Unveiling Gelsemium's Arsenal

The additional tools used for lateral movement, data exfiltration and privilege escalation included OwlProxy, SessionManager, Cobalt Strike, SpoolFool and EarthWorm. Three of these are not exclusive to Gelsemium: Cobalt Strike is a widely used penetration testing suite, EarthWorm a publicly available SOCKS tunneler, and SpoolFool an open-source local privilege escalation utility.

OwlProxy: The Rare Gem in Gelsemium's Arsenal

OwlProxy, by contrast, is rare: a custom HTTP proxy and backdoor that Gelsemium previously used in an intrusion against the Taiwanese government. In the latest campaign the attackers ran an executable that wrote an embedded DLL (wmipd.dll) to disk on the compromised system and then created a service to load it.

SessionManager: The IIS Backdoor and Command Gateway

This DLL, an OwlProxy variant, starts an HTTP service that inspects incoming requests for specific URL patterns carrying hidden commands. Security products on the targeted system blocked OwlProxy, forcing the attackers to fall back on EarthWorm. The second custom tool linked to Gelsemium is SessionManager, an IIS backdoor that Kaspersky previously attributed to the group.

Covert Commands and Lateral Movement: Gelsemium's Game Plan

The SessionManager sample in this campaign inspected incoming HTTP requests for a specific Cookie field containing commands to execute on the host. Those commands covered uploading files to and downloading them from the C2 server, running commands, launching applications, and proxying connections to other systems, showing that Gelsemium intended to use the compromised server as a bridgehead for reaching other nodes on the target network.
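Both OwlProxy and SessionManager turn an ordinary HTTP service into a command channel hidden in request fields, so one practical detection angle is to compare what arrives at an IIS server against what the legitimate application actually expects. The Python below is an added illustration written for this article, not code from Unit 42's report or from the malware; the cookie allowlist, the length threshold and the request records are all constructed assumptions, since the report excerpted here does not name the cookie field SessionManager used.

```python
from typing import Dict, List

# Cookie names the legitimate IIS application is known to set (constructed allowlist).
KNOWN_COOKIES = {"ASP.NET_SessionId", ".ASPXAUTH", "__RequestVerificationToken"}

# Session and auth cookies are short; a channel that also moves files needs room (assumed threshold).
MAX_COOKIE_VALUE_LEN = 512


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Split a raw Cookie header into name -> value pairs, ignoring malformed parts."""
    cookies: Dict[str, str] = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            cookies[name.strip()] = value.strip()
    return cookies


def suspicious_cookies(header: str) -> List[str]:
    """Return human-readable reasons a Cookie header deserves analyst attention."""
    reasons: List[str] = []
    for name, value in parse_cookie_header(header).items():
        if name not in KNOWN_COOKIES:
            reasons.append(f"unknown cookie name {name!r}")
        if len(value) > MAX_COOKIE_VALUE_LEN:
            reasons.append(f"{name!r} value is {len(value)} chars long")
    return reasons


def triage_requests(records: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run the heuristics over request records and return only the flagged ones."""
    flagged: List[Dict[str, object]] = []
    for rec in records:
        reasons = suspicious_cookies(rec.get("cookie", ""))
        if reasons:
            flagged.append({"client": rec["client"], "url": rec["url"], "reasons": reasons})
    return flagged


# Constructed sample: two ordinary requests and one whose cookie looks like a command channel.
SAMPLE_REQUESTS = [
    {"client": "10.0.0.5", "url": "/app/Default.aspx",
     "cookie": "ASP.NET_SessionId=k2tj4m5ba3wb1jxz; .ASPXAUTH=" + "A1B2C3D4" * 5},
    {"client": "10.0.0.9", "url": "/app/Login.aspx", "cookie": ""},
    {"client": "203.0.113.7", "url": "/app/Default.aspx",
     "cookie": "ASP.NET_SessionId=q9wev4sxp0lyh2bc; ctl=" + "QmFzZTY0" * 80},
]
```

Feeding real IIS logs into `triage_requests` requires logging the cs(Cookie) field, which IIS does not include by default; the allowlist approach also works for URL paths if the application's routes are known.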

The Unyielding Spirit of Gelsemium

In closing, Unit 42 highlights Gelsemium's persistence: the group keeps introducing new tools and adjusting its tactics even when defenders block some of its backdoors. Remember, cybersecurity is everyone's responsibility, whether you're a technical expert or a non-technical user. Stay tuned for more updates on staying safe in the digital world.