Unveiling Gelsemium’s (毒狼草) Linux backdoor WolfsBane

 

Back to Dec 19, 2024, I noted that ESET researchers analyzed previously unknown Linux backdoors (Unveiling WolfsBane: Gelsemium’s Linux counterpart to Gelsevirine).

I was attracted by the part of the WolfsBane backdoor, stored in a file named udevd, which embedded libMainPlugin. so, libUdp.so and libHttps.so.

I tried to extract those above three so files, and now let’s do it.

We need the malware sample named udevd, the hash sha1 0AB53321BB9699D354A032259423175C08FEC1A4.

Which came from the first archive, the hash sha1 f1df0c5a74c9885cb5934e3eee5e7d3cf4d291c0

udevd is an ELF file.

And search. so can see the above three so file module: libMainPlugin.so, libUdp.so, and libHttps.so

Let’s debug udevd with dbg, be patient, and finally jump here.

Yeah, we note that the key function is memcpy and the EmbeddedResource, which did deserialize the input archive and copy them to memory.

We just need to dump the three so files from memory.

First: find out the start address and how many bytes they are.

Second: write a Python script to dump as the following

Finally, we can successfully get libMainPlugin. so, libUdp.so and libHttps.so

The backdoor encrypts the libMainPlugin.So the library using the RC4 algorithm saves it to <work_directory>/X1l/data/gphoto2.

libUdp.so and libHttps.so provide C&C communications via UDP and HTTPS protocols.

 

End.