Gelsemium APT Strikes Again: New Campaign Targets Southeast Asian Government
Posted: 2023-09-25
By: dwirch
Viewed: 278
No attachments for this post
Gelsemium, an advanced persistent threat (APT) group active since 2014, has been identified in a six-month cyber campaign against a Southeast Asian government spanning 2022-2023. Historically, this group has targeted sectors including government, education, and electronic manufacturers across East Asia and the Middle East.
According to a 2021 report by ESET, Gelsemium is known for its "quiet" operations, leveraging high technical prowess to remain undetected for extended periods.
Palo Alto Network's Unit 42 has shed light on Gelsemium's latest tactics. The group has incorporated unique backdoors, with moderate confidence linked to their previous operations.
Gelsemium's initial system compromise is achieved through web shells installation, possibly exploiting server vulnerabilities. These web shells, including 'reGeorg,' 'China Chopper,' and 'AspxSpy,' are readily available and used by various threat groups, making the exact source identification challenging.
After gaining access, Gelsemium conducts network scans, initiates lateral movement using SMB, and fetches added payloads. The tools aiding their operations encompass OwlProxy, SessionManager, Cobalt Strike, SpoolFool, and EarthWorm. Among these, OwlProxy is distinct to Gelsemium, previously utilized in an attack against the Taiwanese government.
The recent Gelsemium attack unveiled an executable deployment that embedded a DLL, known as wmipd.dll, into the compromised system, initiating a service for its operation. This DLL, a version of OwlProxy, monitors HTTP service requests for URL patterns that conceal commands.
Interestingly, when security measures halted OwlProxy, the attackers pivoted to using EarthWorm. The secondary custom implant, SessionManager, is another IIS backdoor associated with Gelsemium, previously highlighted by Kaspersky.
This latest implant scrutinizes incoming HTTP requests, specifically looking for a Cookie field bearing executable commands. The commands range from file transfers, application launches, and proxy connections to other systems.
A notable aspect of both OwlProxy and SessionManager is their proxy functionality, suggesting Gelsemium's strategy to utilize the compromised server as a communication channel with other systems on the targeted network.
Unit 42 concludes by emphasizing Gelsemium's resilience. Despite facing security barriers, the group consistently adapts, deploying various tools to achieve their objectives.
Comments on this post
No comments have been added for this post.
You must be logged in to make a comment.