A subtle yet potent threat known as Gelsemium was identified while targeting a government in Southeast Asia over a period of six months from 2022 to 2023.
Historically, Gelsemium has been an active espionage group since 2014. Their activities primarily focus on institutions in sectors such as governance, education, and electronics manufacturing, especially within East Asia and the Middle East regions.
ESET, in their 2021 analysis, described this threat entity as “discreet,” emphasizing their significant technological prowess and programming expertise which enabled them to operate undetected over long durations.
More insights emerged from a study conducted by Palo Alto Network’s Unit 42, which detailed Gelsemium’s contemporary operations. These new findings linked the group to unique backdoors, suggesting a medium confidence in their connection to the specific threat actors.
Gelsemium’s Recent Endeavors
Their modus operandi began with compromising their target by deploying web shells, possibly exploiting weak points in exposed servers.
In their analysis, Unit 42 pinpointed the usage of ‘reGeorg,’ ‘China Chopper,’ and ‘AspxSpy’ web shells. These are readily available tools, employed by various threat entities, thereby complicating the task of tracing the origin.
Having established a foothold through these web shells, the group then delved deeper into the network, employed the SMB protocol for lateral movement, and retrieved supplementary payloads.
To aid in their operations, such as lateral movement, data extraction, and elevation of privileges, the group utilized tools like OwlProxy, SessionManager, Cobalt Strike, SpoolFool, and EarthWorm.
Among these, Cobalt Strike stands out as a popular penetration testing software. Meanwhile, EarthWorm offers SOCKS tunneling functionalities, and SpoolFool is an open-source tool meant for escalating privileges locally. Notably, none of these are exclusively associated with Gelsemium.
Yet, OwlProxy does hold an association with the group. Described as a distinctive HTTP proxy and backdoor tool, its usage was reported by Unit 42 in a prior assault against the Taiwanese authorities.
In their recent campaign, the group deployed an executable that dropped an embedded DLL (wmipd.dll) onto the compromised system and registered a service to run it. This DLL is a version of OwlProxy, which sets up an HTTP service and watches incoming requests for specific URL patterns that carry concealed instructions.
Researchers indicated that the targeted system’s security apparatus thwarted OwlProxy’s functioning, pushing the attackers to fall back on EarthWorm.
Another unique tool attributed to Gelsemium is SessionManager, an IIS backdoor previously associated with the group by Kaspersky. This tool scrutinized incoming HTTP requests, searching for a distinct Cookie attribute containing operational instructions.
These instructions generally entail tasks such as data transfer with the C2 server, initiating commands, starting applications, or establishing proxy connections to additional devices.
Both OwlProxy and SessionManager have capabilities that suggest the group’s aim was to utilize the compromised server as a communication portal to liaise with other systems in the victim’s network.
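The two backdoors described above share a trait that matters for defenders: both hide their command channel inside ordinary-looking HTTP traffic to the web server (OwlProxy in URL patterns, SessionManager in a Cookie attribute). The page does not publish the exact patterns or cookie names, so the triage script below, an added example that is not code from the article or from Unit 42, does not try to match them. It instead baselines the cookie names and routes a (hypothetical) application legitimately uses and flags requests that deviate: unknown cookie names, long high-entropy cookie values, and paths outside the known route set. All records, cookie names, routes and thresholds are constructed assumptions for the example.

```python
"""Heuristic triage of HTTP access records for backdoor-style command channels.

Added example (not from the Unit 42 report or the article). The article says
OwlProxy watches for specific URL patterns and SessionManager looks for a
particular Cookie attribute carrying instructions. Neither the exact patterns
nor the cookie names are on the page, so this script does not match on them;
it baselines what the application legitimately uses and flags deviations.
All records, cookie names and routes below are constructed sample data.
"""
import math
from collections import Counter

# Constructed baseline: cookie names and routes the hypothetical application
# is known to use. In practice this is built from a clean period of logs.
BASELINE = {
    "cookie_names": {"ASP.NET_SessionId", "ARRAffinity"},
    "paths": {"/", "/index.aspx", "/api/upload"},
    "path_prefixes": ("/static/",),
}

# Thresholds (assumptions; tune per environment).
MIN_SUSPECT_LEN = 32      # ignore short values such as ordinary session ids
ENTROPY_THRESHOLD = 4.0   # bits per character; random/base64-like data sits above this

# Constructed sample records, as they might be parsed from a reverse proxy
# log or an IIS log with the cookie field enabled.
SAMPLE_RECORDS = [
    {"id": 1, "method": "GET", "path": "/index.aspx",
     "cookie": "ASP.NET_SessionId=abc123def456"},
    {"id": 2, "method": "POST", "path": "/api/upload",
     "cookie": "ASP.NET_SessionId=abc123def456; ctlx=aB3dE5fG7hJ9kL1mN2pQ4rS6tU8vW0xY"},
    {"id": 3, "method": "GET", "path": "/static/logo.png", "cookie": ""},
    {"id": 4, "method": "GET", "path": "/backup/tmp.aspx", "cookie": ""},
]


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; 0.0 for empty or single-symbol strings."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def parse_cookie_header(header: str) -> dict:
    """Split 'a=1; b=2' into {'a': '1', 'b': '2'}; a bare token gets an empty value."""
    cookies = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        cookies[name.strip()] = value.strip()
    return cookies


def path_is_known(path: str, baseline: dict) -> bool:
    """True when the path is an exact baseline route or under an allowed prefix."""
    return path in baseline["paths"] or path.startswith(baseline["path_prefixes"])


def analyze(records, baseline=BASELINE):
    """Return a list of findings as (record id, reason, detail) tuples."""
    findings = []
    for rec in records:
        if not path_is_known(rec["path"], baseline):
            findings.append((rec["id"], "unknown_path", rec["path"]))
        for name, value in parse_cookie_header(rec["cookie"]).items():
            if name not in baseline["cookie_names"]:
                findings.append((rec["id"], "unknown_cookie_name", name))
            if len(value) >= MIN_SUSPECT_LEN and shannon_entropy(value) > ENTROPY_THRESHOLD:
                findings.append((rec["id"], "high_entropy_cookie_value", name))
    return findings


if __name__ == "__main__":
    for rec_id, reason, detail in analyze(SAMPLE_RECORDS):
        print(f"record {rec_id}: {reason} ({detail})")
```

On the constructed sample, record 2 is flagged twice (an unknown cookie name whose value is long and high-entropy) and record 4 once (a route outside the baseline), while the ordinary session cookie and the static asset pass. The point of the baseline approach is that it catches a cookie- or URL-borne channel whose specific name or pattern is not known in advance, at the cost of needing a clean learning period; pair it with an inventory of installed IIS modules and services so that a finding here can be traced back to the component handling those requests.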
Unit 42’s wrap-up underscores Gelsemium’s persistence. Despite countermeasures halting some of their tools, the threat entity continually revised their approach, integrating various tools to ensure their mission’s success.