Nov 2, 2021
95 Views
0 0

Gelsemium: When threat actors go gardening

Written by

ESET researchers shed light on new campaigns from the quiet Gelsemium group
In mid-2020, ESET researchers started to analyze multiple campaigns, later attributed to the Gelsemium group, and tracked down the earliest version of the malware going back to 2014. Victims of these campaigns are located in East Asia as well as the Middle East and include governments, religious organizations, electronics manufacturers and universities.
Key points in this report:
Gelsemium
The geographical distribution of Gelsemium’s targets can be seen in Figure 1.
Figure 1. Targets’ locations
Gelsemium’s whole chain might appear simple at first sight, but the exhaustive configurations, implanted at each stage, modify on-the-fly settings for the final payload, making it harder to understand. Behaviors analyzed below are tied to the configuration; as a result, filenames and paths may be different in other samples. Most of the campaigns we observed follow what we describe here.
Figure 2. Overview of the three components’ workflow
Gelsemium’s first stage is a large dropper written in C++ using the Microsoft Foundation Class library (MFC). This stage contains multiple further stages’ binaries. Dropper sizes range from about 400 kB to 700 kB, which is unusual and would be even larger if the eight embedded executables were not compressed. The developers use the zlib library, statically linked, to greatly reduce the overall size. Behind this oversized executable is hidden a complex yet flexible mechanism that is able to drop different stages according to the characteristics of the victim computer, such as bitness (32-bit vs. 64-bit) or privilege (standard user vs. administrator). Almost all stages are compressed, located in the resource section of the PE and mapped into the same component’s memory address space. Figure 3 illustrates all stages in the Gelsemine component.
Figure 3. Gelsemine address space overview
Gelsenicine is a loader that retrieves Gelsevirine and executes it. There are two different versions of the loader – both of them are DLLs; however, they differ in the context where Gelsemine is executed.
For victims with administrator privileges, Gelsemine drops Gelsenicine at C:WindowsSystem32spoolprtprocsx64winprint.dll (user-mode DLL for print processor) that is then automatically loaded by the spoolsv Windows service. To write a file under the %WINDIR%/system32 directory, administrator privileges are mandatory; hence the requirement previously mentioned.
Users with standard privileges compromised by Gelsemine drop Gelsenicine under a different directory that does not require administrator privileges. The DLL chrome_elf.dll is dropped under %CommonAppData%/Google/Chrome/Application/Library/.
Gelsevirine is the last stage of the chain and it is called MainPlugin by its developers, according to the DLL name and also PDB path found in old samples (Z:z_codeQ1ClientWin32ReleaseMainPlugin.pdb). It’s also worth mentioning that if defenders manage to obtain this last stage alone, it won’t run flawlessly since it requires its arguments to have been set up by Gelsenicine.
The config used by Gelsenicine contains a field named controller_version that we believe is the versioning used by the operators for this main plug-in. Figure 4 provides a timeline of the different versions we have observed in the wild; the dates are approximate.
Figure 4. Gelsevirine version timeline
During our investigation we encountered some interesting malware described in the following sections.
The Gelsemium biome is very interesting: it shows few victims (according to our telemetry) with a vast number of adaptable components. The plug-in system shows that its developers have deep C++ knowledge. Small similarities with known malware tools shed light on interesting, possible overlaps with other groups and past activities. We hope that this research will drive other researchers to publish about the group and reveal more roots related to this malware biosphere.
A full and comprehensive list of Indicators of Compromise (IoCs) and samples can be found in the full white paper and in our GitHub repository.
For any inquiries, or to make sample submissions related to the subject, contact us at threatintel@eset.com.

To learn more about how threat intelligence services can enhance the cybersecurity posture of your organization, visit the ESET Threat Intelligence page.

source

Article Categories:
Malware

Comments are closed.