[BreachExchange] Gelsemium Hacker Group Attack Governments, Universities Using Various Hacking Tools

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Wed Jun 16 11:42:02 EDT 2021


https://gbhackers.com/gelsemium-hacker-group/

Cybersecurity researchers have been analyzing several campaigns since
2020, and during that investigation the ESET research team recently
uncovered details about the APT hacking group named Gelsemium.

This group is believed to be entangled in the supply chain attack that is
targeting the NoxPlayer Android emulator which was revealed earlier this
year.

The hackers used a wide range of malware in this attack, including a
custom-built implant called Gelsevirine.

The Gelsemium APT group has also been behind various attacks against
targets in the Middle East and Eastern Asia; the most notable of these
targets is BigNox.

Gelsemium elements

At first the researchers thought that Gelsemium's whole chain was quite
simple, but they later found that it has an exhaustive configuration.

After a thorough investigation, the experts confirmed that the hackers
have embedded configuration at every stage.

To make the attack harder for researchers to understand, the hackers also
modify settings for the final payload on the fly. The experts identified
the following elements in this attack:

   - Gelsemine: The dropper
   - Gelsenicine: The loader
   - Gelsevirine: The main plug-in

Gelsemine: According to the experts, this element is the initial stage of
the attack. It is written in C++ and embeds the binaries of the later
stages. Because embedding those stages makes the dropper large, the
developers use the Zlib library to compress them and reduce the overall
size of the dropper.
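A dropper that carries its later stages as zlib-compressed blobs leaves a recognizable trace: a zlib header followed by a stream that inflates cleanly to a complete Adler-32 trailer. The following Python is an added triage example, not code from the article or from ESET, that scans an arbitrary file for embedded zlib streams and reports where they sit, how large they inflate to, and whether the inflated data starts with a PE "MZ" header. The dropper blob it scans is constructed inline so the script runs offline; it is not a real Gelsemium sample.

```python
import zlib

# Constructed sample (not a real Gelsemium artifact): a stand-in "dropper" that
# carries one zlib-compressed next-stage binary between a header and a trailer.
DROPPER_PREFIX = b"MZ" + b"constructed dropper header " * 4
TRAILER = b" trailing bytes"

def build_sample_dropper():
    """Return (dropper_blob, plaintext_stage) for the constructed sample."""
    stage = b"MZ" + b"\x00" * 30 + b"constructed next-stage payload, not real malware"
    return DROPPER_PREFIX + zlib.compress(stage, 9) + TRAILER, stage

# Two-byte zlib headers for the common compression levels (CMF 0x78 = deflate
# with a 32 KiB window; FLG values without the preset-dictionary bit).
ZLIB_HEADERS = (b"\x78\x01", b"\x78\x5e", b"\x78\x9c", b"\x78\xda")

def find_zlib_streams(blob, min_size=16):
    """Locate complete zlib streams embedded anywhere in blob.

    Each candidate header is inflated with a fresh decompressor; a hit counts
    only if the stream ends cleanly (valid Adler-32 trailer) and inflates to at
    least min_size bytes, which filters out accidental header-like byte pairs.
    """
    hits = []
    for offset in range(len(blob) - 1):
        if blob[offset:offset + 2] not in ZLIB_HEADERS:
            continue
        d = zlib.decompressobj()
        try:
            inflated = d.decompress(blob[offset:])
        except zlib.error:
            continue  # not a real stream, or truncated / corrupt
        if not d.eof or len(inflated) < min_size:
            continue
        # Bytes after the stream's end land in unused_data, so the stream's
        # own length is everything from the header up to that remainder.
        compressed_len = len(blob) - offset - len(d.unused_data)
        hits.append({
            "offset": offset,
            "compressed_len": compressed_len,
            "inflated_len": len(inflated),
            "looks_like_pe": inflated[:2] == b"MZ",
            "data": inflated,
        })
    return hits

if __name__ == "__main__":
    blob, _ = build_sample_dropper()
    for hit in find_zlib_streams(blob):
        print(f"zlib stream at 0x{hit['offset']:x}: {hit['compressed_len']} -> "
              f"{hit['inflated_len']} bytes, PE header: {hit['looks_like_pe']}")
```

In practice the inflated hits are written to disk and hashed so each embedded stage can be triaged on its own; the header list only covers streams with the default 32 KiB window, so a sample using raw deflate or a non-standard CMF byte needs the candidate set widened.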

Gelsenicine: This is the loader; it retrieves Gelsevirine, the third
element, and executes it. The hackers use two versions of the loader in
this attack, both of which are DLLs.

Gelsevirine: The last element, Gelsevirine, is also known as MainPlugin.
This final stage is set up by Gelsenicine, since it needs arguments in
order to run and will not work correctly on its own.

Targets

According to past reports, the Gelsemium APT group has attacked a small
number of targets, as it is involved in cyberespionage.

However, in the current attack, the threat actors of this group have
targeted a large number of victims, such as governmental institutions,
electronics manufacturers, universities, and even religious organizations
in Eastern Asia and the Middle East.

Tools used

   - Operation NightScout
   - OwlProxy
   - Chrommme

The security analysts also found that this APT group's attack vectors
include phishing emails carrying a malicious attachment in the form of a
Microsoft Office document.

This malicious attachment exploits CVE-2012-0158, a vulnerability that
enables remote code execution. The tool Operation NightScout has affected
a small number of targets in Taiwan, Hong Kong, and Sri Lanka.