Seems like their malware relies on a couple of things:

- intended target is KDE and GNOME

- privilege escalation through LD_PRELOAD hooking from userland via open, stat, readdir access (of any other program that the user executes, see down below)

- persistence through display manager config for KDE

- persistence through desktop autostart files for GNOME

- fallback persistence through .bashrc, profile or profile.sh in /etc

- installs trojanized ssh client version

- installs a JSP webshell

- sideloads kernel module as libselinux.so and .ko module. Probably the rootkit helpers to access them from userland

Despite the snarky comments in here, this malware is actually quite sophisticated.

If you don't agree, I challenge you now to measure the time it takes for you to find all .so files on your system that are loaded right now, and have been modified since your package manager installed them.

My point being that there is no EDR on Linux that catches this (apart from ours that's WIP), because all existing tools are just checking for windows malware hashes (not even symbols) as they're intended for linux fileservers.

These things always get really cool names, like "Wolfsbane" and "firewood". makes me want to make some malware to see what cool name security researchers give it lol

For signs of the analyzed version, there's this file:

/lib/systemd/system/display-managerd.service

And a process called "kde".

If I am skimming this correctly, this is a C&C client allowing remote control over the network, and uses "a rootkit" for further compromise once it somehow gets installed?

I understand the value of in-depth security reports, but the 5th time they told me "WolfsBane is the Linux counterpart of Gelsevirine, while FireWood is connected to Project Wood." I was wondering when I'd get to the meat and potatoes.

> The FireWood backdoor, in a file named dbus, is the Linux OS continuation of the Project Wood malware... > The analyzed code suggests that the file usbdev.ko is a kernel driver module working as a rootkit to hide processes.

Where is the backdoor coming from? If there's a backdoor, something is backdoored. An unknown exploit installing a rootkit and using a modified file, like usbdev.ko, is not a backdoor.

Which pakage / OS ships with the backdoor?

Or doesn't the author of TFA know the definition of a backdoor? Or is it me? I mean, to me the XZ utils exploit attempt was a backdoor (for example). But I see nothing here indicating the exploit they're talking about is a backdoor.

It reads like they classify anything opening ports and trying to evade detection as "backdoors".

Am I going nuts?