Gelsemium APT Description
Gelsemium is an APT (Advanced Persistent Threat) group that has been active since at least 2014. The hackers have carried out multiple attack campaigns, predominantly against targets located in East Asia and the Middle East. Their potential victims span a wide range of verticals. So far, Gelsemium APT's victims include government agencies, electronics manufacturers, religious organizations, as well as several universities.
The Gelsemium APT group establishes a multi-stage attack chain for its operations. After breaching the targeted system, the hackers deploy a dropper malware named Gelsemine. The dropper is unusually large for this type of malware because it includes eight embedded executables. Gelsemine uses the extra size to accommodate a sophisticated mechanism that allows the threat actor to modify the behavior of the threat. The Gelsemium APT can adjust the dropper according to the architecture of the compromised system - either 32-bit or 64-bit - and according to whether the user has administrator privileges or not.
The next-stage threat is Gelsenicine, a loader. Its main task is to retrieve the main module, named Gelsevirine, and then execute it. The exact behavior of the loader is determined by several factors. If the victim has admin privileges, Gelsenicine will drop the corrupted DLL of the next-stage malware under C:\Windows\System32\spool\prtprocs\x64\winprint.dll. Without the necessary privileges, the loader will instead drop a chrome_elf.dll in the CommonAppData/Google/Chrome/Application/Library/ location.
Gelsevirine is the main plugin of the Gelsemium attack. It uses a complex setup for its communication with the Command-and-Control (C2, C&C) server. A specific embedded DLL acts as a man-in-the-middle when it comes to establishing contact. In addition, a config is tasked with handling the different protocols - tcp, udp, http, and https. Infosec researchers have observed Gelsevirine retrieve different plug-ins, including a compression-decompression module for C&C communication, a plug-in to manipulate the file system, and one that facilitates the injection of DLLs into select processes.
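The two Gelsenicine drop locations named above (the admin path under the print processor directory and the non-admin path under CommonAppData) are concrete enough to check in file-creation telemetry. The script below is an added defender's example and is not code from the original write-up or from the researchers who analyzed Gelsemium. It assumes that CommonAppData resolves to C:\ProgramData on a default Windows installation, and that the log events are simple dictionaries with a process name and a written path; the sample events are constructed, not real telemetry.

```python
"""Flag file-creation events at the Gelsenicine drop locations described above.

Constructed defender-side example: matches paths case-insensitively, accepts
forward or backward slashes, and reports which privilege variant a hit
corresponds to (admin vs. non-admin drop path).
"""
import re

# Admin drop path as given in the write-up (compared in lower case).
ADMIN_DROP = r"c:\windows\system32\spool\prtprocs\x64\winprint.dll"

# Non-admin drop path: CommonAppData + Google\Chrome\Application\Library\chrome_elf.dll.
# Assumption: CommonAppData is C:\ProgramData; the %...% placeholders are
# accepted as well for logs that leave environment variables unexpanded.
NON_ADMIN_SUFFIX = r"google\chrome\application\library\chrome_elf.dll"
COMMON_APPDATA_ROOTS = (r"c:\programdata", r"%commonappdata%", r"%programdata%")


def normalize(path: str) -> str:
    """Lower-case the path, convert '/' to '\\', and collapse repeated separators."""
    p = path.strip().replace("/", "\\").lower()
    return re.sub(r"\\+", r"\\", p)


def classify_drop(path: str):
    """Return 'admin', 'non-admin', or None for a written file path."""
    p = normalize(path)
    if p == ADMIN_DROP:
        return "admin"
    for root in COMMON_APPDATA_ROOTS:
        if p == root + "\\" + NON_ADMIN_SUFFIX:
            return "non-admin"
    return None


def scan_events(events):
    """events: iterable of dicts with 'proc' and 'path' keys (file-create log).

    Returns a list of (event, variant) tuples for events hitting a drop path.
    """
    hits = []
    for ev in events:
        variant = classify_drop(ev.get("path", ""))
        if variant:
            hits.append((ev, variant))
    return hits


# Constructed sample events (not real telemetry). The third entry is a
# legitimate-looking Chrome path that must NOT match the non-admin location.
SAMPLE_EVENTS = [
    {"proc": "svchost.exe", "path": r"C:\Windows\System32\spool\PRTPROCS\x64\winprint.dll"},
    {"proc": "explorer.exe", "path": r"C:\ProgramData/Google/Chrome/Application/Library/chrome_elf.dll"},
    {"proc": "chrome.exe", "path": r"C:\Program Files\Google\Chrome\Application\chrome_elf.dll"},
    {"proc": "notepad.exe", "path": r"C:\Users\alice\notes.txt"},
]

if __name__ == "__main__":
    for ev, variant in scan_events(SAMPLE_EVENTS):
        print(f"[{variant}] {ev['proc']} wrote {ev['path']}")
```

Run on the constructed sample, the script flags the first two events (admin and non-admin variants) and ignores the ordinary Chrome and user-document writes; feeding it real file-creation events from an EDR or Sysmon export only requires mapping their fields onto the proc and path keys.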
Additional Gelsemium Connections
Researchers managed to uncover certain links between the Gelsemium APT group and the supply-chain attack against BigNox. The hackers compromised the update mechanism of NoxPlayer, an Android emulator for PCs and Macs.
OwlProxy is a corrupted module that exhibits certain behavior also observed in the Gelsemium malware tools. More specifically, the threats use similar methods to test the Windows version on the compromised system. Another malware backdoor, named Chrommme, doesn't have the same obvious connections, but certain indicators point towards a link with Gelsemium. After all, both Chrommme and Gelsevirine use the same C&C server as one of the servers employed by the threats. Furthermore, a sample of Chrommme was discovered on a system that was also targeted by Gelsemium.