Gelsevirine is delivered to compromised machines by a mid-stage loader named Gelsenicine. Gelsevirine is the final-stage malware module deployed in attacks by the Gelsemium APT (Advanced Persistent Threat) group. The loader exists in two versions, and which one executes depends on whether the infected user has administrative privileges. If the victim has administrative privileges, Gelsevirine is dropped as C:\Windows\System32\spool\prtprocs\x64\winprint.dll; otherwise it is delivered as a DLL named chrome_elf.dll in the CommonAppData/Google/Chrome/Application/Library/ location.
Once deployed on the targeted system, Gelsevirine initiates a complex setup to reach and maintain communication with its Command-and-Control (C&C) server. First, it relies on an embedded DLL that acts as a man-in-the-middle. In addition, a separate configuration handles the supported transport protocols: tcp, udp, http and https.
Infosec researchers identified several plug-ins that Gelsevirine fetches and launches, each providing different functionality. The FxCoder plug-in is a compression/decompression tool that facilitates C&C communication. The Utility plug-in can manipulate the file system on the compromised device. The last observed plug-in, Inter, enables the injection of DLLs into chosen processes.
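As an added, defender-side example (not from the article or from any Gelsemium research), the following Python triages a constructed inventory of DLL paths against the two drop locations described above, treating the print-processor path differently because a legitimate winprint.dll normally lives there. The sample records, the signer field, and the assumption that Chrome never installs under CommonAppData\Google\Chrome\Application\Library are mine, not the article's.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Drop locations quoted in the article, lower-cased with backslashes for matching.
ADMIN_DROP = r"c:\windows\system32\spool\prtprocs\x64\winprint.dll"
USER_DROP_SUFFIX = r"\google\chrome\application\library\chrome_elf.dll"


@dataclass
class FileRecord:
    """One observed DLL: on-disk path and Authenticode signer (None if unsigned)."""
    path: str
    signer: Optional[str]


def normalise(path: str) -> str:
    return path.replace("/", "\\").lower()


def triage(record: FileRecord) -> Optional[str]:
    """Return a verdict for a record matching a Gelsevirine drop, else None."""
    p = normalise(record.path)
    if p == ADMIN_DROP:
        # The genuine Windows print processor winprint.dll lives at exactly this
        # path and is Microsoft-signed, so only an unsigned or foreign file is a hit.
        if record.signer is None or "microsoft" not in record.signer.lower():
            return "gelsevirine-admin-drop: untrusted winprint.dll in prtprocs\\x64"
        return None
    if p.endswith(USER_DROP_SUFFIX):
        # Assumption: Chrome installs under Program Files or %LOCALAPPDATA% and has
        # no Application\Library folder, so this location is anomalous by itself.
        return "gelsevirine-user-drop: chrome_elf.dll under CommonAppData"
    return None


def scan(records: List[FileRecord]) -> List[Tuple[str, str]]:
    """Run triage over a batch and return (path, verdict) for the hits only."""
    return [(r.path, v) for r in records if (v := triage(r)) is not None]


# Constructed sample inventory (not real telemetry): two benign, two matching the text.
SAMPLE_RECORDS = [
    FileRecord(r"C:\Windows\System32\spool\prtprocs\x64\winprint.dll", "Microsoft Windows"),
    FileRecord(r"C:\Program Files\Google\Chrome\Application\120.0.0.0\chrome_elf.dll", "Google LLC"),
    FileRecord(r"C:\Windows\System32\spool\prtprocs\x64\winprint.dll", None),
    FileRecord(r"C:\ProgramData\Google\Chrome\Application\Library\chrome_elf.dll", "Google LLC"),
]

if __name__ == "__main__":
    for path, verdict in scan(SAMPLE_RECORDS):
        print(f"{verdict}: {path}")
```

In a real deployment the signer would come from Authenticode verification of the file on disk, and a hash comparison against a known-good winprint.dll would tighten the admin-path check further.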