Elusive Gelsemium Hackers Uncovered in Attack on Asian Government

A highly covert and persistent threat group, known as Gelsemium, has come to light following an extensive cyber attack targeting a Southeast Asian government, spanning a six-month period from 2022 to 2023.

Gelsemium, which has been active since 2014, specializes in cyber espionage and has historically focused its efforts on government entities, educational institutions, and electronic manufacturers in East Asia and the Middle East.

In a 2021 report, ESET described this threat group as “stealthy,” highlighting the technical prowess and programming acumen that have allowed it to remain largely undetected for several years.

A recent report from Palo Alto Networks’ Unit 42 delves into a new campaign that it attributes to Gelsemium with moderate confidence, shedding light on rarely seen backdoors associated with these threat actors.

The initial compromise by Gelsemium involved the installation of web shells, most likely achieved through the exploitation of vulnerabilities in internet-facing servers.

Unit 42 identified the deployment of ‘reGeorg,’ ‘China Chopper,’ and ‘AspxSpy’ web shells, which are publicly accessible and employed by multiple threat groups, making attribution a challenging task.

Using these web shells, Gelsemium conducted basic network reconnaissance, lateral movement via SMB, and fetched additional payloads.

These additional tools, aiding in lateral movement, data acquisition, and privilege escalation, encompass OwlProxy, SessionManager, Cobalt Strike, SpoolFool, and EarthWorm.

Cobalt Strike is a widely used penetration testing suite, EarthWorm is a publicly available SOCKS tunneler, and SpoolFool is an open-source local privilege escalation tool; none of them is exclusive to Gelsemium.

However, OwlProxy stands out as a unique, custom HTTP proxy and backdoor tool that Unit 42 has previously linked to Gelsemium in an attack targeting the Taiwanese government.

In the latest campaign, the threat actors ran an executable that wrote an embedded DLL (wmipd.dll) to the compromised system’s disk and created a service to run it.

This DLL is a variant of OwlProxy, creating an HTTP service that monitors incoming requests for specific URL patterns concealing commands.

Researchers noted that security products on the targeted system blocked OwlProxy from running, prompting the attackers to fall back on EarthWorm.

Another custom implant associated with Gelsemium is SessionManager, an IIS backdoor previously linked to the threat group by Kaspersky in the summer of last year.

The sample identified in the recent attack monitored incoming HTTP requests, specifically seeking a particular Cookie field containing commands for execution on the host.

These commands ranged from file uploads/downloads to and from the C2 server, command execution, app launching, and proxying connections to other systems.
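Both implants described above turn ordinary-looking HTTP traffic into a command channel: OwlProxy watches for particular URL patterns, and SessionManager reads commands out of a Cookie field. A defender reviewing IIS logs can look for the side effects of that design rather than for the implants' exact strings. The following is an added example, not code from the Unit 42 report or from this article: it parses constructed IIS W3C log lines and flags requests to script files outside a known-page allowlist (where a dropped web shell would show up) and requests whose Cookie header is oversized or carries a long encoded blob. The field names, thresholds, allowlist, sample log lines and the encoded value are all constructed for illustration; the real implants' URL patterns and cookie names are not on the page and are not guessed here. It also assumes cs(Cookie) logging has been enabled on the server, which IIS does not do by default.

```python
"""
Added example (not from the Unit 42 report or this article): an offline review
of IIS W3C log lines for the two command channels described above, commands
hidden in the request URL (OwlProxy-style) and commands carried in a Cookie
header (SessionManager-style). Everything below is constructed for illustration.
"""
import base64
import re
from collections import Counter

# Constructed heuristics: tune them against your own application's baseline.
MAX_COOKIE_LEN = 256                                   # normal session cookies are far shorter
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")  # a long encoded blob
KNOWN_PAGES = {"/", "/index.aspx", "/login.aspx", "/api/status"}  # pages the app really serves
SCRIPT_EXT = (".aspx", ".ashx", ".asmx", ".php", ".jsp")

# Constructed sample log in IIS W3C format with cs(Cookie) logging enabled
# (it is off by default). IIS writes '-' for an empty field and '+' for spaces.
ENCODED_COMMAND = base64.b64encode(b"constructed-example-command-payload" * 2).decode()
SAMPLE_LOG = f"""#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(Cookie) sc-status
2023-03-01 10:00:00 GET /index.aspx - 10.0.0.5 ASP.NET_SessionId=abc123 200
2023-03-01 10:00:05 POST /login.aspx - 10.0.0.5 ASP.NET_SessionId=abc123 302
2023-03-01 10:01:10 POST /upload/tmp1.aspx - 198.51.100.7 - 200
2023-03-01 10:02:00 GET /index.aspx - 198.51.100.7 ASP.NET_SessionId=abc123;+x={ENCODED_COMMAND} 200
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # malformed line or missing header: skip rather than guess
        yield dict(zip(fields, values))


def review_request(rec):
    """Return the list of heuristic reasons a single request deserves analyst attention."""
    reasons = []
    stem = rec.get("cs-uri-stem", "").lower()
    cookie = rec.get("cs(Cookie)", "-")
    # A server-side script that the application does not normally serve is where
    # a dropped web shell or a proxying backdoor endpoint would appear.
    if stem.endswith(SCRIPT_EXT) and stem not in KNOWN_PAGES:
        reasons.append("script outside known application pages")
    # Commands smuggled in a Cookie field make the header unusually long or
    # give it an encoded blob that a real session cookie would not carry.
    if cookie != "-":
        if len(cookie) > MAX_COOKIE_LEN:
            reasons.append("oversized cookie header")
        if BASE64_RUN.search(cookie):
            reasons.append("long encoded blob in cookie")
    return reasons


def review_log(text):
    """Return (c-ip, cs-uri-stem, reasons) for every request that trips a heuristic."""
    findings = []
    for rec in parse_w3c(text):
        reasons = review_request(rec)
        if reasons:
            findings.append((rec["c-ip"], rec["cs-uri-stem"], reasons))
    return findings


def clients_by_finding_count(findings):
    """Rank source addresses by how many flagged requests they made."""
    return Counter(ip for ip, _, _ in findings).most_common()


if __name__ == "__main__":
    results = review_log(SAMPLE_LOG)
    for ip, stem, reasons in results:
        print(f"{ip:15} {stem:20} {'; '.join(reasons)}")
    print(clients_by_finding_count(results))
```

On the constructed sample, the two requests from 198.51.100.7 are flagged (an unknown script under /upload/ and an index.aspx request whose cookie carries a 96-character encoded value) while the two ordinary session requests from 10.0.0.5 are not. The allowlist is the part that needs real care: it must be built from the application's actual pages, and a legitimately deployed page that is missing from it will be reported until the list is updated.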

The inclusion of proxy functionality in OwlProxy and SessionManager suggests the threat actors’ intent to leverage the compromised server as a gateway for communication with other systems within the target network.

In conclusion, Unit 42 emphasizes the resilience of Gelsemium, with the threat actors demonstrating adaptability by introducing multiple tools and adjusting their tactics even when some of their backdoors were thwarted by security solutions.