Emergence of Gelsemium: A New Player in Supply Chain Cyberattacks
A formidable new cyber espionage group, known as Gelsemium, has recently come under scrutiny following its association with a supply chain attack targeting the NoxPlayer Android emulator. The campaign was first disclosed earlier this year and has raised significant concern within the cybersecurity community. A detailed investigation indicates that Gelsemium’s operations date back as far as 2014, under the codename “Operation TooHash,” with its malware payloads appearing in multiple intrusions since then.
Victims of these sophisticated attacks span various sectors, predominantly in East Asia and the Middle East, impacting governments, religious entities, electronics manufacturers, and academic institutions. Analysts from cybersecurity firm ESET highlighted the widespread nature of this threat in a report published last week, underscoring the group’s capacity to infiltrate diverse organizations.
At first glance, Gelsemium’s attack methodology may appear uncomplicated. However, a thorough examination reveals that the intricate configurations employed at each stage of the attack obfuscate the final payload, complicating detection efforts. The group’s targeted nations include China, Mongolia, North and South Korea, Japan, Turkey, Iran, Iraq, Saudi Arabia, Syria, and Egypt, illustrating a broad geographical scope.
Since its inception in the mid-2010s, Gelsemium has demonstrated a penchant for leveraging a variety of malware delivery mechanisms. These range from spear-phishing tactics exploiting Microsoft Office vulnerabilities, such as CVE-2012-0158, to more complex strategies like exploiting remote code execution flaws in Microsoft Exchange Server, notably CVE-2020-0688. The group is also known to deploy the China Chopper web shell, a notorious tool among cybercriminals.
ESET’s analysis indicates that Gelsemium’s initial stage involves a C++ dropper named “Gelsemine.” This component deploys a loader known as “Gelsenicine,” which subsequently retrieves the main malware, “Gelsevirine.” This payload is adept at loading additional plugins from a command-and-control (C2) server, enhancing the group’s operational flexibility.
The group has been implicated in a targeted supply chain attack against BigNox’s NoxPlayer in an operation named “Operation NightScout.” The attackers compromised the software’s update mechanism to deliver backdoors such as Gh0st RAT and PoisonIvy RAT, giving them the ability to steal sensitive information and log keystrokes. ESET researchers noted a concerning similarity between the tampered versions of NoxPlayer and the malware attributed to Gelsemium.
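The weak point exploited in Operation NightScout was the update channel itself: a client that trusts whatever the update server hands it will install a tampered package. The defensive counterpart is to pin the publisher's signing key in the client and accept a package only when a signed manifest vouches for its digest. The following Go program is an added example written for this article; it is not BigNox's update code, not ESET's, and not anything Gelsemium used. The product name, manifest layout, and package bytes are constructed placeholders, and the key pair is generated on the spot rather than pinned from a real vendor.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the hypothetical signed metadata an update server publishes
// alongside each package. The client trusts only what the manifest says,
// and only after the manifest's signature verifies under the pinned key.
type Manifest struct {
	Product string `json:"product"`
	Version string `json:"version"`
	SHA256  string `json:"sha256"` // hex digest of the package bytes
}

// BuildManifest computes the digest the publisher commits to.
func BuildManifest(product, version string, pkg []byte) Manifest {
	sum := sha256.Sum256(pkg)
	return Manifest{Product: product, Version: version, SHA256: hex.EncodeToString(sum[:])}
}

// SignManifest serialises the manifest and signs the exact bytes that will
// be shipped, so the client verifies what it receives, not a re-encoding.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (manifestJSON, sig []byte, err error) {
	manifestJSON, err = json.Marshal(m)
	if err != nil {
		return nil, nil, err
	}
	return manifestJSON, ed25519.Sign(priv, manifestJSON), nil
}

// VerifyUpdate is the client-side gate: check the signature first, then the
// product name, then the package digest. Any failure means "do not install".
func VerifyUpdate(pub ed25519.PublicKey, manifestJSON, sig, pkg []byte, wantProduct string) (Manifest, error) {
	var m Manifest
	if !ed25519.Verify(pub, manifestJSON, sig) {
		return m, errors.New("manifest signature invalid: refusing update")
	}
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return m, fmt.Errorf("manifest unparsable: %w", err)
	}
	if m.Product != wantProduct {
		return m, fmt.Errorf("manifest is for %q, not %q", m.Product, wantProduct)
	}
	want, err := hex.DecodeString(m.SHA256)
	if err != nil || len(want) != sha256.Size {
		return m, errors.New("manifest digest malformed")
	}
	got := sha256.Sum256(pkg)
	if subtle.ConstantTimeCompare(got[:], want) != 1 {
		return m, errors.New("package digest mismatch: package altered after signing")
	}
	return m, nil
}

func main() {
	// Publisher key pair (constructed for this demo); a real client pins pub.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	pkg := []byte("constructed stand-in for an installer blob, version 1.2.3")
	manifestJSON, sig, err := SignManifest(priv, BuildManifest("ExampleEmulator", "1.2.3", pkg))
	if err != nil {
		panic(err)
	}
	if m, err := VerifyUpdate(pub, manifestJSON, sig, pkg, "ExampleEmulator"); err == nil {
		fmt.Println("genuine update accepted:", m.Version)
	}
	// An attacker who controls the update server can swap the package bytes,
	// but cannot forge a signature over a new digest without priv.
	tampered := append([]byte{}, pkg...)
	tampered[0] ^= 0xFF
	if _, err := VerifyUpdate(pub, manifestJSON, sig, tampered, "ExampleEmulator"); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

The ordering matters: the signature is checked over the raw manifest bytes before anything is parsed, so a server that has been taken over cannot feed the client a crafted manifest at all, and the digest comparison is constant-time so the check does not leak how many bytes matched. This only moves the trust boundary to the signing key; protecting that key at the publisher is a separate problem.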
Furthermore, another backdoor called “Chrommme” was discovered on a separate organization’s machines, also compromised by Gelsemium. This backdoor utilized the same C2 infrastructure as Gelsevirine, suggesting that the group may be consolidating its attack vectors within a shared operational framework.
ESET analysts concluded their report by emphasizing the peculiar nature of the Gelsemium biome, characterized by a limited number of victims paired with an extensive array of adaptable components. The innovative plugin system suggests a high level of expertise among the group’s developers, particularly in C++.
For organizations, this evolving threat landscape necessitates heightened vigilance. Mapping observed behaviour to the MITRE ATT&CK Matrix helps defenders recognize the initial access and persistence techniques that are central to Gelsemium’s methodology. As these threats evolve, businesses must prioritize robust cybersecurity measures to protect against sophisticated actors like Gelsemium, who are increasingly targeting critical infrastructure across the globe.