A stealthy advanced persistent threat (APT) actor known as Gelsemium has been observed targeting a government entity in Southeast Asia to establish persistence and collect intelligence, cybersecurity firm Palo Alto Networks reveals.
As part of the observed activity, which spanned roughly six months in late 2022 and into 2023, the threat actor deployed a variety of web shells to support lateral movement and malware delivery, along with backdoors, a Cobalt Strike beacon, and various other tools.
Palo Alto Networks did not make any claims regarding attribution, but noted that others linked Gelsemium to China in the past.
The cybersecurity firm identified three publicly available web shells used in these attacks, namely reGeorg, China Chopper, and AspxSpy. In some instances, the threat actor also deployed a shell-like tool to run additional commands, as well as several privilege escalation tools.
Next, malware such as OwlProxy, SessionManager, a Cobalt Strike beacon, SpoolFool, and EarthWorm was deployed to ensure persistence in the compromised environment. To check whether systems had internet connectivity, the attackers pinged a known Chinese web portal.
SessionManager is a custom backdoor for Internet Information Services (IIS) that allows attackers to run commands, download and upload files, and use the web server as a proxy, based on commands received via inbound HTTP requests.
As part of the observed activity, Gelsemium unsuccessfully attempted to deploy SessionManager on the victim's network, Palo Alto Networks says.
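IIS backdoors of the SessionManager kind run inside the web server process, so a natural defender-side check is to inventory the native modules IIS is configured to load. The script below is an added example, not code from the Palo Alto Networks report; it parses a constructed applicationHost.config fragment and flags any globalModules entry whose image path lies outside the standard inetsrv directory (the "anything outside inetsrv deserves review" heuristic is an assumption of this example, and the "SessionMgr" entry is invented, not a real indicator).

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of the <globalModules> section of an IIS applicationHost.config.
# The "SessionMgr" entry is made up for this example and is NOT a real indicator.
SAMPLE_CONFIG = """<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\\System32\\inetsrv\\loghttp.dll" />
      <add name="StaticFileModule" image="%windir%\\System32\\inetsrv\\static.dll" />
      <add name="SessionMgr" image="C:\\Windows\\Temp\\sessmgr.dll" />
      <add name="CachingModule" image="C:\\WINDOWS\\system32\\inetsrv\\cachhttp.dll" />
    </globalModules>
  </system.webServer>
</configuration>"""

# Heuristic (an assumption of this example): stock IIS native modules live under
# %SystemRoot%\System32\inetsrv; a module registered from anywhere else needs review.
TRUSTED_DIR = r"c:\windows\system32\inetsrv"


def normalise(image):
    """Expand %windir%/%SystemRoot%, unify slashes and lower-case for comparison."""
    expanded = re.sub(r"%(windir|systemroot)%", r"C:\\Windows", image, flags=re.IGNORECASE)
    return expanded.replace("/", "\\").lower()


def suspicious_global_modules(config_xml):
    """Return (name, image) pairs for globalModules entries loaded from outside inetsrv."""
    root = ET.fromstring(config_xml)
    hits = []
    for global_modules in root.iter("globalModules"):
        for add in global_modules.findall("add"):
            image = add.get("image")
            if image is None:
                continue
            if not normalise(image).startswith(TRUSTED_DIR + "\\"):
                hits.append((add.get("name"), image))
    return hits


if __name__ == "__main__":
    for name, image in suspicious_global_modules(SAMPLE_CONFIG):
        print(f"review: native module {name!r} is loaded from {image}")
```

On a live server the same function can be pointed at %windir%\System32\inetsrv\config\applicationHost.config; a hit is a starting point for checking the DLL's signature and origin, not proof of compromise.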
Another custom tool, OwlProxy, is an HTTP proxy with backdoor functionality that was previously used in attacks targeting governments in East Asia and the Middle East.
During the observed attack, after OwlProxy's deployment was blocked, the attackers attempted to use a replacement tool called EarthWorm, a publicly available SOCKS tunneler used by various Chinese threat actors in malicious attacks.
Gelsemium deployed EarthWorm to create a tunnel between their command-and-control (C&C) server and the local area network.
For privilege escalation, the attackers used the Potato Suite (which includes the JuicyPotato, BadPotato, and SweetPotato tools), along with SpoolFool, a publicly available proof-of-concept (PoC) exploit targeting CVE-2022-21999 (a Windows Print Spooler bug).
Based on the unique combination of malware used in these attacks, such as SessionManager and OwlProxy, Palo Alto Networks believes that the observed activity can be attributed to the Gelsemium APT group.
Active since at least 2014, the group is known for targeting education, government, electronics manufacturers, and religious organizations, mainly in East Asia and the Middle East. The APT has also been seen targeting Southeast Asian governments.