A sophisticated new variant of the FireWood backdoor has emerged, targeting Linux systems with enhanced evasion capabilities and streamlined command execution functionality.
This latest iteration represents a significant evolution of the malware family first discovered by ESET’s research team, which has been linked to the long-running “Project Wood” malware lineage dating back to at least 2005.
The FireWood backdoor operates as a remote access trojan (RAT) specifically designed for Linux environments, employing kernel-level rootkit modules and TEA-based encryption to maintain stealth and establish persistent command-and-control communications.
Once deployed, typically through web shells planted on compromised Linux desktops, the malware enables attackers to execute arbitrary commands, harvest sensitive system information and credentials, and conduct prolonged espionage operations while remaining largely undetected.
Intezer researchers identified this new variant with the SHA256 hash 898a5bd86c5d99eb70088a90f1d8f90b03bd38c15a232200538d0601c888acb6, noting significant architectural changes from previous versions.
The malware maintains low confidence connections to the China-aligned Gelsemium APT group, though these overlaps may reflect shared toolsets across multiple threat actors rather than definitive attribution.
The updated variant demonstrates notable modifications in its initialization and networking protocols.
Unlike earlier versions that implemented explicit permission gates through CUser::IsSuc() calls, the new iteration removes this early check entirely, instead deferring root-or-kernel validation until after daemonization and PID storage.
This architectural shift splits the former SavePidAndCheckKernel() function into discrete components: an initial SavePid(pid) operation followed by CModuleControl::AutoLoad() and CheckLkmLoad() functions.
Enhanced Communication Protocol and System Reconnaissance
The malware’s networking implementation represents a significant departure from its predecessor’s complex timing mechanisms.
New evasion implementation and comparison of main functions (Source – Intezer)
While older variants employed sophisticated randomized time-window algorithms with configurable beacon intervals and delay parameters, the new version adopts a simplified approach using a continuous while (true) loop structure.
After the configured startup delay, the malware persistently attempts C2 connections through ConnectToSvr() calls, implementing brief sleep intervals upon failure until successful connection establishment or timer expiration.
For system reconnaissance, the updated variant enhances OS detection capabilities by implementing a fallback mechanism.
When the primary /etc/issue file proves unavailable, the malware automatically attempts to read distribution information from /etc/issue.net, maintaining consistent parsing methodologies across both sources.
This redundancy ensures reliable system fingerprinting regardless of target configuration variations.
Boost your SOC and help your team protect your business with free top-notch threat intelligence: Request TI Lookup Premium Trial.
Source: cybersecuritynews.com
