Gelsemium: When threat actors go gardening

ESET researchers shed light on new campaigns from the quiet Gelsemium group



In mid-2020, ESET researchers started to analyze multiple campaigns, later attributed to the Gelsemium group, and tracked down the earliest version of the malware going back to 2014. Victims of these campaigns are located in East Asia as well as the Middle East and include governments, religious organizations, electronics manufacturers and universities.


Key points in this report:


ESET researchers believe that Gelsemium is behind the supply-chain attack against BigNox that was previously reported as Operation NightScout
ESET researchers found a new version of Gelsemium, a complex and modular malware whose components are referred to below as Gelsemine, Gelsenicine and Gelsevirine
New targets were discovered that include governments, universities, electronics manufacturers and religious organizations in East Asia and the Middle East
Gelsemium is a cyberespionage group active since 2014

The geographical distribution of Gelsemium’s targets can be seen in Figure 1.



Figure 1. Targets’ locations



Gelsemium components


Gelsemium’s whole chain might appear simple at first sight, but the exhaustive configurations embedded at each stage modify the final payload’s settings on the fly, which makes the chain harder to understand. The behaviors analyzed below are tied to the configuration; as a result, filenames and paths may differ in other samples. Most of the campaigns we observed follow what we describe here.



Figure 2. Overview of the three components’ workflow



Gelsemine: The dropper


Gelsemium’s first stage is a large dropper written in C++ using the Microsoft Foundation Class libr ..