Cyberwarfare APT Gelsemium Targets Southeast Asian Government
Cybersecurity firm Palo Alto Networks has revealed that a stealthy advanced persistent threat (APT) known as Gelsemium has been targeting a government entity in Southeast Asia. The attacks, which spanned over a six-month period in late 2022 and into 2023, involved the deployment of web shells, backdoors, a Cobalt Strike beacon, and other tools to establish persistence and collect intelligence.
Palo Alto Networks has not made any definitive claims regarding attribution, but others have previously linked Gelsemium to China. The APT group was observed using three web shells – reGeorg, China Chopper, and AspxSpy – which were used for lateral movement and malware delivery. In addition to the web shells, the attackers also deployed a shell-like tool, several privilege escalation tools, and a variety of malware including OwlProxy, SessionManager, Cobalt Strike beacon, SpoolFool, and EarthWorm.
Web Shell Deployments and Malware Persistence
The three web shells used by Gelsemium – reGeorg, China Chopper, and AspxSpy – are publicly available tools that the attackers used to support lateral movement and to deliver malware. The attackers also used a shell-like tool to run additional commands and several privilege escalation tools to gain further access to the compromised environment.
To ensure persistence in the compromised environment, Gelsemium deployed malware such as OwlProxy, SessionManager, a Cobalt Strike beacon, SpoolFool, and EarthWorm. SessionManager, a custom backdoor for Internet Information Services (IIS), allows attackers to run commands, download and upload files, and use the web server as a proxy based on commands received via inbound HTTP requests. The attackers attempted to deploy SessionManager on the victim’s network but were unsuccessful.
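Web shells and HTTP-driven backdoors of the kind described above leave traces in IIS request logs. The following is an added example (not code from the article or from Palo Alto Networks) of a triage script over constructed IIS W3C log lines; the two heuristics it applies, repeated referer-less POSTs to one server-side script and a reGeorg-style `cmd=connect` query naming an inner host and port, are illustrative assumptions rather than signatures taken from the report.

```python
from collections import Counter
from urllib.parse import parse_qs
SCRIPT_EXT = (".aspx", ".ashx", ".asmx", ".php", ".jsp")

# Constructed IIS W3C log excerpt (default field set; all values are made up).
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2023-02-01 10:00:01 10.0.0.5 GET /index.aspx - 443 - 203.0.113.7 Mozilla/5.0+(Windows) https://portal.example/ 200 0 0 120
2023-02-01 10:00:02 10.0.0.5 GET /images/logo.png - 443 - 203.0.113.7 Mozilla/5.0+(Windows) https://portal.example/index.aspx 200 0 0 15
2023-02-01 10:01:10 10.0.0.5 POST /uploads/tmp.aspx - 443 - 198.51.100.9 Mozilla/4.0 - 200 0 0 80
2023-02-01 10:01:11 10.0.0.5 POST /uploads/tmp.aspx - 443 - 198.51.100.9 Mozilla/4.0 - 200 0 0 75
2023-02-01 10:01:12 10.0.0.5 POST /uploads/tmp.aspx - 443 - 198.51.100.9 Mozilla/4.0 - 200 0 0 70
2023-02-01 10:02:00 10.0.0.5 GET /uploads/tmp.aspx cmd=connect&target=10.0.0.12&port=445 443 - 198.51.100.9 Mozilla/4.0 - 200 0 0 30
"""

def parse_iis_log(text):
    """Parse IIS W3C log text into dicts keyed by the names in the #Fields directive."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # field names follow the directive
        elif line.startswith("#") or not line.strip() or fields is None:
            continue                           # other directives, blanks, or no header yet
        else:
            values = line.split()
            if len(values) == len(fields):     # skip malformed lines rather than crash
                records.append(dict(zip(fields, values)))
    return records

def find_webshell_candidates(records, post_threshold=3):
    """Flag repeated referer-less POSTs to one script from one client (command-style
    web shell pattern) and reGeorg-style tunnel setup naming an inner host and port."""
    findings, posts = [], Counter()
    for r in records:
        path = r["cs-uri-stem"].lower()
        if not path.endswith(SCRIPT_EXT):
            continue
        if r["cs-method"] == "POST" and r["cs(Referer)"] == "-":
            posts[(r["c-ip"], path)] += 1
        q = parse_qs(r["cs-uri-query"]) if r["cs-uri-query"] != "-" else {}
        if q.get("cmd", [""])[0].lower() == "connect" and "target" in q and "port" in q:
            findings.append({"rule": "tunnel_connect", "client": r["c-ip"], "path": path,
                             "target": f'{q["target"][0]}:{q["port"][0]}'})
    for (client, path), n in posts.items():
        if n >= post_threshold:
            findings.append({"rule": "repeated_post_no_referer", "client": client, "path": path, "count": n})
    return findings

print(find_webshell_candidates(parse_iis_log(SAMPLE_LOG)))
```

Both findings point at the same client and script path, which is the kind of correlation that should trigger a review of the file on disk and of the IIS module list. The thresholds and query keys are tuning parameters to adjust against a baseline of the site's legitimate traffic.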
OwlProxy, EarthWorm, and Privilege Escalation
OwlProxy, another custom tool used by Gelsemium, is an HTTP proxy with backdoor functionality. After its deployment was blocked, the attackers attempted to use EarthWorm, a publicly available SOCKS tunneler used by various Chinese threat actors in malicious attacks. EarthWorm was deployed to create a tunnel between the attackers’ command-and-control (C&C) server and the local area network.
For privilege escalation, Gelsemium used the Potato Suite, which includes tools like JuicyPotato, BadPotato, and SweetPotato, as well as SpoolFool, a publicly available proof-of-concept exploit targeting CVE-2022-21999, a Windows Print Spooler bug. The combination of malware used in these attacks, including SessionManager and OwlProxy, suggests that the observed activity can be attributed to the Gelsemium APT group.
The Gelsemium APT: Targeting East Asia and the Middle East
The Gelsemium APT group has been active since at least 2014 and is known for targeting a range of organizations, including education, government, electronics manufacturers, and religious organizations primarily in East Asia and the Middle East. The recent observation of Gelsemium targeting a government entity in Southeast Asia expands the group’s geographic reach.
Analysis and Implications
The targeting of a government entity by the Gelsemium APT highlights the continued threat of cyberespionage and the sophistication of advanced persistent threats. The use of web shells, backdoors, and other tools demonstrates the attackers’ ability to maintain persistence within compromised environments for extended periods.
The variety of malware deployed by Gelsemium, including SessionManager, OwlProxy, and EarthWorm, suggests that the APT group employs multiple techniques to achieve its objectives. The use of custom tools and publicly available exploits allows the attackers to adapt their tactics based on the target environment and the effectiveness of certain tools.
The Dangers of Cyberwarfare
The Gelsemium APT’s activity serves as a reminder of the ongoing threat posed by cyberwarfare. Nation-states and other threat actors can exploit vulnerabilities in government infrastructure for intelligence collection, espionage, or disruption of critical services. The increasing sophistication of these actors necessitates constant vigilance and investment in robust cybersecurity measures to mitigate the risk of cyber attacks.
Addressing Cybersecurity Challenges
To effectively defend against APTs like Gelsemium, governments and organizations must prioritize cybersecurity measures. This includes implementing multi-layered defense systems, conducting regular security assessments, patching vulnerabilities promptly, and training employees on best practices for internet and email security.
Collaboration between governments, cybersecurity firms, and international organizations is also essential in sharing threat intelligence, developing comprehensive incident response plans, and coordinating efforts to combat cyber threats. Furthermore, investment in research and development for advanced detection and mitigation technologies is crucial to stay one step ahead of cyber adversaries.
Conclusion
The Gelsemium APT’s targeting of a government entity in Southeast Asia underscores the ongoing threat posed by cyberwarfare and the need for robust cybersecurity measures. As nation-states and other threat actors continue to evolve their tactics, it is imperative that governments and organizations remain vigilant and invest in comprehensive cybersecurity strategies to protect sensitive data and critical infrastructure.