1. Executive Summary
- Intezer’s research team has uncovered a new, stealthy variant of the FireWood backdoor targeting Linux systems, surfacing on August 13–14, 2025.
- This RAT leverages kernel-level rootkits and TEA-based encryption to maintain a hidden presence on compromised systems, while executing arbitrary commands and quietly exfiltrating sensitive data.
- Attribution to the Gelsemium APT group remains low confidence, reflecting code overlaps with historical “Project Wood” malware.
2. Technical Deep Dive: What’s New in This Variant
- Streamlined Initialization Flow: The new variant removes the early `CUser::IsSuc()` permission check and splits the old `SavePidAndCheckKernel()` into two discrete stages: `SavePid(pid)` first, followed by a delayed `CModuleControl::AutoLoad()` and `CheckLkmLoad()`, increasing stealth and control.
- Lean Command-and-Control (C2): Abandoning phased beaconing and random delays, this variant loops continuously via a `while (true)` cycle, invoking `ConnectToSvr()` until successful, a more predictable but reliable C2 approach.
- Enhanced System Fingerprinting: Upon failing to read `/etc/issue`, the backdoor now falls back to `/etc/issue.net`, ensuring consistent OS detection across varied Linux setups.
- New Command Set:
  - Dropped: beacon interval and file-read commands (IDs 0x111, 0x113, 0x114, 0x201)
  - Moved: process module command from 0x112 to 0x202
  - Added: `SetAutoKillEl` (ID 0x160) for auto-kill control
  - Newly identified: config change command (0x109), remote file execution (0x192), and targeted file exfiltration for `.v2`, `.k2`, `.W2` and `drive.C2` extensions (ID 0x195)
3. Historical & Strategic Context
- Project Wood Legacy: The FireWood backdoor connects to the long-standing Project Wood lineage traced back to 2005.
- It was originally discovered by ESET alongside WolfsBane, marking a strategic shift by threat actors toward Linux-based espionage tools as Windows systems became more fortified.
- FireWood’s use of kernel-level concealment, TEA encryption, and stolen credential harvesting underscores its purpose in prolonged stealth operations.
4. Indicators of Compromise (IOCs)
- New variant SHA256: 898a5bd86c5d99eb70088a90f1d8f90b03bd38c15a232200538d0601c888acb6
- Previous variant SHA256: d7be3494b3e1722eb28f317f3b85ee68bf7ea5508aa2d5782392619e078b78af
5. CyberDudeBivash Recommendations
| Step | Best Practice |
|---|---|
| 1⃣ | Enhance Detection: Deploy kernel-level telemetry and anomaly-based monitoring to catch unfamiliar module loads or misbehavior. |
| 2⃣ | Implement Network Segmentation: Isolate critical Linux assets and use strict segmentation to limit lateral movement. |
| 3⃣ | Update & Audit Rigorously: Regularly patch systems and review file integrity and configuration files like /etc/issue and /etc/issue.net. |
| 4⃣ | Harden C2 Blocking & Egress Control: Utilize EDR or firewall rules to flag repetitive outbound connection attempts. |
| 5⃣ | Proactive Threat Hunting: Hunt for rootkits, weird process names (e.g., “kde-tra”), or unexpected periodic activities via SIEM. |
| 6⃣ | Routine IR Drills: Simulate RAT breaches and data exfiltration scenarios to strengthen response playbooks. |
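As an added example supporting steps 1, 4 and 5 (not code from Intezer or from this post), the script below does two things a hunter can run offline: hash files against the two SHA256 IoCs listed in section 4, and flag a process that fails to connect to the same destination in a tight train with no backoff, which is the footprint the variant's `while (true)` / `ConnectToSvr()` loop leaves in connection logs. The log line format, the IP addresses and the sample records are constructed for this example; the process name "kde-tra" is the one mentioned in step 5.

```python
import hashlib
import re
from collections import defaultdict
from pathlib import Path

# SHA256 values published in the IoC section above (new variant, then previous variant).
FIREWOOD_SHA256 = {
    "898a5bd86c5d99eb70088a90f1d8f90b03bd38c15a232200538d0601c888acb6",
    "d7be3494b3e1722eb28f317f3b85ee68bf7ea5508aa2d5782392619e078b78af",
}

def sha256_of(path):
    """Stream the file through SHA256 so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_for_iocs(root, iocs=FIREWOOD_SHA256):
    """Return every regular file under root whose SHA256 is in the IoC set."""
    return sorted(str(p) for p in Path(root).rglob("*") if p.is_file() and sha256_of(p) in iocs)

# Hypothetical connection-audit line format, constructed for this example (not a real tool's output):
#   "<epoch> <pid> <comm> connect <dst_ip>:<port> <failed|ok>"
LOG_RE = re.compile(r"^(\d+) (\d+) (\S+) connect (\S+) (failed|ok)$")

def find_reconnect_bursts(lines, threshold=5, window=10):
    """Return (pid, comm, dst) keys with at least `threshold` failed connects inside `window` seconds.
    A no-backoff retry train is what a while(true) ConnectToSvr() loop produces; normal clients back off."""
    failures = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and m.group(5) == "failed":
            failures[(m.group(2), m.group(3), m.group(4))].append(int(m.group(1)))
    hits = []
    for key, stamps in failures.items():
        stamps.sort()
        # Sliding window: does any run of `threshold` consecutive failures fit inside `window` seconds?
        if any(stamps[i + threshold - 1] - stamps[i] <= window for i in range(len(stamps) - threshold + 1)):
            hits.append(key)
    return hits

# Constructed sample: pid 4242 ("kde-tra") retries every second without backoff;
# pid 777 is a normal client that fails twice, waits, and then succeeds.
SAMPLE_LOG = [f"{1755100000 + i} 4242 kde-tra connect 203.0.113.10:443 failed" for i in range(6)] + [
    "1755100000 777 curl connect 198.51.100.7:443 failed",
    "1755100030 777 curl connect 198.51.100.7:443 failed",
    "1755100090 777 curl connect 198.51.100.7:443 ok",
]
```

Tune `threshold` and `window` to the environment's normal retry behaviour before relying on the burst rule; a file hash match on the published IoCs needs no tuning.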
6. Closing Hero Section
Stay ahead of stealth threats with CyberDudeBivash.
We’re your daily shield in the cyber jungle—offering AI-powered threat intelligence, rapid analysis, and up-to-the-minute coverage.
Subscribe to ThreatWire, join our cyber awareness network, and remember: vigilance today protects tomorrow.
#CyberDudeBivash #FireWoodRAT #LinuxSecurity