Threat Bulletin: Fire in the Woods – A New Variant of FireWood
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY :
A new, low-detected variant of the FireWood Linux backdoor has been discovered, showing changes in implementation and configuration while maintaining core functionality. This backdoor, linked to the 'Project Wood' malware lineage, operates as a remote access trojan on Linux systems, using kernel-level rootkit modules and TEA-based encryption for stealth and persistence. The new variant modifies the execution process, alters network communication, and updates file paths. It removes some commands and adds others, including a new 'auto-kill' feature. Samples have been found in Iran and the Philippines, indicating a potentially wide distribution. The backdoor has possible connections to the China-aligned Gelsemium APT group, though this association remains uncertain.
OPENCTI LABELS :
backdoor,rat,linux,kernel rootkit,project wood,firewood,tea encryption
AI COMMENTARY :
1. Threat Bulletin: Fire in the Woods – A New Variant of FireWood
This report unveils a new, low-detected variant of the FireWood Linux backdoor emerging from the Project Wood malware lineage. Researchers have observed significant adjustments to its execution process, network communication channels, and file path configurations while the adversary continues to exploit kernel rootkit modules for stealth. The discovery underscores the importance of vigilance in monitoring for both known and modified backdoor behaviors across Linux environments.

2. Evolution of the FireWood Backdoor
Since its initial identification, FireWood has operated as a remote access trojan (RAT) tailored for Linux systems. The latest iteration introduces an updated set of functions that replace certain legacy commands with enhanced capabilities. Notably, an “auto-kill” feature has been added to terminate competing processes, reinforcing the backdoor’s persistence. Despite these alterations, the core use of TEA encryption for network obfuscation remains a constant, highlighting the attacker’s reliance on proven techniques for confidentiality and evasion.

3. Technical Anatomy and Kernel Rootkit Integration
At the heart of FireWood’s stealth strategy lies a kernel-level rootkit module that intercepts system calls and injects malicious routines directly into the Linux kernel. This approach grants the malware unparalleled control over process listings, file system visibility, and network connections. The combination of a rootkit and backdoor RAT functions enables operators to conduct reconnaissance, deploy additional payloads, and exfiltrate data without raising alarms in conventional security tools.

4. Network Communication and Encryption Mechanisms
The variant’s network layer continues to leverage TEA-based encryption to secure command-and-control traffic. Alterations to the communication protocol include modified packet headers and dynamic port selection to evade signature-based detection. By encrypting payloads with TEA and varying its network footprint, the adversary thwarts deep packet inspection and complicates forensic analysis of captured network streams.
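For analysts who capture this traffic, the practical question is how to decode it once the key has been recovered from a sample. The block below is an added reference implementation of the Tiny Encryption Algorithm (TEA) written for this bulletin; it is not code from the researchers, from OpenCTI, or from the malware. It implements the standard 32-cycle TEA block function and a byte-level wrapper. The round count, little-endian word order, zero padding and block-by-block (ECB) application are assumptions: the bulletin does not document how this variant applies TEA, and each of those parameters must be confirmed from the binary before the decoder will recover real traffic.

```python
"""Reference TEA encrypt/decrypt for decoding captured C2 traffic (added example)."""
import struct

DELTA = 0x9E3779B9          # the TEA key schedule constant (golden ratio)
MASK32 = 0xFFFFFFFF
ROUNDS = 32                 # assumption: the reference round count


def _key_words(key, byteorder):
    """Split a 128-bit key into four 32-bit words in the chosen byte order."""
    if len(key) != 16:
        raise ValueError("TEA needs a 16-byte key")
    return struct.unpack(("<" if byteorder == "little" else ">") + "4I", key)


def tea_encrypt_block(v0, v1, k, rounds=ROUNDS):
    """Encrypt one 64-bit block given as two 32-bit words."""
    k0, k1, k2, k3 = k
    s = 0
    for _ in range(rounds):
        s = (s + DELTA) & MASK32
        v0 = (v0 + ((((v1 << 4) + k0) & MASK32) ^ ((v1 + s) & MASK32)
                    ^ (((v1 >> 5) + k1) & MASK32))) & MASK32
        v1 = (v1 + ((((v0 << 4) + k2) & MASK32) ^ ((v0 + s) & MASK32)
                    ^ (((v0 >> 5) + k3) & MASK32))) & MASK32
    return v0, v1


def tea_decrypt_block(v0, v1, k, rounds=ROUNDS):
    """Invert tea_encrypt_block: run the schedule backwards from rounds*DELTA."""
    k0, k1, k2, k3 = k
    s = (DELTA * rounds) & MASK32
    for _ in range(rounds):
        v1 = (v1 - ((((v0 << 4) + k2) & MASK32) ^ ((v0 + s) & MASK32)
                    ^ (((v0 >> 5) + k3) & MASK32))) & MASK32
        v0 = (v0 - ((((v1 << 4) + k0) & MASK32) ^ ((v1 + s) & MASK32)
                    ^ (((v1 >> 5) + k1) & MASK32))) & MASK32
        s = (s - DELTA) & MASK32
    return v0, v1


def tea_encrypt(data, key, byteorder="little"):
    """Encrypt bytes block by block (ECB) with zero padding; both are assumptions."""
    k = _key_words(key, byteorder)
    fmt = ("<" if byteorder == "little" else ">") + "2I"
    data = data + b"\x00" * (-len(data) % 8)
    out = bytearray()
    for i in range(0, len(data), 8):
        v0, v1 = struct.unpack(fmt, data[i:i + 8])
        out += struct.pack(fmt, *tea_encrypt_block(v0, v1, k))
    return bytes(out)


def tea_decrypt(data, key, byteorder="little"):
    """Decrypt a ciphertext produced by tea_encrypt; padding is left in place."""
    if len(data) % 8:
        raise ValueError("ciphertext length must be a multiple of 8")
    k = _key_words(key, byteorder)
    fmt = ("<" if byteorder == "little" else ">") + "2I"
    out = bytearray()
    for i in range(0, len(data), 8):
        v0, v1 = struct.unpack(fmt, data[i:i + 8])
        out += struct.pack(fmt, *tea_decrypt_block(v0, v1, k))
    return bytes(out)


if __name__ == "__main__":
    # Constructed key and message; a real key comes from reversing the sample.
    key = b"0123456789abcdef"
    blob = tea_encrypt(b"hello c2 channel", key)
    print(blob.hex())
    print(tea_decrypt(blob, key))
```

The byte order matters: an implementation compiled for x86 usually treats each 4-byte word as little-endian, while published TEA test vectors are often expressed big-endian, so a decoder that produces garbage with the correct key should be tried with `byteorder="big"` before the key is assumed wrong.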

5. Geographical Distribution and Possible Attribution
Samples of this FireWood variant have been collected from servers in Iran and the Philippines, suggesting a broader distribution across multiple regions. Evidence points to possible ties with the China-aligned Gelsemium APT group, although definitive attribution remains inconclusive. The geographical spread, combined with the sophistication of the kernel rootkit component, raises concerns about resource-backed threat actors refining and redeploying open-source toolkits under new operational branding.

6. Implications for Linux Security and Defensive Measures
The emergence of this variant demands a reevaluation of Linux security postures. Monitoring for anomalous kernel module load events, auditing unusual network connections encrypted with TEA, and scanning for unexpected file path changes are critical steps. Organizations should deploy kernel integrity verification tools, enforce strict code-signing policies for loadable modules, and continuously update threat intelligence feeds to detect evolving signatures associated with Project Wood and FireWood campaigns.
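To make the first of those monitoring steps concrete, the block below is an added example written for this bulletin (not code from the researchers or from OpenCTI) that parses Linux audit records for kernel-module loads and flags the ones a defender would want to look at. It correlates the `SYSCALL` record for `init_module`/`finit_module` with the `KERN_MODULE` record that carries the module name, and it also checks for modules that appear as loaded in `/sys/module` but are missing from `/proc/modules`, the symptom of a module that has unlinked itself from the kernel's module list. The syscall numbers are the x86_64 values; the trusted-loader and expected-module allowlists and the audit lines are constructed for a hypothetical host and must be tailored per system.

```python
"""Flag anomalous kernel-module load events from Linux audit records (added example)."""
import os
import re

# x86_64 syscall numbers of the two module-loading system calls
MODULE_SYSCALLS = {"175": "init_module", "313": "finit_module"}
# Assumption: the only programs expected to load modules on this host
TRUSTED_LOADERS = {"/usr/bin/kmod", "/bin/kmod", "/sbin/insmod", "/usr/sbin/insmod",
                   "/sbin/modprobe", "/usr/sbin/modprobe"}
# Assumption: the modules this hypothetical host is expected to load
EXPECTED_MODULES = {"ext4", "xfs", "e1000", "nf_conntrack"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_RE = re.compile(r"audit\((\d+\.\d+):(\d+)\)")

# Constructed audit records for a hypothetical host; not taken from a real system.
SAMPLE_AUDIT = [
    'type=SYSCALL msg=audit(1700000000.101:901): arch=c000003e syscall=313 success=yes '
    'exit=0 ppid=1 pid=1234 auid=0 uid=0 gid=0 comm="modprobe" exe="/usr/sbin/modprobe" key="modules"',
    'type=KERN_MODULE msg=audit(1700000000.101:901): name="e1000"',
    'type=SYSCALL msg=audit(1700000000.202:902): arch=c000003e syscall=175 success=yes '
    'exit=0 ppid=4321 pid=4322 auid=1000 uid=0 gid=0 comm="ld" exe="/tmp/.cache/ld" key="modules"',
    'type=KERN_MODULE msg=audit(1700000000.202:902): name="placeholder_mod"',
]


def parse_record(line):
    """Turn one audit line into a dict of key=value fields plus its event id."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = EVENT_RE.search(line)
    fields["_event"] = f"{m.group(1)}:{m.group(2)}" if m else None
    return fields


def correlate_loads(lines):
    """Join SYSCALL and KERN_MODULE records that share an audit event id."""
    events = {}
    for line in lines:
        rec = parse_record(line)
        ev = events.setdefault(rec["_event"], {})
        if rec.get("type") == "SYSCALL" and rec.get("syscall") in MODULE_SYSCALLS:
            ev.update(syscall=MODULE_SYSCALLS[rec["syscall"]], exe=rec.get("exe"),
                      uid=rec.get("uid"), comm=rec.get("comm"), success=rec.get("success"))
        elif rec.get("type") == "KERN_MODULE":
            ev["module"] = rec.get("name")
    return [ev for ev in events.values() if "syscall" in ev]


def assess(event):
    """Return the reasons a module load looks anomalous (empty list = benign)."""
    reasons = []
    if event.get("exe") not in TRUSTED_LOADERS:
        reasons.append(f"loader {event.get('exe')!r} is not a trusted module tool")
    if event.get("module") not in EXPECTED_MODULES:
        reasons.append(f"module {event.get('module')!r} is not on the allowlist")
    return reasons


def scan(lines=SAMPLE_AUDIT):
    """Return (event, reasons) pairs for every anomalous load in the records."""
    flagged = []
    for ev in correlate_loads(lines):
        reasons = assess(ev)
        if reasons:
            flagged.append((ev, reasons))
    return flagged


def find_hidden_modules(proc_modules_text, sysfs_loaded_names):
    """Names loaded according to sysfs but absent from /proc/modules.

    A module that unlinks itself from the kernel's module list vanishes from
    /proc/modules and lsmod while its /sys/module/<name> directory can remain.
    The caller passes only sysfs entries that have an 'initstate' file, which
    is created for loadable modules and not for built-in ones.
    """
    listed = {line.split()[0] for line in proc_modules_text.splitlines() if line.strip()}
    return sorted(set(sysfs_loaded_names) - listed)


if __name__ == "__main__":
    for ev, reasons in scan():
        print(f"[ALERT] {ev['syscall']} via {ev['exe']} (uid {ev['uid']}): " + "; ".join(reasons))
    if os.path.isdir("/sys/module") and os.path.exists("/proc/modules"):  # live check, Linux only
        loaded = [n for n in os.listdir("/sys/module")
                  if os.path.exists(f"/sys/module/{n}/initstate")]
        with open("/proc/modules") as fh:
            for name in find_hidden_modules(fh.read(), loaded):
                print(f"[ALERT] module {name} is in sysfs but hidden from /proc/modules")
```

The records parsed here are produced by an audit rule such as `-a always,exit -F arch=b64 -S init_module,finit_module -k modules`; the `KERN_MODULE` record is only emitted by kernels that support it, so on older hosts the module name has to be taken from the loader's command line instead. The sysfs comparison is a cheap first check rather than a complete integrity verification, since a rootkit can also remove its sysfs entry, which is why the bulletin's advice to run dedicated kernel integrity tools still stands.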

7. Conclusion
Fire in the Woods represents a revamped chapter in the FireWood backdoor saga, blending enduring TEA encryption and kernel rootkit techniques with new operational features. As adversaries continue to refine their RAT toolsets, defenders must prioritize kernel-level visibility, proactive threat hunting, and rigorous network monitoring. Awareness of this variant’s capabilities and distribution helps shape resilient defenses against the next wave of Linux-focused intrusions.