Gelsemium’s Silent and Effective Attack Master Class

Over a six-month period spanning 2022 and 2023, an advanced persistent threat (APT) group known as Gelsemium actively attacked governments in Southeast Asia.

Gelsemium has been active since 2014, targeting state institutions, educational institutions, and manufacturers of electronics in East Asia and the Middle East. In a 2021 report by ESET, experts described the group as “quiet” and highlighted its deep technical competencies, allowing it to operate covertly for an extended period of time.

According to a report by the Unit42 research group at Palo Alto Networks, Gelsemium recently launched a new campaign involving unique backdoors.[1]

Gelsemium used web shells to penetrate the targeted systems, most likely by exploiting vulnerabilities in servers exposed to the internet. The analysis identified reGeorg, China Chopper, and ASPXSpy among the web shells deployed. These tools are publicly available and are used by many different attacker groups, which makes attribution based on them alone difficult.[1]
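The web shells named above all share one observable trait on the server side: a server-side script that the application never shipped starts receiving POST requests, often from a single client and frequently from a directory that should hold only static content. The following is an added detection example, not code from the report or from Unit42; it parses constructed IIS W3C log lines (the paths, IPs and user agents are hypothetical) and flags script paths that receive repeated POSTs and are not in an allowlist of known application endpoints.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample lines in IIS W3C format (hypothetical; not taken from the report).
# Field order: date time s-ip cs-method cs-uri-stem cs-uri-query s-port
#              cs-username c-ip cs(User-Agent) sc-status
SAMPLE_LOG = """\
2023-03-01 10:00:01 10.0.0.5 GET /index.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2023-03-01 10:00:03 10.0.0.5 POST /login.aspx - 443 - 203.0.113.7 Mozilla/5.0 302
2023-03-01 10:01:10 10.0.0.5 POST /images/helper.aspx - 443 - 198.51.100.9 python-requests/2.28 200
2023-03-01 10:01:12 10.0.0.5 POST /images/helper.aspx - 443 - 198.51.100.9 python-requests/2.28 200
2023-03-01 10:01:15 10.0.0.5 POST /images/helper.aspx - 443 - 198.51.100.9 python-requests/2.28 200
2023-03-01 10:02:00 10.0.0.5 GET /static/logo.png - 443 - 203.0.113.7 Mozilla/5.0 200
"""

# Allowlist of endpoints the application legitimately serves (assumed for this example).
KNOWN_ENDPOINTS = {"/index.aspx", "/login.aspx"}
# Server-side script extensions worth watching on a Windows/IIS or mixed web tier.
SCRIPT_EXT = re.compile(r"\.(aspx?|ashx|asmx|php|jsp)$", re.IGNORECASE)
# Directories that should only ever contain static files.
STATIC_DIRS = ("/images/", "/static/", "/uploads/", "/css/", "/js/")


def parse_line(line: str) -> Dict[str, str]:
    """Split one W3C log line into the fields the detector needs."""
    f = line.split()
    return {
        "date": f[0], "time": f[1], "method": f[3], "path": f[4],
        "client": f[8], "ua": f[9], "status": f[10],
    }


def flag_webshell_candidates(log_text: str, min_hits: int = 2) -> List[Dict]:
    """Return (path, client) pairs that look like web shell traffic:
    POST requests to a server-side script that is not a known application
    endpoint, counted per source IP so a single stray request is ignored."""
    hits: Counter = Counter()
    agents: Dict[tuple, set] = {}
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue  # skip blank lines and W3C header directives
        rec = parse_line(line)
        if rec["method"] != "POST" or not SCRIPT_EXT.search(rec["path"]):
            continue
        if rec["path"] in KNOWN_ENDPOINTS:
            continue
        key = (rec["path"], rec["client"])
        hits[key] += 1
        agents.setdefault(key, set()).add(rec["ua"])

    findings = []
    for (path, client), n in hits.items():
        if n < min_hits:
            continue
        findings.append({
            "path": path,
            "client": client,
            "posts": n,
            # A script living under a static-only directory is a strong signal on its own.
            "in_static_dir": path.startswith(STATIC_DIRS),
            "user_agents": sorted(agents[(path, client)]),
        })
    return findings


if __name__ == "__main__":
    for f in flag_webshell_candidates(SAMPLE_LOG):
        print(f)
```

The allowlist is the part that needs care in practice: build it from the application's deployed file manifest rather than from observed traffic, otherwise a shell that has been live for weeks ends up on the list. Pairing this with a file-integrity check on the web root (new script files with no matching deployment) catches the shell before it is ever called.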

Using the web shells, Gelsemium performed initial reconnaissance of the targeted network and then moved laterally over SMB. The group also uploaded additional tooling, including OWLPROXY, SESSIONMANAGER, Cobalt Strike, Spoolfool, and Earthworm.[1]

While Cobalt Strike, Earthworm, and Spoolfool are publicly available and well-known tools, OWLPROXY is comparatively rare. It was previously used as an HTTP proxy and backdoor in attacks against the Taiwanese government.[1]
