Gelsemium

Gelsemium is a modular malware comprised of a dropper (Gelsemine), a loader (Gelsenicine), and main (Gelsevirine) plug-ins written using the Microsoft Foundation Class (MFC) framework. Gelsemium has been used by the Gelsemium group since at least 2014.[1]

ID: S0666
Associated Software: Gelsevirine, Gelsenicine, Gelsemine
Type: MALWARE
Platforms: Windows
Version: 1.2
Created: 30 November 2021
Last Modified: 11 April 2024

Associated Software Descriptions

Name Description
Gelsevirine

[1]

Gelsenicine

[1]

Gelsemine

[1]

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

Gelsemium can bypass UAC to elevate process privileges on a compromised host.[1]

Enterprise T1134 Access Token Manipulation

Gelsemium can use token manipulation to bypass UAC on Windows7 systems.[1]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Gelsemium can use HTTP/S in C2 communications.[1]

.004 Application Layer Protocol: DNS

Gelsemium has the ability to use DNS in communication with C2.[1]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Gelsemium can set persistence with a Registry run key.[1]

.012 Boot or Logon Autostart Execution: Print Processors

Gelsemium can drop itself in C:\Windows\System32\spool\prtprocs\x64\winprint.dll to be loaded automatically by the spoolsv Windows service.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Gelsemium can use a batch script to delete itself.[1]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

Gelsemium can drop itself in C:\Windows\System32\spool\prtprocs\x64\winprint.dll as an alternative Print Processor to be loaded automatically when the spoolsv Windows service starts.[1]

Enterprise T1005 Data from Local System

Gelsemium can collect data from a compromised host.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

Gelsemium can decompress and decrypt DLLs and shellcode.[1]

Enterprise T1568 Dynamic Resolution

Gelsemium can use dynamic DNS domain names in C2.[1]

Enterprise T1008 Fallback Channels

Gelsemium can use multiple domains and protocols in C2.[1]

Enterprise T1083 File and Directory Discovery

Gelsemium can retrieve data from specific Windows directories, as well as open random files as part of Virtualization/Sandbox Evasion.[1]

Enterprise T1070 .004 Indicator Removal: File Deletion

Gelsemium can delete its dropper component from the targeted system.[1]

.006 Indicator Removal: Timestomp

Gelsemium has the ability to perform timestomping of files on targeted systems.[1]

Enterprise T1105 Ingress Tool Transfer

Gelsemium can download additional plug-ins to a compromised host.[1]

Enterprise T1559 .001 Inter-Process Communication: Component Object Model

Gelsemium can use the IARPUinstallerStringLauncher COM interface are part of its UAC bypass process.[1]

Enterprise T1036 .001 Masquerading: Invalid Code Signature

Gelsemium has used unverified signatures on malicious DLLs.[1]

.005 Masquerading: Match Legitimate Name or Location

Gelsemium has named malicious binaries serv.exe, winprint.dll, and chrome_elf.dll and has set its persistence in the Registry with the key value Chrome Update to appear legitimate.[1]

Enterprise T1112 Modify Registry

Gelsemium can modify the Registry to store its components.[1]

Enterprise T1106 Native API

Gelsemium has the ability to use various Windows API functions to perform tasks.[1]

Enterprise T1095 Non-Application Layer Protocol

Gelsemium has the ability to use TCP and UDP in C2 communications.[1]

Enterprise T1027 .001 Obfuscated Files or Information: Binary Padding

Gelsemium can use junk code to hide functions and evade detection.[1]

.011 Obfuscated Files or Information: Fileless Storage

Gelsemium can store its components in the Registry.[1]

.013 Obfuscated Files or Information: Encrypted/Encoded File

Gelsemium has the ability to compress its components.[1]

Enterprise T1057 Process Discovery

Gelsemium can enumerate running processes.[1]

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

Gelsemium has the ability to inject DLLs into specific processes.[1]

Enterprise T1012 Query Registry

Gelsemium can open random files and Registry keys to obscure malware behavior from sandbox analysis.[1]

Enterprise T1620 Reflective Code Loading

Gelsemium can use custom shellcode to map embedded DLLs into memory.[1]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Gelsemium can check for the presence of specific security products.[1]

Enterprise T1082 System Information Discovery

Gelsemium can determine the operating system and whether a targeted machine has a 32 or 64 bit architecture.[1]

Enterprise T1033 System Owner/User Discovery

Gelsemium has the ability to distinguish between a standard user and an administrator on a compromised host.[1]

Enterprise T1497 Virtualization/Sandbox Evasion

Gelsemium can use junk code to generate random activity to obscure malware behavior.[1]

References