Results unveiled this week by ESET Research have shed light on a previously secretive cyber-espionage group targeting select entities throughout East Asia and the Middle East.
For the past year, ESET Research has studied multiple attacks it now attributes to the group Gelsemium and has traced the earliest known version of their main malware Gelsevirine. Recent efforts have revealed a new version of Gelsevirine that has targeted governments, religious groups, universities, and electronics manufacturers.
Because the group has hit only a small number of victims, ESET assesses that its purpose is cyber-espionage.
“Gelsemium’s whole chain might appear simple at first sight, but the exhaustive number of configurations, implanted at each stage, can modify on-the-fly settings for the final payload, making it harder to understand,” said ESET Canada researcher Thomas Dupuy, co-author of the Gelsemium research analysis.
Gelsemium's toolchain has three stages: Gelsemine, a dropper that launches the malware during installation; Gelsenicine, a loader that then loads the next stage; and Gelsevirine, the main plugin, which takes over from there.
At its conference earlier this week, ESET said it believes Gelsemium is behind the supply-chain attack reported as Operation NightScout. That attack compromised the update mechanism of NoxPlayer, an Android emulator for PCs and Macs, which gave the group access to more than 150 million users around the world.
ESET's investigation revealed ties between Operation NightScout and Gelsemine, including the fact that victims of the original attack were later hit by Gelsemine, as well as strong similarities between the two sets of software.