Gelsevirine Malware

The Gelsevirine Malware is a threatening implant: a private piece of malware that is part of the arsenal of the Gelsemium APT. In the past, the group has been involved in large-scale attacks against various entities in the Middle East and East Asia. It uses both public and private malware families to aid its operations, but the Gelsevirine Malware appears to be one of its favorites. It has been updated regularly, and the operators appear to refer to it as MainPlugin in their projects.

But what does the Gelsevirine malware do? The first version of the implant dates back to 2014, and it has received multiple large updates since then. Its primary advantage over most traditional malware is its modular structure: the operators can extend its functionality whenever they need access to new features. So far, active copies of the Gelsevirine implant have been observed executing remote commands and manipulating the file system on the compromised device. Last but not least, the implant uses several advanced tricks to acquire persistence while trying to evade anti-virus software.

The most recent attacks involving the Gelsevirine and the hackers from the aforementioned APT group were discovered in January 2021. The criminals managed to execute a supply-chain attack by compromising the network of BigNox, in the operation dubbed Operation NightScout.

While APT groups often have the best malware and hacking tools at their disposal, you can rest assured that the methods you can use to stop them are not that special – using a regularly updated anti-malware application should be enough to keep you safe from both the Gelsevirine and low-level malware threats.

June 10, 2021