Since mid-2020, ESET Research has been analysing multiple campaigns, later attributed to the Gelsemium cyberespionage group, and has tracked down the earliest version of their main malware, Gelsevirine, to 2014.
During the investigation, ESET researchers found a new version of Gelsevirine. Victims of its campaigns are located in the Middle East as well as East Asia and include governments, religious organisations, electronics manufacturers and universities. At present, the group has managed to remain mostly under the radar. This research was exclusively previewed at the recent annual ESET World conference.
Gelsemium is very targeted and considering its capabilities, this points to the conclusion that the group is involved in cyberespionage.
“Gelsemium’s whole chain might appear simple at first sight, but the exhaustive number of configurations, implanted at each stage, can modify on-the-fly settings for the final payload, making it harder to understand,” explains ESET researcher Thomas Dupuy, co-author of the Gelsemium research analysis.
Gelsemium uses three components and a plug-in system to give the operators a range of possibilities to gather information: the dropper Gelsemine, the loader Gelsenicine and the main plugin Gelsevirine.
ESET researchers believe that Gelsemium is behind the supply-chain attack against BigNox that was previously reported as Operation NightScout. This was a supply-chain attack that compromised the update mechanism of NoxPlayer, an Android emulator for PCs and Macs, and part of BigNox’s product range, with over 150 million users worldwide. The investigation uncovered some overlap between this supply-chain attack and the Gelsemium group. Victims originally compromised by that supply-chain attack were later being compromised by Gelsemine. Among the different variants examined, “variant 2” from the article shows similarities with Gelsemium malware.