New FireWood malware targeting Linux systems
A sophisticated new variant of the FireWood backdoor has emerged, specifically targeting Linux systems with enhanced evasion capabilities and streamlined command execution functionality. This latest iteration signifies a substantial evolution of the malware family first discovered by ESET’s research team, which has been linked to the long-running “Project Wood” malware lineage dating back to at least 2005. The FireWood backdoor operates as a Remote Access Trojan (RAT) designed for Linux environments, employing kernel-level rootkit modules and TEA-based encryption to maintain stealth and establish persistent command-and-control communications. Once deployed, typically through web shells planted on compromised Linux desktops, the malware enables attackers to execute arbitrary commands, harvest sensitive system information and credentials, and conduct prolonged espionage operations while remaining largely undetected. Intezer researchers identified this new variant with the SHA256 hash 898a5bd86c5d99eb70088a90f1d8f90b03bd38c15a232200538d0601c888acb6, noting significant architectural changes from previous versions.
The updated variant demonstrates notable modifications in its initialization and networking protocols. Unlike earlier versions, which implemented an explicit permission gate through CUser::IsSuc() calls, the new iteration removes this early check entirely, deferring root-or-kernel validation until after daemonisation and PID storage. This architectural shift splits the former SavePidAndCheckKernel() function into discrete components: an initial SavePid(pid) operation followed by CModuleControl::AutoLoad() and CheckLkmLoad().

The malware’s networking implementation represents a significant departure from its predecessor’s complex timing mechanisms. While older variants employed sophisticated randomised time-window algorithms with configurable beacon intervals and delay parameters, the new version adopts a simplified approach built on a continuous while (true) loop. After the configured startup delay, the malware persistently attempts C2 connections through ConnectToSvr() calls, sleeping briefly after each failure until a connection is established or the timer expires.

For system reconnaissance, the updated variant enhances OS detection by implementing a fallback mechanism: when the primary /etc/issue file is unavailable, it automatically attempts to read distribution information from /etc/issue.net instead.
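The simplified reconnect loop described above has a defender-visible side effect: a run of failed outbound connections from one process to one destination at a near-constant short interval, where the older randomised time windows would have produced jitter. The following heuristic over constructed connection-attempt records is an added example written for this article, not code from Intezer, ESET or the malware itself; the record layout, PIDs and the documentation-range addresses are all assumptions.

```python
"""Heuristic detector for a tight, fixed-interval C2 reconnect loop.

Record layout, PIDs and destinations below are constructed for this
example and do not represent any real log source or indicator.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: (timestamp_s, pid, dst, outcome).
# PID 4242 retries every 3 s (the loop we care about); PID 1300 is a
# healthy client with one failure; PID 2000 fails often but with wide,
# irregular gaps, as a randomised beacon would.
SAMPLE = [
    (1000.0, 4242, "203.0.113.10:443", "fail"),
    (1003.0, 4242, "203.0.113.10:443", "fail"),
    (1006.0, 4242, "203.0.113.10:443", "fail"),
    (1009.0, 4242, "203.0.113.10:443", "fail"),
    (1012.0, 4242, "203.0.113.10:443", "fail"),
    (1015.0, 4242, "203.0.113.10:443", "fail"),
    (1001.0, 1300, "198.51.100.7:443", "fail"),
    (1030.0, 1300, "198.51.100.7:443", "ok"),
    (1000.0, 2000, "192.0.2.9:8080", "fail"),
    (1025.0, 2000, "192.0.2.9:8080", "fail"),
    (1090.0, 2000, "192.0.2.9:8080", "fail"),
    (1100.0, 2000, "192.0.2.9:8080", "fail"),
    (1170.0, 2000, "192.0.2.9:8080", "fail"),
]


def find_reconnect_loops(records, min_attempts=5, max_interval=10.0,
                         max_jitter=1.0):
    """Return {(pid, dst): attempt_count} for pairs whose failed attempts
    form a run of at least min_attempts with a mean gap <= max_interval
    seconds and a gap std-dev (jitter) <= max_jitter seconds."""
    failures = defaultdict(list)
    for ts, pid, dst, outcome in records:
        if outcome == "fail":
            failures[(pid, dst)].append(ts)
    flagged = {}
    for key, times in failures.items():
        # Need at least two attempts to measure a gap at all.
        if len(times) < max(min_attempts, 2):
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        if mean(gaps) <= max_interval and pstdev(gaps) <= max_jitter:
            flagged[key] = len(times)
    return flagged
```

Tune max_interval and max_jitter to the environment; a large, loose jitter budget will also catch ordinary retry storms, so pair the hit with the other behaviours noted above (the /etc/issue.net fallback read, LKM loading) before escalating.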