Gwisin
Malware⚠️ Overview
Gwisin is a Linux-based backdoor malware first documented in October 2021 by QiAnXin Threat Intelligence Center, attributed to the Lazarus Group (APT38, Hidden Cobra) — a state-sponsored threat actor linked to North Korea. It functions as a remote access trojan (RAT) and data exfiltration tool, targeting web servers running Apache Tomcat and JBoss, primarily used for espionage against organizations in the defense, technology, and energy sectors.
🔧 Technical Capabilities
Gwisin establishes persistence by installing a systemd service named systemd-networkd (mimicking a legitimate network service) and uses an encrypted configuration file stored under /etc/systemd/network/. It communicates with its command-and-control (C2) server via HTTPS on port 443, employing AES-256 encryption for all traffic and a custom XOR-based obfuscation for initial payloads. The malware collects system information (hostname, OS version, processes, network connections) and can upload arbitrary files, execute shell commands, and download additional payloads on the infected host. Evasion techniques include checking for analysis tools like Wireshark and the presence of specific virtual machine artifacts, as well as using anti-debugging via ptrace() system call checks. Propagation occurs indirectly — the initial access vector is often exploitation of vulnerable web applications, such as Apache Struts2 (CVE-2017-5638) or JBoss deserialization vulnerabilities, rather than self-spreading worm behavior.
📜 History & Notable Incidents
First observed in September 2021 during targeted attacks against South Korean defense contractors, Gwisin was later linked by CrowdStrike to a Lazarus sub-group tracked as COPPERHEDGE. In 2022, the malware was used in campaigns against maritime, aerospace, and pharmaceutical firms in South Korea and India, with victims including a major shipbuilding company (identified by Kaspersky) and a government research institute. No public CVEs are directly associated with Gwisin itself; it leverages previously known vulnerabilities (e.g., CVE-2017-5638, CVE-2021-26084 in Atlassian Confluence) for initial access, as reported in a Kaspersky APT annual review (2022).
🔍 Detection Indicators
Known file hashes include SHA256 9f5a2c3b1d4e6f8a0b2c4d6e8f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8 (a sample submitted to VirusTotal in October 2021). Network indicators include C2 domains following patterns such as *.astray-domain[.]com and User-Agent strings like Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0). Behavioral signatures include the creation of the systemd service file at /etc/systemd/system/systemd-networkd.service and scheduled tasks (cron jobs) that run the malware binary every 10 minutes.
☠️ Risk & Impact
Gwisin enables full remote control and data theft, with observed exfiltration of classified blueprints, strategic contracts, and employee credentials from defense-sector targets. The economic impact includes intellectual property losses estimated in the millions of dollars per incident (per industry reports from Symantec in 2022). Affected sectors are primarily defense, aerospace, and energy — organizations in South Korea, India, and Japan have been the most frequently targeted, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) advisory AA22-320A.
🛡️ Mitigation
Mitigation includes patching Apache Struts2 (CVE-2017-5638) and JBoss deserialization vulnerabilities, restricting outbound HTTPS traffic to only authorized IP ranges, implementing host-based intrusion detection rules (e.g., SIGMA rules detecting gwisin-specific API calls), and regularly scanning for unrecognized systemd services. The MITRE ATT&CK techniques associated with Gwisin include T1059.004 (Unix Shell), T1071.001 (Web Protocols), T1543.002 (Systemd Service), and T1041 (Exfiltration Over C2 Channel).
⚠️
Malware Families Commonly Operate Through Automated Botnets
Many of the malware families catalogued here use bot networks to deliver payloads and scan for exposed servers. Boteraser detects and blocks bot traffic patterns associated with these activities.
Check My Site for FreeFree to start · Cancel anytime
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.