Gelsemium

Gelsemium is a modular malware consisting of dropper (Gelsemine), loader (Gelsenicine), and main (Gelsevirine) plug-ins that has been used by the Gelsemium group since at least 2014.[1]

ID: S0666
Associated Software: Gelsevirine, Gelsenicine, Gelsemine
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 30 November 2021
Last Modified: 01 December 2021

Associated Software Descriptions

Name | Description
Gelsevirine | [1]
Gelsenicine | [1]
Gelsemine | [1]

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

Gelsemium can bypass UAC to elevate process privileges on a compromised host.[1]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Gelsemium can use HTTP/S in C2 communications.[1]

Enterprise T1560 .002 Archive Collected Data: Archive via Library

Gelsemium can compress embedded executables with the zlib library.[1]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Gelsemium can set persistence with a Registry run key.[1]

Enterprise T1547 .012 Boot or Logon Autostart Execution: Print Processors

Gelsemium can drop itself in C:\Windows\System32\spool\prtprocs\x64\winprint.dll to be loaded automatically by the spoolsv Windows service.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

Gelsemium can decompress and decrypt DLLs and shellcode.[1]

Enterprise T1083 File and Directory Discovery

Gelsemium can retrieve specific Windows directories.[1]

Enterprise T1070 .004 Indicator Removal on Host: File Deletion

Gelsemium can delete its dropper component from the targeted system.[1]

Enterprise T1070 .006 Indicator Removal on Host: Timestomp

Gelsemium has the ability to perform timestomping on targeted systems.[1]

Enterprise T1105 Ingress Tool Transfer

Gelsemium can download additional plug-ins to a compromised host.[1]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Gelsemium can set its persistence in the Registry with the key value Chrome Update to appear legitimate.[1]

Enterprise T1112 Modify Registry

Gelsemium has the ability to store its components in the Registry.[1]

Enterprise T1095 Non-Application Layer Protocol

Gelsemium has the ability to use TCP and UDP in C2 communications.[1]

Enterprise T1027 Obfuscated Files or Information

Gelsemium has the ability to compress its components.[1]

Enterprise T1027 .001 Obfuscated Files or Information: Binary Padding

Gelsemium can use junk code to hide functions and evade detection.[1]

Enterprise T1057 Process Discovery

Gelsemium can enumerate running processes.[1]

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

Gelsemium has the ability to inject DLLs into specific processes.[1]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Gelsemium can check for the presence of specific security products.[1]

Enterprise T1082 System Information Discovery

Gelsemium can determine the operating system and whether a targeted machine has a 32-bit or 64-bit architecture.[1]

Enterprise T1033 System Owner/User Discovery

Gelsemium has the ability to distinguish between a standard user and an administrator on a compromised host.[1]

Groups That Use This Software

ID | Name | References
G0141 | Gelsemium | [1]

References