S0666 Gelsemium

Gelsemium is a modular malware family composed of a dropper (Gelsemine), a loader (Gelsenicine), and a main plug-in (Gelsevirine), all written using the Microsoft Foundation Class (MFC) framework. Gelsemium has been used by the Gelsemium group since at least 2014.[1]

| Item | Value |
|---|---|
| ID | S0666 |
| Associated Names | Gelsevirine, Gelsenicine, Gelsemine |
| Type | MALWARE |
| Version | 1.1 |
| Created | 30 November 2021 |
| Last Modified | 26 March 2023 |

Associated Software Descriptions

| Name | Description |
|---|---|
| Gelsevirine | [1] |
| Gelsenicine | [1] |
| Gelsemine | [1] |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1548 | Abuse Elevation Control Mechanism | - |
| enterprise | T1548.002 | Bypass User Account Control | Gelsemium can bypass UAC to elevate process privileges on a compromised host.[1] |
| enterprise | T1134 | Access Token Manipulation | Gelsemium can use token manipulation to bypass UAC on Windows 7 systems.[1] |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Gelsemium can use HTTP/S in C2 communications.[1] |
| enterprise | T1071.004 | DNS | Gelsemium has the ability to use DNS in communication with C2.[1] |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | Gelsemium can set persistence with a Registry run key.[1] |
| enterprise | T1547.012 | Print Processors | Gelsemium can drop itself in C:\Windows\System32\spool\prtprocs\x64\winprint.dll to be loaded automatically by the spoolsv Windows service.[1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | Gelsemium can use a batch script to delete itself.[1] |
| enterprise | T1543 | Create or Modify System Process | - |
| enterprise | T1543.003 | Windows Service | Gelsemium can drop itself in C:\Windows\System32\spool\prtprocs\x64\winprint.dll as an alternative Print Processor to be loaded automatically when the spoolsv Windows service starts.[1] |
| enterprise | T1005 | Data from Local System | Gelsemium can collect data from a compromised host.[1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | Gelsemium can decompress and decrypt DLLs and shellcode.[1] |
| enterprise | T1568 | Dynamic Resolution | Gelsemium can use dynamic DNS domain names in C2.[1] |
| enterprise | T1008 | Fallback Channels | Gelsemium can use multiple domains and protocols in C2.[1] |
| enterprise | T1083 | File and Directory Discovery | Gelsemium can retrieve data from specific Windows directories, as well as open random files as part of Virtualization/Sandbox Evasion.[1] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | Gelsemium can delete its dropper component from the targeted system.[1] |
| enterprise | T1070.006 | Timestomp | Gelsemium has the ability to perform timestomping of files on targeted systems.[1] |
| enterprise | T1105 | Ingress Tool Transfer | Gelsemium can download additional plug-ins to a compromised host.[1] |
| enterprise | T1559 | Inter-Process Communication | - |
| enterprise | T1559.001 | Component Object Model | Gelsemium can use the IARPUinstallerStringLauncher COM interface as part of its UAC bypass process.[1] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.001 | Invalid Code Signature | Gelsemium has used unverified signatures on malicious DLLs.[1] |
| enterprise | T1036.005 | Match Legitimate Name or Location | Gelsemium has named malicious binaries serv.exe, winprint.dll, and chrome_elf.dll and has set its persistence in the Registry with the key value Chrome Update to appear legitimate.[1] |
| enterprise | T1112 | Modify Registry | Gelsemium can modify the Registry to store its components.[1] |
| enterprise | T1106 | Native API | Gelsemium has the ability to use various Windows API functions to perform tasks.[1] |
| enterprise | T1095 | Non-Application Layer Protocol | Gelsemium has the ability to use TCP and UDP in C2 communications.[1] |
| enterprise | T1027 | Obfuscated Files or Information | Gelsemium has the ability to compress its components.[1] |
| enterprise | T1027.001 | Binary Padding | Gelsemium can use junk code to hide functions and evade detection.[1] |
| enterprise | T1027.011 | Fileless Storage | Gelsemium can store its components in the Registry.[1] |
| enterprise | T1057 | Process Discovery | Gelsemium can enumerate running processes.[1] |
| enterprise | T1055 | Process Injection | - |
| enterprise | T1055.001 | Dynamic-link Library Injection | Gelsemium has the ability to inject DLLs into specific processes.[1] |
| enterprise | T1012 | Query Registry | Gelsemium can open random files and Registry keys to obscure malware behavior from sandbox analysis.[1] |
| enterprise | T1620 | Reflective Code Loading | Gelsemium can use custom shellcode to map embedded DLLs into memory.[1] |
| enterprise | T1518 | Software Discovery | - |
| enterprise | T1518.001 | Security Software Discovery | Gelsemium can check for the presence of specific security products.[1] |
| enterprise | T1082 | System Information Discovery | Gelsemium can determine the operating system and whether a targeted machine has a 32- or 64-bit architecture.[1] |
| enterprise | T1033 | System Owner/User Discovery | Gelsemium has the ability to distinguish between a standard user and an administrator on a compromised host.[1] |
| enterprise | T1497 | Virtualization/Sandbox Evasion | Gelsemium can use junk code to generate random activity to obscure malware behavior.[1] |

References