A new, sophisticated and unique Linux malware dubbed HiddenWasp is being used in targeted attacks against victims who are already under attack or have already been subjected to heavy reconnaissance.
HiddenWasp is a newly discovered malware strain targeting Linux systems. It is highly sophisticated and went undetected; it is still active and has a zero-detection rate. It adopts a large amount of code from publicly available malware such as Mirai and the Azazel rootkit.
The malware gives the threat actors the following capabilities:
- Local Filesystem Manipulation – The engine can be used to upload any kind of file to the victim host or to hijack any user data, including both personal and system information. This is particularly worrying because it can lead to crimes such as financial theft and identity theft.
- Command Execution – The main engine can automatically launch any kind of command, including commands with root permissions if such a security bypass is included.
- Additional Payload Delivery – The infections can be used to install and launch other malware, including ransomware and cryptocurrency miners.
- Trojan Operations – The HiddenWasp Linux malware can be used to take over control of the affected computers.
How does HiddenWasp attack Linux machines?
The first step of a HiddenWasp infection is the execution of an initial deployment script. The script uses a user named ‘sftp’ with a hardcoded password and cleans the system to eradicate older versions of the malware in case the machine was already infected.
It then downloads an archive from the server that contains all the components, including the rootkit and the trojan. The script also attempts to add the trojan binary to /etc/rc.local so that it keeps running after a reboot.
The rootkit shares many similarities with the open-source rootkit Azazel. It also shares strings with Chinese malware, the Adore-ng rootkit, and the Mirai malware. As for the capabilities of this stealthy Linux malware, it can run commands on the terminal, execute files, download more scripts, and so on.
However, security researchers still don’t know the actual infection vector; they suspect that the malware is deployed on systems already controlled by the attackers. In other words, HiddenWasp appears to be used as a secondary payload.
How to mitigate these risks
- Prevention: block the command-and-control IP addresses detailed in the IOCs section;
- Response: run the YARA rule against in-memory artifacts in order to detect these implants.
In addition, to check whether your system is infected, search for ld.so files: if any of them does not contain the string ‘/etc/ld.so.preload’, your system may be compromised. This is because the trojan implant attempts to patch instances of ld.so in order to enforce the LD_PRELOAD mechanism from arbitrary locations.
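A shell script that performs this ld.so check, added here as an example and not part of the original article; the loader file-name patterns and the use of GNU grep's -a flag are assumptions about typical glibc systems.

```shell
#!/bin/sh
# Added example, not from the original article: locate the glibc dynamic
# loaders on a host and flag any copy that no longer contains the string
# "/etc/ld.so.preload", the tampering the article describes. Loader file
# name patterns and the grep -a flag are assumptions about glibc/GNU systems.

PRELOAD_STR='/etc/ld.so.preload'

# List candidate loader binaries under a root directory (default "/").
# -xdev keeps find on one filesystem so a chroot or mount can be scanned alone.
find_loaders() {
  find "${1:-/}" -xdev -type f \
    \( -name 'ld-linux*.so*' -o -name 'ld-2.*.so' \) 2>/dev/null
}

# Exit status: 0 = string present (looks intact), 1 = string missing
# (matches the described patching), 2 = file unreadable.
check_loader() {
  [ -r "$1" ] || return 2
  # -a treats the ELF binary as text, -F matches the literal string
  grep -a -q -F "$PRELOAD_STR" "$1" || return 1
  return 0
}

# Scan every loader under the given root; exit 1 if any looks patched.
# Loader paths contain no whitespace, so word-splitting the list is safe.
scan_loaders() {
  rc=0
  for f in $(find_loaders "${1:-/}"); do
    if check_loader "$f"; then
      printf 'OK       %s\n' "$f"
    else
      printf 'SUSPECT  %s (no "%s" string, or unreadable)\n' "$f" "$PRELOAD_STR"
      rc=1
    fi
  done
  return "$rc"
}

# Usage: sh ldso_check.sh --scan [root]
case "${1:-}" in
  --scan) scan_loaders "${2:-/}" ;;
esac
```

Run it as root so every loader is readable; a SUSPECT line is a cue for the memory-based YARA response above, not proof of infection on its own.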