HiddenWasp- A Undetectable Malware Targets Linux System

Linux Malware
Linux Malware

A Security firm Intezer discovered a new, sophisticated malware named “HiddenWasp”, targeting Linux systems.

HiddenWasp malware is composed three dangerous components, such as Rootkit, Trojan and malicious script.

HiddenWasp server hosted in HongKong based company. The command of the Malware is automated.

Following system are working as threat actors.

  • Local Filesystem Manipulation – The engine can be used to upload all kinds of file to the victim hosts or hijack any user data, including both personal and system information. This is particularly worrying as this can be used to lead to crimes such as financial theft and identity theft.
  • Command Execution – The main engine can automatically launch all kinds of commands including ones with root permissions if such a security bypass is included.
  • Additional Payload Delivery – The made infections can be used to install and launch other malware including ransomware and cryptocurrency miners.
  • Trojan Operations –The HiddenWasp Linux malware can be used to take over control of the affected computers.

HiddenWasp Malware is undetectable on VirusTotal platform. See the following image.

Hiddenwasp Undetected
Image by Intezer – VirusTotal

When the researchers have spotted these undetected files in VirusTotal it seemed that among the uploaded artifacts there was a bash script along with a trojan implant binary.

Hiddenwasp Undetected Script
Hiddenwasp Undetected Script- Image by Intezer

• The malware is still active and has a zero-detection rate in all major anti-virus systems.

• Unlike common Linux malware, HiddenWasp is not focused on crypto-mining or DDoS activity. It is a trojan purely used for targeted remote control.

• Evidence shows in high probability that the malware is used in targeted attacks for victims who are already under the attacker’s control, or have gone through a heavy reconnaissance.

• HiddenWasp authors have adopted a large amount of code from various publicly available open-source malware, such as Mirai and the Azazel rootkit. In addition, there are some similarities between this malware and other Chinese malware families, however the attribution is made with low confidence.

Prevention

In addition, in order to check if your system is infected, you can search for “ld.so” files — if any of the files do not contain the string ‘/etc/ld.so.preload’, your system may be compromised. This is because the trojan implant will attempt to patch instances of ld.so in order to enforce the LD_PRELOAD mechanism from arbitrary locations.

Conclusion

Linux malware may introduce new challenges for the security community that we have not yet seen in other platforms. The fact that this malware manages to stay under the radar should be a wake up call for the security industry to allocate greater efforts or resources to detect these threats.

For the latest update about Cyber and Infosec World, follow us on Twitter, Facebook, Telegram , Instagram and subscribe to our YouTube Channel.

Subscribe to HackersOnlineClub via Email

Enter your Email address to receive notifications of Latest Posts by Email | Join over Million Followers

More from Priyanshu Sahay

Mozilla Thunderbird Fixes Buffer Overflow Vulnerability

Mozilla released new version of Thunderbird 60.7.1 email client for Windows, Linux...
Read More

Leave a Reply