Security Experts:

Connect with us

Hi, what are you looking for?


Endpoint Security

Sophisticated HiddenWasp Malware Targets Linux

A recently uncovered piece of sophisticated malware targeting Linux provides attackers with remote control of the infected systems, Intezer’s security researchers have discovered. 

A recently uncovered piece of sophisticated malware targeting Linux provides attackers with remote control of the infected systems, Intezer’s security researchers have discovered. 

Called HiddenWasp, the threat is active and enjoys zero-detection rate in all major anti-virus systems, the researchers say. The threat appears to be used in targeted attacks on victims who went through heavy reconnaissance or are already compromised by the attackers. 

While most of HiddenWasp’s code is unique, Intezer noticed that the malware authors used chunks of code from publicly available repositories, including the Mirai botnet and the Azazel rootkit, and that the threat shows similarities with Chinese malware families. 

Just as the Winnti Linux variants that Chronicle detailed recently, the malware is composed of a user-mode rootkit, a Trojan, and an initial deployment script. 

The script, which appears to have been built for testing purposes, is used to achieve persistence by defining a new user on the system and to update older variants if the system was already compromised. Next, the script downloads an archive that contains the rootkit, the Trojan, and the initial deployment script. 

After malware components have been installed, the Trojan is executed and the rootkit is added to the LD_PRELOAD mechanism. Moreover, various environment variables are set and the script attempts to make the Trojan persistent by adding it to /etc/rc.local.

The analysis revealed that some of the environment variables in the malware are taken from open-source rootkit Azazel. HiddenWasp’s rootkit also revealed the use of an algorithm similar to one used in the past by Mirai, suggesting that code from this malware was used as well. 

The rootkit was mainly designed to implement artifact hiding mechanisms and a hidden TCP connection. 

The Trojan shows code connections with ChinaZ’s Elknot implant and other ChinaZ malware, suggesting that the HiddenWasp author might have used implementations shared on Chinese hacking forums, Intezer notes. 

When executed, the Trojan retrieves its configuration, decodes it, and then attempts to change the default location of the dynamic linker’s LD_PRELOAD path. Next, it deploys a thread to enforce the rootkit’s installation using the new LD_PRELOAD path, and also hides its session. 

The security researchers also discovered some artifacts that belong to Chinese open-source rootkit for Linux Adore-ng and suggest that the HiddenWasp targeted systems might have been previously compromised with some variant of this open-source rootkit. 

“This finding may imply that the target systems this malware is aiming to intrude may be already known compromised targets by the same group or a third party that may be collaborating with the same end goal of this particular campaign,” Intezer notes. 

Related: Researchers Analyze the Linux Variant of Winnti Malware

Related: Linux Miner Removes Competing Malware From Infected Systems

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.


Cybersecurity firm Group-IB is raising the alarm on a newly identified advanced persistent threat (APT) actor targeting government and military organizations in Asia and...