A recently uncovered piece of sophisticated malware targeting Linux provides attackers with remote control of the infected systems, Intezer’s security researchers have discovered.
Called HiddenWasp, the threat is active and had a zero detection rate across all major anti-virus engines at the time of analysis, the researchers say. It appears to be used in targeted attacks against victims who have already been through heavy reconnaissance or have already been compromised by the attackers.
While most of HiddenWasp’s code is unique, Intezer noticed that the malware authors used chunks of code from publicly available repositories, including the Mirai botnet and the Azazel rootkit, and that the threat shows similarities with Chinese malware families.
Like the Winnti Linux variants that Chronicle detailed recently, the malware is composed of a user-mode rootkit, a Trojan, and an initial deployment script.
The script, which appears to have been built for testing purposes, is used to achieve persistence by defining a new user on the system and to update older variants if the system was already compromised. Next, the script downloads an archive that contains the rootkit, the Trojan, and the initial deployment script.
Once the components have been installed, the Trojan is executed and the rootkit is registered through the LD_PRELOAD mechanism. The script also sets several environment variables and attempts to make the Trojan persistent by adding it to /etc/rc.local.
The analysis revealed that some of the environment variables used by the malware are taken from the open-source Azazel rootkit. HiddenWasp’s rootkit also uses an algorithm similar to one previously seen in Mirai, suggesting that code from that malware was reused as well.
The rootkit was mainly designed to implement artifact hiding mechanisms and a hidden TCP connection.
The Trojan shows code connections with ChinaZ’s Elknot implant and other ChinaZ malware, suggesting that the HiddenWasp author might have used implementations shared on Chinese hacking forums, Intezer notes.
When executed, the Trojan retrieves its configuration, decodes it, and then attempts to change the default location of the dynamic linker’s LD_PRELOAD path. It then spawns a thread that enforces the rootkit’s installation via the new LD_PRELOAD path, and it also hides its own session.
The researchers also discovered artifacts belonging to the Chinese open-source Linux rootkit Adore-ng, and suggest that the systems targeted by HiddenWasp might have been previously compromised with some variant of that rootkit.
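The persistence points described above (the LD_PRELOAD preload file, the dynamic linker’s hard-coded path to it, and /etc/rc.local autostart entries) can be audited from the defender’s side. The following is an added example, not code from Intezer or from the malware; file contents and paths in it are constructed samples, not indicators from the report.

```python
# Added example (not from the article or Intezer): audit the persistence
# points described above. Inputs are constructed samples, not real IoCs.
import re

TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")
STOCK_PRELOAD_PATH = b"/etc/ld.so.preload"
# Commands launched from world-writable or hidden (dot-named) directories.
ODD_PATH = re.compile(r"(^|\s)(/tmp/|/var/tmp/|/dev/shm/|\S*/\.\S+)")

def suspicious_preload_entries(preload_text: str) -> list[str]:
    """Entries in /etc/ld.so.preload that live outside standard library dirs."""
    hits = []
    for line in preload_text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry and not entry.startswith(TRUSTED_LIB_DIRS):
            hits.append(entry)
    return hits

def linker_preload_path_patched(linker_bytes: bytes) -> bool:
    """True when the dynamic linker no longer embeds the stock preload path,
    i.e. something may have redirected it to a file of its own choosing."""
    return STOCK_PRELOAD_PATH not in linker_bytes

def suspicious_rc_local_lines(rc_text: str) -> list[str]:
    """Autostart commands in /etc/rc.local that run from odd locations."""
    hits = []
    for line in rc_text.splitlines():
        cmd = line.split("#", 1)[0].strip()
        if cmd and ODD_PATH.search(cmd):
            hits.append(cmd)
    return hits

def audit(preload_text: str, rc_text: str, linker_bytes: bytes) -> dict:
    """Run all three checks; an empty dict means nothing was flagged."""
    findings = {}
    if (p := suspicious_preload_entries(preload_text)):
        findings["ld.so.preload"] = p
    if linker_preload_path_patched(linker_bytes):
        findings["linker"] = "stock /etc/ld.so.preload path missing"
    if (r := suspicious_rc_local_lines(rc_text)):
        findings["rc.local"] = r
    return findings

if __name__ == "__main__":
    # Constructed samples standing in for the real files on a host.
    preload = "/usr/lib/libgtk.so\n/var/tmp/.x/librootkit.so\n"
    rc = "#!/bin/sh -e\n/usr/sbin/sshd\n/var/tmp/.x/agent &\nexit 0\n"
    linker = b"\x7fELF...ld.so.cache.../var/tmp/.x/preload\x00..."
    print(audit(preload, rc, linker))
```

On a live host, feed it the contents of /etc/ld.so.preload, /etc/rc.local and the bytes of the system’s ld.so; a missing stock path string in the linker is a strong signal that it has been tampered with, while the path heuristics are only a starting point for triage.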
“This finding may imply that the target systems this malware is aiming to intrude may be already known compromised targets by the same group or a third party that may be collaborating with the same end goal of this particular campaign,” Intezer notes.