Sophisticated HiddenWasp Malware Targets Linux

A recently uncovered piece of sophisticated malware targeting Linux provides attackers with remote control of the infected systems, Intezer’s security researchers have discovered. 

Called HiddenWasp, the threat is active and has a zero-detection rate across all major anti-virus engines, the researchers say. It appears to be used in targeted attacks against victims who have either undergone heavy reconnaissance or have already been compromised by the attackers. 

While most of HiddenWasp’s code is unique, Intezer noticed that the malware authors used chunks of code from publicly available repositories, including the Mirai botnet and the Azazel rootkit, and that the threat shows similarities with Chinese malware families. 

Like the Winnti Linux variants that Chronicle detailed recently, the malware is composed of a user-mode rootkit, a Trojan, and an initial deployment script. 

The script, which appears to have been built for testing purposes, achieves persistence by adding a new user to the system and updates older variants if the system has already been compromised. It then downloads an archive containing the rootkit, the Trojan, and the initial deployment script. 

Once the malware components are installed, the Trojan is executed and the rootkit is added to the LD_PRELOAD mechanism. Various environment variables are set, and the script attempts to make the Trojan persistent by adding it to /etc/rc.local.

The analysis revealed that some of the environment variables used by the malware are taken from the open-source Azazel rootkit. HiddenWasp's rootkit also uses an algorithm similar to one seen in Mirai, suggesting that code from that malware was reused as well. 

The rootkit was mainly designed to implement artifact hiding mechanisms and a hidden TCP connection. 

The Trojan shows code connections with ChinaZ’s Elknot implant and other ChinaZ malware, suggesting that the HiddenWasp author might have used implementations shared on Chinese hacking forums, Intezer notes. 

When executed, the Trojan retrieves its configuration, decodes it, and then attempts to change the default location of the dynamic linker’s LD_PRELOAD path. Next, it deploys a thread to enforce the rootkit’s installation using the new LD_PRELOAD path, and also hides its session. 
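The two persistence mechanisms described above (the rootkit registered through LD_PRELOAD, the Trojan added to /etc/rc.local, and the Trojan's attempt to change where the dynamic linker looks for its preload file) are the places a defender can audit on a Linux host. The following is an added example written for this article, not Intezer's tooling; the allow-list of known preloaded objects and the sample inputs in the test are assumptions, and the loader check relies on stock glibc embedding the literal string `/etc/ld.so.preload`.

```python
"""Audit the persistence points named in the HiddenWasp write-up: the LD_PRELOAD
mechanism (preload file, process environments, loader path) and /etc/rc.local."""
import glob
import os
from typing import List, Optional

PRELOAD_FILE = "/etc/ld.so.preload"
RC_LOCAL = "/etc/rc.local"
KNOWN_PRELOADS = {"libfakeroot-sysv.so"}  # allow-list; an assumption, tune to your baseline

def preload_entries(text: str) -> List[str]:
    """Non-empty, non-comment lines of an ld.so.preload file."""
    lines = (l.strip() for l in text.splitlines())
    return [l for l in lines if l and not l.startswith("#")]

def suspicious_preloads(text: str) -> List[str]:
    """Preloaded objects not on the allow-list: a user-mode rootkit lives here."""
    return [p for p in preload_entries(text)
            if os.path.basename(p) not in KNOWN_PRELOADS]

def ld_preload_from_environ(environ_blob: bytes) -> Optional[str]:
    """/proc/<pid>/environ is NUL-separated KEY=VALUE pairs; return LD_PRELOAD."""
    for item in environ_blob.split(b"\0"):
        if item.startswith(b"LD_PRELOAD="):
            return item.split(b"=", 1)[1].decode(errors="replace")
    return None

def linker_preload_path_intact(linker_bytes: bytes) -> bool:
    """Stock glibc ld.so embeds '/etc/ld.so.preload'; a patched loader does not."""
    return PRELOAD_FILE.encode() in linker_bytes

def rc_local_commands(text: str) -> List[str]:
    """Boot-time commands in rc.local (a stock file runs nothing, so review each)."""
    cmds = [l.strip() for l in text.splitlines()]
    return [c for c in cmds if c and not c.startswith("#") and c != "exit 0"]

if __name__ == "__main__":  # audit the live host; needs root to read all environs
    if os.path.exists(PRELOAD_FILE):
        print("ld.so.preload:", suspicious_preloads(open(PRELOAD_FILE).read()))
    if os.path.exists(RC_LOCAL):
        print("rc.local:", rc_local_commands(open(RC_LOCAL).read()))
    for ld in glob.glob("/lib*/ld-linux*.so*") + glob.glob("/lib*/*/ld-linux*.so*"):
        print(ld, "intact:", linker_preload_path_intact(open(ld, "rb").read()))
    for env in glob.glob("/proc/[0-9]*/environ"):
        try:  # a process may exit mid-scan, or be unreadable without root
            val = ld_preload_from_environ(open(env, "rb").read())
            if val:
                print(env.split("/")[2], "LD_PRELOAD =", val)
        except OSError:
            pass
```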

The security researchers also discovered artifacts belonging to Adore-ng, a Chinese open-source rootkit for Linux, and suggest that the systems targeted by HiddenWasp might have previously been compromised with some variant of that rootkit. 

“This finding may imply that the target systems this malware is aiming to intrude may be already known compromised targets by the same group or a third party that may be collaborating with the same end goal of this particular campaign,” Intezer notes. 

Related: Researchers Analyze the Linux Variant of Winnti Malware

Related: Linux Miner Removes Competing Malware From Infected Systems

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
