HiddenWasp Linux Malware identified
A new strain of malware targeting Linux systems has been identified by researchers. HiddenWasp is believed to be used as part of a second-stage attack against already compromised systems and is composed of a rootkit, a trojan and a deployment script. The share of Linux threats has increased significantly over the years. However, the majority of Linux malware is tied to IoT, DDoS bots or cryptominers. What's unique about HiddenWasp is some of the evasion techniques used in the malware and the fact that it contains a rootkit used to hide the main trojan implant. Rootkits are not artifacts commonly seen deployed alongside simple Linux malware.
Nacho Sanmillan, a security researcher at Intezer Labs, said that he believes HiddenWasp is being used in targeted attacks. The malware is being used in targeted attacks because there is no clear return on investment when it comes to deploying such implants, in contrast with other Linux malware types such as coinminers or DDoS bots. The only purpose of this malware is to remotely control a given set of systems, probably known beforehand.
The malware was found by Sanmillan as undetected files on VirusTotal in April 2019. The files were originally uploaded by a Chinese-based forensic company, Shen Zhou Wang Yun Information Technology Co., with timestamps dating back to November 2018. The role of the company is not clear, but the threat was completely undetected until it was reported by Sanmillan. There are some similarities between this malware and other Chinese malware families; however, the attribution is made with low confidence.
The malware is still active and has a zero detection rate in all major anti-virus systems. The analysis of the code revealed malware authors borrowed some code from open-source malware variants of Mirai and the Azazel rootkit. The malware also shared similarities with the recent Winnti Linux variants reported by researchers at Chronicle. Researchers said that despite borrowing code and heuristics from other malware samples, HiddenWasp has managed to go undetected by Linux-based security software.
Researchers call the malware HiddenWasp for two reasons. One is the way the rootkit and the trojan communicate with each other, using an environment variable called I_AM_HIDDEN. This is used to serialize the trojan's session so that the rootkit can apply evasion mechanisms to any other sessions. Wasp refers to the sting of the attack. The fact that this malware manages to stay under the radar should be a wake-up call for the security industry to allocate greater effort and resources to detecting these threats.
Researchers recommend blocking known command-and-control IP addresses. In addition, to check whether your system is infected, you can search for ld.so files and check whether any of them do not contain the string /etc/ld.so.preload. If one does not, your system may be compromised, because the trojan will attempt to patch instances of ld.so to enforce the LD_PRELOAD mechanism from arbitrary locations.
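As an added example (not Intezer's own tooling), the check above as a POSIX shell script: it scans the loader paths common on Linux distributions, which are assumed here and may need adjusting, and flags any ld.so binary that no longer references /etc/ld.so.preload.

```shell
#!/bin/sh
# Added example, not code from the original article. The article states that
# HiddenWasp patches ld.so so that LD_PRELOAD is honoured from arbitrary
# locations; a dynamic loader that no longer contains the string
# "/etc/ld.so.preload" is therefore suspicious and worth a closer look.

# Return 0 if the given file still references the default preload path,
# 1 if the string is absent. grep -a treats the ELF binary as text.
ld_so_references_preload() {
    grep -aq '/etc/ld.so.preload' "$1"
}

# Scan the usual loader locations (assumed paths; adjust for your distro).
# Prints one line per loader found and exits with the number of suspects.
scan_loaders() {
    suspicious=0
    for f in /lib/ld-*.so* /lib64/ld-*.so* /lib/*/ld-*.so* \
             /usr/lib/ld-*.so* /usr/lib64/ld-*.so* /usr/lib/*/ld-*.so*; do
        # Unmatched globs stay literal; skip those and skip symlinks so
        # each real loader file is inspected once.
        [ -f "$f" ] || continue
        [ -L "$f" ] && continue
        if ld_so_references_preload "$f"; then
            printf 'ok       %s\n' "$f"
        else
            printf 'SUSPECT  %s (no /etc/ld.so.preload reference)\n' "$f" >&2
            suspicious=$((suspicious + 1))
        fi
    done
    return "$suspicious"
}

# When run directly, report; a non-zero count means investigate further.
scan_loaders || printf '%s loader file(s) flagged\n' "$?" >&2
```

A flagged loader is an indicator, not proof: compare its hash against the package manager's record (e.g. the distro's package verification) before acting.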