A new strain of malware targeting Linux systems has been identified by researchers. The malware, dubbed HiddenWasp, is believed to be used as part of a second-stage attack against already-compromised systems and is composed of a rootkit, trojan and deployment script.
“The ratio of Linux threats has increased significantly over the years” said Nacho Sanmillan, a security researcher at Intezer Labs who analyzed the malware. “However, the majority of [Linux] malware is either tied to IoT, DDoS bots or cryptominers.”
Sanmillan said what is unique about HiddenWasp is some of the evasion techniques it implements and that it contains a rootkit used to hide the main trojan implant. “Rootkits are not artifacts commonly seen deployed along with simple Linux malware.”
The researcher told Threatpost that he believes HiddenWasp is being used in targeted attacks. “The main reason we think the malware is used in targeted attacks is because there is no clear return on investment when it comes to deploying such implants, in contrast with other Linux malware types such as coinminers or DDoS bots. The only purpose of this malware is to remotely control a given set of systems, probably known beforehand,” he said.
The malware was found by Sanmillan as undetected files on VirusTotal in April 2019. The files were originally uploaded by a China-based forensics company, Shen Zhou Wang Yun Information Technology Co., with timestamps dating back to November 2018.
“The role of this company is not clear. But the threat was completely undetected until we reported it,” Sanmillan told Threatpost. “There are some similarities between this malware and other Chinese malware families, however the attribution is made with low confidence.”
According to the researcher’s blog post analyzing the malware, posted Thursday, the malware is still active and has a “zero-detection rate in all major anti-virus systems.”
The analysis of the code revealed malware authors borrowed some code from open-source malware variants of Mirai and the Azazel rootkit. However, the majority of the code was unique. The malware also shared similarities with the recent Winnti Linux variants reported by researchers at Chronicle.
Researchers said that despite borrowing code and heuristics from other malware samples, HiddenWasp has managed to go undetected on VirusTotal and by Linux-based security software.
Researchers dubbed the malware HiddenWasp for two reasons. One is the way the rootkit and the trojan communicate with each other: through an environment variable called “I_AM_HIDDEN”. This is used to “serialize the trojan’s session for the rootkit to apply evasion mechanisms on any other sessions.”
The “Wasp” moniker refers to the sting of the attack.
“The fact that this malware manages to stay under the radar should be a wake up call for the security industry to allocate greater efforts or resources to detect these threats,” Sanmillan wrote.
For mitigation, the researchers recommend blocking the command-and-control IP addresses listed in the indicators of compromise (IOC) section of the Intezer report. They have also provided a YARA rule intended to be run against in-memory artifacts to detect the implants.
“In addition, in order to check if your system is infected, you can search for ‘ld.so’ files — if any of the files do not contain the string ‘/etc/ld.so.preload’, your system may be compromised. This is because the trojan implant will attempt to patch instances of ld.so in order to enforce the LD_PRELOAD mechanism from arbitrary locations,” Sanmillan said.
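The two host-side checks the article describes, the ld.so string test above and a look for the I_AM_HIDDEN environment variable the rootkit and trojan use to recognise each other, written out as a shell script. This is an added example, not code from Intezer or from the Threatpost article. The loader files and /proc entries it builds under a temporary directory are constructed stand-ins (a real ld.so is an ELF binary, not a text stub), and the substitute path /opt/example/ld.so.preload in the "patched" fixture is invented for illustration; the function and file names are the example's own.

```shell
#!/bin/sh
# Added example (not from the Intezer report or the Threatpost article).
# Two host checks drawn from the indicators described in the article:
#   1. every ld.so on disk should still contain the literal string
#      "/etc/ld.so.preload"; a loader patched to read the preload list from
#      elsewhere will not.
#   2. processes whose environment carries I_AM_HIDDEN, the variable the
#      rootkit and trojan use to recognise each other.
# The fixture built by make_sample_tree is constructed: text stubs stand in
# for real loaders and fake /proc entries stand in for real processes; the
# path /opt/example/ld.so.preload is invented for illustration.

# check_ld_so FILE  -> 0 if FILE contains "/etc/ld.so.preload", 1 otherwise
check_ld_so() {
    grep -q -a -F '/etc/ld.so.preload' "$1"
}

# scan_loaders ROOT  -> prints one verdict per loader found under ROOT
# (default /), returns 0 only if none is suspect. -type f skips the usual
# ld-linux*.so.2 symlink and checks the regular file it points to.
scan_loaders() {
    root="${1:-/}"
    bad=0
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        if check_ld_so "$f"; then
            echo "ok       $f"
        else
            echo "SUSPECT  $f (no /etc/ld.so.preload string)"
            bad=$((bad + 1))
        fi
    done <<EOF
$(find "$root" -type f \( -name 'ld.so' -o -name 'ld-*.so*' \) 2>/dev/null)
EOF
    [ "$bad" -eq 0 ]
}

# scan_environ PROC  -> prints the PIDs under PROC (default /proc) whose
# environ contains I_AM_HIDDEN, returns 0 only if none does.
# environ is NUL-separated, so it is split into lines with tr first.
scan_environ() {
    proc="${1:-/proc}"
    bad=0
    for d in "$proc"/[0-9]*; do
        [ -r "$d/environ" ] || continue
        if tr '\0' '\n' < "$d/environ" 2>/dev/null | grep -q '^I_AM_HIDDEN='; then
            echo "SUSPECT  pid ${d##*/} has I_AM_HIDDEN in its environment"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# make_sample_tree DIR  -> constructed fixture: one clean loader, one
# "patched" loader with the string replaced, and two fake /proc entries,
# only one of which carries the marker variable.
make_sample_tree() {
    mkdir -p "$1/clean/lib64" "$1/patched/lib64" "$1/proc/100" "$1/proc/200"
    printf 'ELF stub ... /etc/ld.so.preload ... end\n' \
        > "$1/clean/lib64/ld-linux-x86-64.so.2"
    printf 'ELF stub ... /opt/example/ld.so.preload ... end\n' \
        > "$1/patched/lib64/ld-linux-x86-64.so.2"
    printf 'PATH=/usr/bin\0HOME=/root\0' > "$1/proc/100/environ"
    printf 'PATH=/usr/bin\0I_AM_HIDDEN=1\0' > "$1/proc/200/environ"
}

# demo: build the fixture in a temp dir, run both scans on it, clean up.
demo() {
    t=$(mktemp -d)
    make_sample_tree "$t"
    scan_loaders "$t" || true
    scan_environ "$t/proc" || true
    rm -rf "$t"
}

# `sh hiddenwasp_check.sh demo` runs the fixture; on a live host, source the
# file and run:  scan_loaders / ; scan_environ /proc
case "${1:-}" in demo) demo ;; esac
```

Because the rootkit is LD_PRELOAD-based, dynamically linked tools on an infected host may have their view of the filesystem and process list filtered. Run these checks from a statically linked shell, from a rescue image with the disk mounted, or against a forensic copy, and treat a clean result on a live host as weaker evidence than a hit.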