A new breed of malware has been discovered targeting Linux systems. Known as HiddenWasp, the malware is believed to have been developed by Chinese hackers to remotely infect computers.
The name HiddenWasp comes from two things. First, the environment variable that the rootkit and the Trojan use to communicate is called ‘I_AM_HIDDEN’. Second, ‘Wasp’ comes from the idea that the sting of the attack is critical.
“The fact that this malware manages to stay under the radar should be a wake-up call for the security industry to allocate greater efforts or resources to detect these threats.”
The malware consists of a Trojan, a user-mode rootkit, and a deployment script. It targets systems that have already been compromised, and it relies heavily on targeted remote control.
According to Nacho Sanmillan, a security researcher at Intezer, the malware's path links it to a Chinese forensics firm, Shen Zhou Wang Yun Information Technology Co., Ltd. Additionally, the servers hosting the malware belong to a Hong Kong-based company, ThinkDream.
Sanmillan called the malware unique because, unlike other Linux malware strains, it is built with evasion techniques: HiddenWasp uses a rootkit to hide the Trojan.
Sanmillan stated in their blog post:
“We have discovered further undetected Linux malware that appear to be enforcing advanced evasion techniques with the use of rootkits to leverage Trojan-based implants.”
The script contains the credentials of a user named ‘sftp’; this user was created for initial persistence on the compromised system. When the script is run, it cleans the computer, thereby updating any older variants of the malware. Next, the script downloads a tar archive holding the malware's components: the rootkit, the Trojan, and the initial deployment script. Once extracted, the Trojan is executed. Finally, the script installs reboot persistence for the Trojan binary.
Additionally, HiddenWasp contains code belonging to other Linux malware, such as the open-source rootkit Azazel and the ChinaZ malware.
At the time of writing, the malware is still active and most anti-virus products have a zero-detection rate for it. To check whether your system is infected, it is suggested that
“you can search for ‘ld.so’ files — if any of the files do not contain the string ‘/etc/ld.so.preload’, your system may be compromised. This is because the trojan implant will attempt to patch instances of ld.so in order to enforce the LD_PRELOAD mechanism from arbitrary locations.”
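The check quoted above, written out as a POSIX shell function. This is an added example, not code from the article, from Intezer or from LIFARS: it finds dynamic-loader files (names matching `ld-*.so*` or `ld.so`, an assumed pattern that covers glibc loaders such as ld-linux-x86-64.so.2 and ld-2.31.so) under the given directories and flags any that no longer contain the literal string `/etc/ld.so.preload`. The fixture directory and its two fake loader files are constructed for the demonstration so that the script runs offline.

```shell
#!/bin/sh
# Added example (not from the article, Intezer or LIFARS): flag dynamic-loader
# files that no longer contain the string '/etc/ld.so.preload'. A glibc loader
# normally carries that string because it reads the file at startup; the quoted
# advice is that a loader missing it may have been patched.
#
# check_ldso [DIR...]   (defaults to /lib /lib64 /usr/lib when no DIR is given)
#   exit status 0: every loader found still references /etc/ld.so.preload
#   exit status 1: at least one loader lacks the string (printed as SUSPECT)
#   exit status 2: no loader file was found under the given directories
check_ldso() {
    [ $# -gt 0 ] || set -- /lib /lib64 /usr/lib
    list=$(mktemp)
    # Assumed loader name patterns: ld-linux-x86-64.so.2, ld-2.31.so,
    # ld-linux-aarch64.so.1, and the historic plain 'ld.so'. -type f skips
    # symlinks so each real loader file is examined once.
    find "$@" -type f \( -name 'ld-*.so*' -o -name 'ld.so' \) 2>/dev/null > "$list"
    if [ ! -s "$list" ]; then
        echo "no ld.so files found under: $*"
        rm -f "$list"
        return 2
    fi
    bad=0
    # Read the list from the temp file instead of piping find into the loop,
    # so 'bad' is set in this shell rather than in a pipeline subshell.
    while read -r f; do
        # -q: exit status only (stays quiet on binary files); -F: literal string
        if grep -q -F '/etc/ld.so.preload' "$f"; then
            echo "ok       $f"
        else
            echo "SUSPECT  $f  (no /etc/ld.so.preload string; loader may be patched)"
            bad=1
        fi
    done < "$list"
    rm -f "$list"
    return $bad
}

# Constructed fixture so the example runs offline: two fake loader files (plain
# text, not real ELF binaries). One keeps the expected string, one has it replaced.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/lib64" "$root/lib"
    printf 'fake loader %s\n' '/etc/ld.so.preload' > "$root/lib64/ld-linux-x86-64.so.2"
    printf 'fake loader %s\n' '/constructed/other/path' > "$root/lib/ld-2.31.so"
    echo "$root"
}

# Demonstration on the fixture; on a real host call check_ldso with no arguments
# or with the library directories you want scanned.
fixture=$(make_fixture)
if check_ldso "$fixture"; then
    echo "result: all loaders intact"
else
    echo "result: suspicious loader(s) found"
fi
rm -rf "$fixture"
```

A SUSPECT line is a prompt to investigate, not proof of compromise: musl's loader (ld-musl-*.so.1) never implements /etc/ld.so.preload, so Alpine-style systems will always be flagged, and any finding should be confirmed against the package database (for example `rpm -V glibc` or `dpkg --verify libc6`) or a known-good copy of the loader before drawing conclusions. Conversely, a clean result only covers the directories scanned and the file names the pattern matches.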
Contact LIFARS immediately if your systems were compromised.