HiddenWasp, a dangerous malware that affects Linux systems


Security researchers at Intezer Labs have discovered new malware aimed at the Linux ecosystem. The malware, called 'HiddenWasp', is built to remotely control infected Linux systems.

Although this is not unusual, network security specialists point out that the security risks present in Linux systems are not widely enough known.

The main reason is that these types of threats do not receive as much attention as those that affect Windows systems.

HiddenWasp is a threat that needs to be addressed: after analysis, the researchers concluded that it has a detection rate of 0% in the most widely used malware detection systems in the world.

The malware is also built from major parts of the code used in Mirai and the Azazel rootkit.

When the researchers found that these files were not being detected by antivirus products, they noticed that the uploaded files included a bash script along with a binary Trojan implant.

Also, antivirus solutions for Linux tend not to be as robust as on other platforms.

Therefore, attackers targeting Linux systems are less concerned with implementing elaborate evasion techniques, because even when large amounts of code are reused, their threats can remain relatively under the radar.

About Hiddenwasp

HiddenWasp has quite unique characteristics: the malware is still active and has a detection rate of zero across all major antivirus systems.

Unlike common Linux malware, HiddenWasp is not focused on crypto or DDoS activity. It is a purely targeted remote control Trojan.

Evidence suggests a high probability that the malware is used in targeted attacks against victims who are already under the attacker's control, or who have already been through heavy reconnaissance.

The authors of HiddenWasp have adopted a large amount of code from various open source malware available publicly, like Mirai and the Azazel rootkit.

There are also some similarities between this malware and other Chinese malware families, although the attribution is made with low confidence.

In their investigation, the experts found that the script relies on a user named 'sftp' with a fairly strong password.

In addition, the script cleans the system to get rid of previous versions of the malware, in case an infection had already occurred earlier.

Subsequently, an archive containing all the components, including the Trojan and the rootkit, is downloaded from the server to the compromised machine.

The script also adds the Trojan binary to /etc/rc.local so that it keeps running even after a reboot.

Specialists from the International Institute for Cyber Security (IICS) have found several similarities between the HiddenWasp rootkit and the Azazel malware, and it also shares some string fragments with the ChinaZ malware and the Mirai botnet.

"Thanks to HiddenWasp, hackers can run Linux terminal commands, run files, download additional scripts and more," added the experts.

Although the investigation yielded some findings, the experts still do not know the attack vector used to infect Linux systems. One possibility is that the attackers deployed the malware from systems that were already under their control.

"HiddenWasp could be a second stage of another attack," the experts concluded.

How can I prevent it, or know whether my system is compromised?

To check whether a system is infected, look for the "ld.so" files (the dynamic loader). If any of them does not contain the string '/etc/ld.so.preload', the system may be compromised.

This is because the Trojan implant tries to patch the instances of ld.so so that the LD_PRELOAD mechanism can be enforced from arbitrary locations, instead of from /etc/ld.so.preload.
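The following POSIX shell script is an added example, not code from the original article or from Intezer: it implements the loader check described above on the defender's side. It scans candidate loader files (ld.so, ld-linux*.so*, ld-*.so) for the string '/etc/ld.so.preload' and flags any file where the string is missing. The directories to scan and the two demo files it creates are assumptions so that it runs offline; on a real host you would point it at the system's loader directories.

```shell
#!/bin/sh
# Added example (not from the article): report ld.so loaders that no longer
# contain the '/etc/ld.so.preload' string, the HiddenWasp indicator above.

PRELOAD_STR='/etc/ld.so.preload'

# Return 0 if FILE still contains the expected string, 1 if it does not
# (a candidate for tampering), 2 if the file cannot be read.
ld_so_has_preload_string() {
    file="$1"
    [ -r "$file" ] || return 2
    # -F: fixed string, -a: treat the binary as text, -q: no output
    if grep -q -F -a -- "$PRELOAD_STR" "$file"; then
        return 0
    else
        return 1
    fi
}

# Scan each directory given for loader files and print the suspicious ones.
# Returns 1 if at least one suspicious loader was found, 0 otherwise.
scan_ld_so() {
    found=0
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/ld.so "$dir"/ld-linux*.so* "$dir"/ld-*.so; do
            [ -f "$f" ] || continue
            if ! ld_so_has_preload_string "$f"; then
                echo "SUSPICIOUS: $f does not contain $PRELOAD_STR"
                found=1
            fi
        done
    done
    return $found
}

# Constructed demo data (assumption, so the script runs offline): one file that
# looks like an untouched loader and one "patched" loader where the string is
# gone. Neither is a real ELF binary.
DEMO_DIR="$(mktemp -d)"
printf 'ELF loader stub\0%s\0other data\n' "$PRELOAD_STR" > "$DEMO_DIR/ld.so"
printf 'ELF loader stub\0/tmp/.x\0other data\n' > "$DEMO_DIR/ld-linux-x86-64.so.2"

# On a real host, run something like:
#   scan_ld_so /lib /lib64 /lib/x86_64-linux-gnu /usr/lib /usr/lib64
if scan_ld_so "$DEMO_DIR"; then
    echo "no tampered loaders found in $DEMO_DIR"
fi
rm -rf "$DEMO_DIR"
```

A missing string is only an indicator, not proof: compare the flagged file's hash against the package manager's record (for example `rpm -V glibc` or `debsums`) before acting, and remember that a rootkit on the same host can also hide the file from the scan, so checks from a trusted boot medium are more reliable.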

To prevent infection, block the following IP addresses and URLs:

103.206.123[.]13
103.206.122[.]245
http://103.206.123[.]13:8080/system.tar.gz
http://103.206.123[.]13:8080/configUpdate.tar.gz
http://103.206.123[.]13:8080/configUpdate-32.tar.gz

Source: https://www.intezer.com/



Ernest de la Serna said:

    Is the sudo password supposed to be known??? This note is half nonsense.

Claudio Guendelman said:

    I don't know if he worked for an antivirus company, but a TXT or SH file does not come to life on its own. I do not believe anything in this article.