Source: Cyware | By Ryan Stewart
• This new malware is reported to have a zero-detection rate in all antivirus software.
• HiddenWasp is primarily used by threat actors to remotely control compromised Linux systems.
Security researchers from Intezer Labs have uncovered a new malware family targeting the Linux ecosystem. Dubbed ‘HiddenWasp’, the malware was deployed by its creators to remotely control infected Linux systems. It is also built from major parts of the code used in Mirai and the Azazel rootkit. Shockingly, HiddenWasp has a zero-detection rate in all antivirus software under Linux.
The big picture
• In a blog published yesterday, security researcher Ignacio Sanmillan of Intezer Labs detailed a technical analysis carried out by the team. It was found that HiddenWasp’s infrastructure comprises a user-mode rootkit, a trojan, and an initial deployment script.
• HiddenWasp had a similar structure to Linux variants of Winnti, another malware that resurfaced a few days ago. Winnti is used by Chinese state-sponsored hackers.
• The researchers found specific files associated with HiddenWasp on VirusTotal. One of the files contained a bash script that deploys the malware. Once executed, this script downloads a tar-compressed archive containing the three components that make up HiddenWasp.
• The user-mode rootkit reuses most of the code of the Azazel rootkit, as well as an algorithm similar to one found in the Mirai botnet.
• The trojan in HiddenWasp is a statically linked ELF binary linked with stdlibc++. It also shares some code with the Elknot malware, which is known to perform DDoS attacks on Linux systems.
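The article notes that the trojan component is a statically linked ELF binary. One triage check a defender can run over a suspect archive is to parse each ELF's program headers and flag binaries that carry no PT_INTERP or PT_DYNAMIC segment, which is what "statically linked" means at the loader level. The script below is an added example written for this page; it is not code from Intezer Labs, Cyware, or the HiddenWasp analysis. It assumes little-endian ELF64 files (the common x86-64 case), and the two sample images it builds are constructed fixtures with only headers and tiny payloads, not real or loadable binaries.

```python
import struct
import sys

ELF_MAGIC = b"\x7fELF"
PT_LOAD = 1
PT_DYNAMIC = 2
PT_INTERP = 3

def parse_elf64_phdrs(data):
    """Return the program headers of a little-endian ELF64 image as dicts.

    Field offsets follow the ELF64 spec: e_phoff at 0x20, e_phentsize at 0x36,
    e_phnum at 0x38; each Elf64_Phdr is 56 bytes (IIQQQQQQ).
    """
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != 2:
        raise ValueError("only ELF64 is handled here (assumption of this example)")
    endian = "<" if data[5] == 1 else ">"
    e_phoff = struct.unpack_from(endian + "Q", data, 0x20)[0]
    e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 0x36)
    phdrs = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        fields = struct.unpack_from(endian + "IIQQQQQQ", data, off)
        names = ("p_type", "p_flags", "p_offset", "p_vaddr",
                 "p_paddr", "p_filesz", "p_memsz", "p_align")
        phdrs.append(dict(zip(names, fields)))
    return phdrs

def interpreter_path(data):
    """Return the dynamic loader path from PT_INTERP, or None if absent."""
    for ph in parse_elf64_phdrs(data):
        if ph["p_type"] == PT_INTERP:
            raw = data[ph["p_offset"]:ph["p_offset"] + ph["p_filesz"]]
            return raw.split(b"\x00", 1)[0].decode("ascii", "replace")
    return None

def is_statically_linked(data):
    """A binary with neither PT_INTERP nor PT_DYNAMIC needs no dynamic loader."""
    types = {ph["p_type"] for ph in parse_elf64_phdrs(data)}
    return PT_INTERP not in types and PT_DYNAMIC not in types

def triage(data):
    """Summarise the linkage facts an analyst wants at first glance."""
    phdrs = parse_elf64_phdrs(data)
    return {
        "static": is_statically_linked(data),
        "interpreter": interpreter_path(data),
        "load_segments": sum(1 for ph in phdrs if ph["p_type"] == PT_LOAD),
    }

def build_elf64(segments):
    """Construct a minimal little-endian x86-64 ELF64 image for testing.

    `segments` is a list of (p_type, payload_bytes). The result has a valid
    header and program-header table but is a fixture only, not runnable code.
    """
    ehsize, phentsize = 64, 56
    phoff = ehsize
    data_off = phoff + phentsize * len(segments)
    # e_ident: magic, ELFCLASS64, ELFDATA2LSB, EV_CURRENT, SYSV ABI, padding
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8
    header = ident + struct.pack("<HHIQQQIHHHHHH",
                                 2, 62, 1, 0, phoff, 0, 0,
                                 ehsize, phentsize, len(segments), 0, 0, 0)
    phdrs, payload = b"", b""
    for p_type, content in segments:
        off = data_off + len(payload)
        # p_flags=PF_R, p_offset=off, vaddr/paddr 0, filesz=memsz=len, align 1
        phdrs += struct.pack("<IIQQQQQQ", p_type, 4, off, 0, 0,
                             len(content), len(content), 1)
        payload += content
    return header + phdrs + payload

# Constructed fixtures: one dynamically linked layout, one static layout.
DYNAMIC_SAMPLE = build_elf64([
    (PT_INTERP, b"/lib64/ld-linux-x86-64.so.2\x00"),
    (PT_DYNAMIC, b"\x00" * 16),
    (PT_LOAD, b"\x90" * 8),
])
STATIC_SAMPLE = build_elf64([(PT_LOAD, b"\x90" * 8)])

if __name__ == "__main__":
    # Usage: python elf_triage.py <file> [<file> ...]; falls back to fixtures.
    paths = sys.argv[1:]
    if not paths:
        for name, blob in (("dynamic-fixture", DYNAMIC_SAMPLE),
                           ("static-fixture", STATIC_SAMPLE)):
            print(name, triage(blob))
    for path in paths:
        with open(path, "rb") as fh:
            print(path, triage(fh.read()))
```

Static linkage on its own is not evidence of compromise; Go programs, busybox and many installer payloads are static by design. The value of the check is in narrowing a dropped archive to the binaries that deserve a closer look, and in recording the interpreter path for the ones that are dynamic, since a user-mode rootkit that wants to be loaded into every process depends on the dynamic loader being present.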
The blog also argued that more defensive effort should be devoted to Linux malware, given that HiddenWasp went undetected by antivirus solutions.
“Linux malware may introduce new challenges for the security community that we have not yet seen in other platforms. The fact that this malware manages to stay under the radar should be a wake-up call for the security industry to allocate greater efforts or resources to detect these threats,” Sanmillan wrote.