A few days ago, security researchers discovered a new variety of Linux malware. It appears to have been created by Chinese hackers and has been used as a means to remotely control infected systems.
Called HiddenWasp, this malware consists of a user-mode rootkit, a Trojan, and an initial deployment script.
Unlike other malicious programs that run on Linux, the code and the collected evidence show that the infected computers had already been compromised by these same hackers.
The execution of HiddenWasp would therefore be a late stage in this threat's attack chain.
Although the article states that it is not known how many computers were infected or how the earlier steps were carried out, it should be noted that most "backdoor" type programs are installed when the user clicks on an object (a link, an image or an executable file) without realizing that it is a threat.
Social engineering, the technique Trojans rely on to trick victims into installing software packages like HiddenWasp on their computers or mobile devices, could be the approach these attackers adopted to achieve their goals.
In its evasion strategy, the kit uses a bash script accompanied by a binary file. According to Intezer researchers, the files downloaded from VirusTotal have a path that contains the name of a forensics company based in China.
HiddenWasp is made up of three dangerous components: a rootkit, a Trojan, and a malicious script.
The following capabilities are part of the threat:
- Local file system manipulation: the engine can be used to upload all kinds of files to the victim's hosts or to hijack any user information, including personal and system information. This is particularly concerning because it can lead to crimes such as financial theft and identity theft.
- Command execution: the main engine can automatically start all kinds of commands, including those with root permissions, if such a security bypass is included.
- Additional payload delivery: the infection can be used to install and launch other malware, including ransomware and cryptocurrency miners.
- Trojan operations: the HiddenWasp Linux malware can be used to take control of affected computers.
In addition, the malware is reported to be hosted on the servers of a physical server hosting company called Think Dream, located in Hong Kong.
"Linux malware still unknown to other platforms could create new challenges for the security community," wrote Intezer researcher Ignacio Sanmillan in his article.
"The fact that this malicious program manages to stay under the radar should be a red flag for the security industry to dedicate more effort or resources to detect these threats," he said.
Other experts also commented on the matter. Tom Hegel, security researcher at AT&T Alien Labs:
“There are many unknowns, as the pieces of this toolkit have some code/reuse overlaps with various open source tools. However, based on a large pattern of overlap and infrastructure design, in addition to its use in targets, we confidently evaluate the association with Winnti Umbrella.”
Tim Erlin, Vice President, Product Management and Strategy at Tripwire:
“HiddenWasp is not unique in its technology, other than targeting Linux. If you are monitoring your Linux systems for critical file changes, or for new files to appear, or for other suspicious changes, the malware is likely identified as HiddenWasp.”
How do I know my system is compromised?
To check whether your system is infected, look for the "ld.so" files (the dynamic loader). If any of them does not contain the string '/etc/ld.so.preload', your system may be compromised.
This is because the Trojan implant tries to patch instances of ld.so so that the LD_PRELOAD mechanism loads libraries from arbitrary locations instead of the system preload file.
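The check described above, written out as an added POSIX shell example (this is not the Intezer researchers' tooling, nor part of the original article): it greps each dynamic loader binary for the hard-coded path "/etc/ld.so.preload" and flags any instance that lacks it. The loader directories and the `ld-*.so*` file-name pattern are assumptions about a typical glibc layout, and `check_ld_so` is a name chosen here.

```shell
#!/bin/sh
# Added example, not code from the article or from Intezer.
# A stock glibc dynamic loader embeds the literal path "/etc/ld.so.preload";
# a loader that no longer contains it has likely been patched to read its
# preload list from somewhere else, which is the behaviour the article
# attributes to HiddenWasp.

# check_ld_so FILE
#   returns 0 if FILE still embeds "/etc/ld.so.preload" (looks unmodified),
#           1 if the string is missing (suspect),
#           2 if FILE cannot be read.
check_ld_so() {
  f="$1"
  [ -r "$f" ] || return 2
  # -a: treat the ELF binary as text; -F: literal match, no regex metacharacters.
  if grep -q -a -F '/etc/ld.so.preload' "$f"; then
    return 0
  fi
  return 1
}

# scan_loaders
#   Walks the usual loader locations (assumed glibc layout) and prints one
#   status line per loader found. Only regular files are inspected, so a
#   symlink such as /lib64/ld-linux-x86-64.so.2 is covered via its target.
scan_loaders() {
  find /lib /lib64 /usr/lib /usr/lib64 -maxdepth 2 -type f -name 'ld-*.so*' 2>/dev/null |
  while read -r loader; do
    if check_ld_so "$loader"; then
      printf 'OK       %s\n' "$loader"
    else
      printf 'SUSPECT  %s (missing /etc/ld.so.preload string)\n' "$loader"
    fi
  done
}

# show_preload_file
#   The legitimate preload mechanism is the file itself; if it is non-empty,
#   its contents deserve a look regardless of the loader check.
show_preload_file() {
  if [ -s /etc/ld.so.preload ]; then
    printf 'NOTE     /etc/ld.so.preload is non-empty:\n'
    cat /etc/ld.so.preload
  fi
}

# Stand-alone use: scan the local system.
scan_loaders
show_preload_file
```

A missing string is a strong hint rather than proof: confirm with your distribution's package verification (for example comparing the loader's checksum against the installed package) before treating the host as compromised, and treat an unexpected entry in /etc/ld.so.preload the same way.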