Pierluigi Paganini May 31, 2019

Security experts at Intezer have discovered a new Linux malware tracked as ‘HiddenWasp’ that borrows from Mirai, Azazel malicious codes.

HiddenWasp is a new sophisticated Linux malware still undetected by the majority of anti-virus solutions. According to the experts at Intezer, the malware was involved in targeted attacks.  

“Unlike common Linux malware, HiddenWasp is not focused on crypto-mining or DDoS activity. It is a trojan purely used for targeted remote control.” reads the analysis published by Intezer.

“Evidence shows in high probability that the malware is used in targeted attacks for victims who are already under the attacker’s control, or have gone through a heavy reconnaissance.”

Researchers from Intezer said that most of HiddenWasp’s code is unique, anyway the authors borrowed chunks of code publicly available open-source malware, such as Mirai and the Azazel rootkit. 

Like the Linux variant of the Winnti backdoor recently documented by Chronicle, HiddenWasp is composed of a user-mode rootkit, a Trojan, and a script for the initial deployment. 

The script allows the malware to achieve persistence, it creates a new system’s user account and to update older variants if the system was already compromised. Then the script downloads a Tar archive that contains the rootkit, the Trojan, and the initial deployment script. 

“The script will then proceed to download a tar compressed archive from a download server according to the architecture of the compromised system. This tarball will contain all of the components from the malware, containing the rootkit, the trojan and an initial deployment script” continues the experts.

Once installed the malware components, the main Trojan binary will be executed and the rootkit is added to the LD_PRELOAD mechanism. The malicious code also set up various environment variables and the script attempts to gain persistence by adding the trojan to /etc/rc.local.

“It seems that this actor changed the default environment variable from Azazel, that one being HIDE_THIS_SHELL for I_AM_HIDDEN.” continues the experts. “We have based this conclusion on the fact that the environment variable HIDE_THIS_SHELL was not used throughout the rest of the components of the malware and it seems to be residual remains from Azazel original code. “

Researchers also found that the HiddenWasp’s rootkit uses an algorithm similar to the one used by the infamous Mirai.

The rootkit is a user-space based rootkit enforced via LD_PRELOAD mechanism that is delivered in the form of an ET_DYN stripped ELF binary.

Experts linked the Trojan component with ChinaZ’s Elknot malware and other ChinaZ implants, a circumstance that suggests that the author of the HiddenWasp may have integrated some modified versions of the Elknot malware that could have been shared in Chinese hacking forums. 

Some artifacts found by the experts also belong to Chinese open-source rootkit for Linux Adore-ng likely because systems targeted with the HiddenWasp might have been previously compromised with this open-source rootkit. 

“Linux malware may introduce new challenges for the security community that we have not yet seen in other platforms. The fact that this malware manages to stay under the radar should be a wake up call for the security industry to allocate greater efforts or resources to detect these threats.” concludes the report.

“Linux malware will continue to become more complex over time and currently even common threats do not have high detection rates, while more sophisticated threats have even lower visibility.”

If you appreciate my effort in spreading cybersecurity awareness, please vote for Security Affairs in the section “Your Vote for the Best EU Security Tweeter”

Thank you

Pierluigi Paganini

(SecurityAffairs – HiddenWasp, Linux malware)

[adrotate banner=”5″]

[adrotate banner=”13″]