HiddenWasp malware targeting Linux systems has a zero detection rate

Over the years, Linux systems have been targeted by common malware designed to carry out distributed denial-of-service (DDoS) attacks and crypto mining. Intezer has discovered a malware named HiddenWasp that differs from previously found malware: it is used purely for targeted remote control. It has a zero detection rate in all major anti-virus systems.

According to a report by Ignacio Sanmillan, HiddenWasp employs advanced techniques to leverage a Trojan-based payload. It seems that most of its code is based on the recently discovered Linux malware strain Winnti, a hacking tool developed by Chinese hackers.

Intezer highlights several similarities between the two, HiddenWasp and Winnti. According to Intezer, both share common environment variables with those used in the Azazel rootkit. It further states:

“In addition, we also see a high rate of shared strings with other known ChinaZ malware, reinforcing the possibility that actors behind HiddenWasp may have integrated and modified some MD5 implementation from [the] Elknot [malware] that could have been shared in Chinese hacking forums”

HiddenWasp also shares some code with the Mirai IoT malware. It is not that easy for hackers to copy and paste code from other malware strains. However, researchers have managed to find an interesting clue that points to China as the operator of HiddenWasp. The researchers said:

“We observed that [the HiddenWasp] files were uploaded to VirusTotal using a path containing the name of a Chinese-based forensics company known as Shen Zhou Wang Yun Information Technology Co., Ltd. Furthermore, the malware implants seem to be hosted in servers from a physical server hosting company known as ThinkDream located in Hong Kong,”

HiddenWasp is new and not much is known about it yet. The infection vector is also unknown, but it may be guessed that it is distributed to already compromised machines. If this is the case, HiddenWasp is probably the second to be downloaded, after other tools. HiddenWasp then interacts with the local file system and can upload, download and run files. The most dangerous feature of this threat is its ability to remain undetected on the compromised machine. This led the researchers to conclude that:

“Linux malware may introduce new challenges for the security community that we have not yet seen in other platforms. The fact that this malware manages to stay under the radar should be a wake-up call for the security industry to allocate greater efforts or resources to detect these threats.”


HiddenWasp shares some similarities with Winnti. The Linux version of the latter was discovered by Chronicle. The Linux and Windows versions of the threat have a great deal in common. According to researchers, the Linux version of Winnti handled outbound communications with its command and control server in almost the same way as the Windows variant. The servers use a mixture of protocols, as seen with the Windows variant. The only distinguishing feature of the Linux version is that it lets the Chinese hackers initiate connections to infected hosts without going through the C&C servers.

From this, the researchers investigating HiddenWasp conclude that:

“The threat actors utilizing this toolset have repeatedly demonstrated their expertise in compromising Windows-based environments. An expansion into Linux tooling indicates iteration outside of their traditional comfort zone. This may indicate the OS requirements of their intended targets but it may also be an attempt to take advantage of a security telemetry blindspot in many enterprises, as is with Penguin Turla and APT28’s Linux XAgent variant.”

Linux malware may introduce new challenges for the security community and continues to become more complex, and currently even common threats do not have high detection rates. What about such complex, sophisticated malware? It would probably have few detections or none at all.