HiddenWasp Malware Targets Linux Systems, Borrows Code from Mirai, Winnti

Security researchers uncovered a new malware targeting Linux systems. Called HiddenWasp, the researchers believe that the malware is being used as a second-stage targeted attack on systems that have already been compromised.

HiddenWasp is unlike other recent Linux threats that focus on infecting internet-of-things (IoT) devices for use as part of a distributed-denial-of-service (DDoS) botnet, or deploying cryptocurrency-mining malware. According to Intezer’s Ignacio Sanmillan, HiddenWasp is designed for remotely controlling already-compromised systems. Its rootkit capabilities enable the malware to avoid detection.

[Trend Micro Research: Technical Analysis of the Erebus Linux Ransomware]

Comprising a deployment script, rootkit, and trojan, HiddenWasp is also notable in that a lot of its code, and how they’re implemented, appeared to be reminiscent of or borrowed from different open-source malware. For instance, HiddenWasp’s rootkit component likely used, ported, and modified some code from Mirai and the Azazel rootkit project. Sanmillan also noted that HiddenWasp’s structure bears resemblance to Linux versions of the Winnti malware.

Once HiddenWasp is successfully deployed on the compromised system, attackers can carry out various operations, which include:

  • Retrieving system and file information and listing files stored in the system
  • Copying, uploading, downloading, moving, and deleting files
  • Executing files or scripts and running commands

[READ: Bashlite IoT Malware Updated with Mining and Backdoor Commands, Targets WeMo Devices]

HiddenWasp’s mix of capabilities aren’t new. Last year, for instance, Trend Micro researchers uncovered a Monero-mining malware that came bundled with a rootkit in order to hide its cryptocurrency mining routine. More recently, Trend Micro researchers saw in-the-wild attacks targeting Linux-run systems installed with vulnerable Confluence collaboration software. The malware also came with a rootkit to evade detection.

HiddenWasp demonstrate the constant evolution of Linux threats. Compared to previous Linux threats that were designed mainly to execute single or specific routines, such as unauthorized cryptocurrency mining or encryption, many of today’s Linux threats are combining or embedding other payloads.

[READ: Linux Coin Miner Copied Scripts From KORKERDS, Removes All Other Malware and Miners]

Linux malware poses considerable security risks. Many enterprises use Unix- and Unix-like operating systems like Linux to run their mainframes, servers, system administration workstations, web development platforms, and even mobile applications. Enterprises can strengthen their defenses against Linux threats with these best practices:

  • Ensuring that repositories are verified, and disabling outdated or unnecessary components, extensions, and services
  • Enforcing the principle of least privilege
  • Patching and updating systems (or employing virtual patching)
  • Proactively monitoring and inspecting the network for anomalous system modifications or intrusions
  • Employing additional security mechanisms. IP filtering, for instance can be used to prevent unauthorized IP addresses from connecting to systems, such as those used by HiddenWasp for command-and-control communication. Sanmillan also provided a YARA rule that can help in detecting HiddenWasp, as well as a workaround to check if the system has been compromised.

Trend Micro endpoint solutions such as the Smart Protection Suites and Worry-Free Business Security solutions can protect users and businesses from threats by detecting malicious files and messages as well as blocking all related malicious URLs.


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.