Security researchers have uncovered a new malware family targeting Linux systems. Dubbed HiddenWasp, the malware is believed to be a second-stage payload used in targeted attacks against systems that have already been compromised.
Comprising a deployment script, a rootkit, and a trojan, HiddenWasp is also notable in that much of its code, and the way that code is implemented, appears to be borrowed from or modeled on other open-source malware. For instance, its rootkit component likely ports and modifies code from Mirai and the Azazel rootkit project. Sanmillan also noted that HiddenWasp's structure resembles that of Linux versions of the Winnti malware.
Once HiddenWasp is successfully deployed on the compromised system, attackers can carry out various operations, which include:
Retrieving system and file information and listing files stored in the system
Copying, uploading, downloading, moving, and deleting files
HiddenWasp's mix of capabilities isn't new. Last year, for instance, Trend Micro researchers uncovered a Monero-mining malware that came bundled with a rootkit to hide its cryptocurrency-mining routine. More recently, Trend Micro researchers observed in-the-wild attacks targeting Linux systems running vulnerable versions of the Confluence collaboration software; that malware also came with a rootkit to evade detection.
Linux malware poses considerable security risks. Many enterprises use Unix- and Unix-like operating systems like Linux to run their mainframes, servers, system administration workstations, web development platforms, and even mobile applications. Enterprises can strengthen their defenses against Linux threats with these best practices:
Installing software only from verified repositories, and disabling outdated or unnecessary components, extensions, and services
Proactively monitoring hosts and the network for anomalous system modifications or signs of intrusion
Employing additional security mechanisms. IP filtering, for instance, can be used to block connections to or from unauthorized IP addresses, such as those HiddenWasp uses for command-and-control communication. Sanmillan also provided a YARA rule that can help detect HiddenWasp, as well as a workaround to check whether a system has been compromised.