Security researchers have uncovered a new malware family targeting Linux systems. Called HiddenWasp, the malware is believed to be used as a second-stage payload in targeted attacks on systems that have already been compromised.
HiddenWasp is unlike other recent Linux threats, which focus on infecting internet-of-things (IoT) devices for use in distributed-denial-of-service (DDoS) botnets or on deploying cryptocurrency-mining malware. According to Intezer’s Ignacio Sanmillan, HiddenWasp is designed for remotely controlling already-compromised systems, and its rootkit capabilities enable it to avoid detection.
Comprising a deployment script, a rootkit, and a trojan, HiddenWasp is also notable in that much of its code, and the way it is implemented, appears to be reminiscent of or borrowed from different open-source malware. For instance, HiddenWasp’s rootkit component likely used, ported, and modified some code from Mirai and the Azazel rootkit project. Sanmillan also noted that HiddenWasp’s structure bears resemblance to Linux versions of the Winnti malware.
Once HiddenWasp is successfully deployed on the compromised system, attackers can carry out various operations, which include:
HiddenWasp’s mix of capabilities isn’t new. Last year, for instance, Trend Micro researchers uncovered a Monero-mining malware that came bundled with a rootkit in order to hide its cryptocurrency-mining routine. More recently, Trend Micro researchers saw in-the-wild attacks targeting Linux systems running vulnerable Confluence collaboration software; that malware also came with a rootkit to evade detection.
HiddenWasp demonstrates the constant evolution of Linux threats. Compared to previous Linux threats that were designed mainly to execute a single or specific routine, such as unauthorized cryptocurrency mining or file encryption, many of today’s Linux threats combine or embed other payloads.
Linux malware poses considerable security risks. Many enterprises use Unix- and Unix-like operating systems like Linux to run their mainframes, servers, system administration workstations, web development platforms, and even mobile applications. Enterprises can strengthen their defenses against Linux threats with these best practices:
Trend Micro endpoint solutions such as the Smart Protection Suites and Worry-Free Business Security solutions can protect users and businesses from threats by detecting malicious files and messages as well as blocking all related malicious URLs.