Jump to content
Scot's Newsletter Forums
securitybreach

HiddenWasp Malware Stings Targeted Linux Systems

Recommended Posts

Interesting article

 

Overview

Intezer has discovered a new, sophisticated malware that we have named “HiddenWasp”, targeting Linux systems.

The malware is still active and has a zero-detection rate in all major anti-virus systems.

Unlike common Linux malware, HiddenWasp is not focused on crypto-mining or DDoS activity. It is a trojan purely used for targeted remote control.

Evidence shows in high probability that the malware is used in targeted attacks for victims who are already under the attacker’s control, or have gone through a heavy reconnaissance.

HiddenWasp authors have adopted a large amount of code from various publicly available open-source malware, such as Mirai and the Azazel rootkit. In addition, there are some similarities between this malware and other Chinese malware families, however the attribution is made with low confidence.

We have detailed our recommendations for preventing and responding to this threat.

 

1. Introduction

Although the Linux threat ecosystem is crowded with IoT DDoS botnets and crypto-mining malware, it is not very common to spot trojans or backdoors in the wild.

 

Unlike Windows malware, Linux malware authors do not seem to invest too much effort writing their implants. In an open-source ecosystem there is a high ratio of publicly available code that can be copied and adapted by attackers.

 

In addition, Anti-Virus solutions for Linux tend to not be as resilient as in other platforms. Therefore, threat actors targeting Linux systems are less concerned about implementing excessive evasion techniques since even when reusing extensive amounts of code, threats can relatively manage to stay under the radar.

 

Nevertheless, malware with strong evasion techniques do exist for the Linux platform. There is also a high ratio of publicly available open-source malware that utilize strong evasion techniques and can be easily adapted by attackers.

 

We believe this fact is alarming for the security community since many implants today have very low detection rates, making these threats difficult to detect and respond to.

 

We have discovered further undetected Linux malware that appear to be enforcing advanced evasion techniques with the use of rootkits to leverage trojan-based implants.

 

In this blog we will present a technical analysis of each of the different components that this new malware, HiddenWasp, is composed of.

 

We will also highlight interesting code-reuse connections that we have observed to several open-source malware.

 

 

https://www.intezer.com/blog-hiddenwasp-malware-targeting-linux-systems/

Share this post


Link to post
Share on other sites

Interesting. I did a search for ld.so files in my /etc. I have two: ld.so and ld.so.cache. I could not find an ld.so.preload. Oh, my! I'm not at all sure what this means.

 

From the article:

 

2.3. Prevention and Response

 

In addition, in order to check if your system is infected, you can search for “ld.so” files — if any of the files do not contain the string ‘/etc/ld.so.preload’, your system may be compromised. This is because the trojan implant will attempt to patch instances of ld.so in order to enforce the LD_PRELOAD mechanism from arbitrary locations.

Share this post


Link to post
Share on other sites

That has to be a mistake as I searched seven installations including 4 different distros and none of them had ld.so.preload. Plenty of these but nothing else:

 

/etc/ld.so.cache

/etc/ld.so.conf

/etc/ld.so.conf.d

/etc/ld.so.conf.d/50-lib32-libva1.conf

/etc/ld.so.conf.d/50-libva1.conf

/etc/ld.so.conf.d/fakeroot.conf

/etc/ld.so.conf.d/lib32-glibc.conf

Share this post


Link to post
Share on other sites

I read somewhere today (can't remember where) that some of the more UNIX-like distros may not have the ld.so.preload because they don't function like the mainstream Linuxes. Wish I could find where I read that. :( It's a glibc related thing, I think.

Share this post


Link to post
Share on other sites

OMG. Any remaining hunches as to 'security by obscurity' now endangered.

As if I need any more stress in my life right now...

 

Nice link. Very impressive work. Trouble is, it reads basically as Greek to me.

I doubt there is anything actionable for me here. This is way above my pay

grade...

 

One question that comes up for me is wondering how one would acquire

this nasty in the wild? Would you have to get suckered into clicking an a

spearfishing link? Or do they just sneak this past all your defenses?

Including routers? I hear there is generalized advice to power down reset

all your routers in the mainstream media lately...

 

I am reminded of the classic Charlie Chaplin skit where the waiter holding

a tray laden with food keeps getting knocked over by some guy carrying a

ladder. In the final hilarious scene, in Pavlovian conditioned response to

merely *Seeing* the guy with the ladder, the waiter tosses his tray of

food in the air and throws himself to the floor- before even being struck

by the ladder. So does it feel to me, a mere user. Vulnerable. Naked...

 

And frickin' Mozilla just disabled NoScript and Adblock Plus in my older

copies of FF... Oh joy... I can't get 'em back because I refuse to upgrade

these particular copies of FF because I will lose some extension

functionality I am just not willing to give up... (Session Manager)

 

Clutter

Edited by Cluttermagnet

Share this post


Link to post
Share on other sites

@Clutter - you probably will never get touched by Linux malware as a normal user. The most likely way it could get in is by using an insecure old version of a browser!

Firefox has come a long way since they deprecated the old extensions system. A lot of old extensions have been updated or new extensions have appeared to take over their functions.

Share this post


Link to post
Share on other sites

I've never been a fan of the "security by obscurity" hypothesis. There are a lot of Linux servers out there. What security Linux offers has to be through the difficulty any attacker would have to get root access on your system.

This HiddenWasp stuff appears to infect systems that have already been compromised.

It is scary that AV apps aren't finding it but that'll get fixed.

I still believe that Linux is pretty safe - if you are sensible, don't allow root access to anything you don't understand, get your software from the repository.

Share this post


Link to post
Share on other sites

Pah! I installed Clam AV and ran a scan on my Linux system. Most of the "threats" were Libre Office macros - a couple of Windows tracking cookies.

Clam AV is OK to disinfect emails sent to Windows users I guess. If I really wanted to have effective Linux AV I'd buy ESET. But smart Linux use is still the best security.

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...

×
×
  • Create New...