HiddenWasp Malware Stings Targeted Linux Systems


11 replies to this topic

#1 securitybreach

    CLI Phreak

  • Forum Admins
  • 24,580 posts

Posted 30 May 2019 - 10:05 PM

Interesting article

Quote

Overview
Intezer has discovered a new, sophisticated malware that we have named “HiddenWasp”, targeting Linux systems.
The malware is still active and has a zero-detection rate in all major anti-virus systems.
Unlike common Linux malware, HiddenWasp is not focused on crypto-mining or DDoS activity. It is a trojan purely used for targeted remote control.
Evidence shows in high probability that the malware is used in targeted attacks for victims who are already under the attacker’s control, or have gone through a heavy reconnaissance.
HiddenWasp authors have adopted a large amount of code from various publicly available open-source malware, such as Mirai and the Azazel rootkit. In addition, there are some similarities between this malware and other Chinese malware families, however the attribution is made with low confidence.
We have detailed our recommendations for preventing and responding to this threat.

1. Introduction
Although the Linux threat ecosystem is crowded with IoT DDoS botnets and crypto-mining malware, it is not very common to spot trojans or backdoors in the wild.

Unlike Windows malware, Linux malware authors do not seem to invest too much effort writing their implants. In an open-source ecosystem there is a high ratio of publicly available code that can be copied and adapted by attackers.

In addition, Anti-Virus solutions for Linux tend to not be as resilient as in other platforms. Therefore, threat actors targeting Linux systems are less concerned about implementing excessive evasion techniques since even when reusing extensive amounts of code, threats can relatively manage to stay under the radar.

Nevertheless, malware with strong evasion techniques do exist for the Linux platform. There is also a high ratio of publicly available open-source malware that utilize strong evasion techniques and can be easily adapted by attackers.

We believe this fact is alarming for the security community since many implants today have very low detection rates, making these threats difficult to detect and respond to.

We have discovered further undetected Linux malware that appear to be enforcing advanced evasion techniques with the use of rootkits to leverage trojan-based implants.

In this blog we will present a technical analysis of each of the different components that this new malware, HiddenWasp, is composed of.

We will also highlight interesting code-reuse connections that we have observed to several open-source malware.


https://www.intezer....-linux-systems/
Configs/PGP Key/comhack π

"Do you begin to see, then, what kind of world we are creating? It is the exact opposite of the stupid hedonistic Utopias that the old reformers imagined. A world of fear and treachery and torment, a world of trampling and being trampled upon, a world which will grow not less but more merciless as it refines itself. Progress in our world will be progress toward more pain." -George Orwell, 1984

#2 V.T. Eric Layton

    Nocturnal Slacker

  • Forum Admins
  • 21,741 posts

Posted 31 May 2019 - 11:02 AM

Interesting. I did a search for ld.so files in my /etc. I have two: ld.so and ld.so.cache. I could not find an ld.so.preload. Oh, my! I'm not at all sure what this means.

From the article:

2.3. Prevention and Response

In addition, in order to check if your system is infected, you can search for “ld.so” files — if any of the files do not contain the string ‘/etc/ld.so.preload’, your system may be compromised. This is because the trojan implant will attempt to patch instances of ld.so in order to enforce the LD_PRELOAD mechanism from arbitrary locations.

Support Slackware: https://paypal.me/volkerdi
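The check quoted above, as an added example that is not part of the original post or the Intezer write-up: it greps the glibc dynamic loader binaries (the "ld.so" files the article means, e.g. /lib64/ld-linux-x86-64.so.2, not the optional /etc/ld.so.preload file, which is normally absent) for the "/etc/ld.so.preload" string; the search directories and loader file-name patterns are assumptions about common glibc layouts.

```shell
#!/bin/sh
# Added example; not code from the Intezer write-up or from this thread.
# An unmodified glibc loader reads /etc/ld.so.preload, so the binary embeds
# that path. The article's check: a loader that lacks the string may have
# been patched to take its preload list from somewhere else. The file
# /etc/ld.so.preload itself is absent on most healthy systems; only the
# string inside the loader binary matters for this check.

# check_loader FILE -> 0 if string present, 1 if missing, 2 if unreadable
check_loader() {
    f="$1"
    [ -r "$f" ] || { echo "unreadable: $f"; return 2; }
    if grep -q -a -F '/etc/ld.so.preload' "$f"; then
        echo "ok:         $f"
        return 0
    fi
    echo "SUSPICIOUS: $f lacks /etc/ld.so.preload string (patched loader?)"
    return 1
}

# scan_loaders [DIR ...] -> 1 if any glibc loader under the given directories
# (default: the usual library paths; an assumed layout) fails check_loader.
scan_loaders() {
    [ $# -gt 0 ] || set -- /lib /lib64 /usr/lib /usr/lib64
    rc=0
    for f in $(find -H "$@" -maxdepth 2 -type f \
               \( -name 'ld-linux*.so*' -o -name 'ld-2.*.so' -o -name 'ld.so' \) \
               2>/dev/null || :); do
        check_loader "$f" || rc=1
    done
    return $rc
}

# report_preload_file -> 1 if /etc/ld.so.preload exists and is non-empty,
# printing its entries so the libraries injected into every process can be
# reviewed; 0 when the file is absent (the normal state).
report_preload_file() {
    if [ -s /etc/ld.so.preload ]; then
        echo "/etc/ld.so.preload present; entries:"; cat /etc/ld.so.preload
        return 1
    fi
    echo "/etc/ld.so.preload not present (normal)"
    return 0
}

# Run both checks when invoked as: sh check_ldso.sh --scan
if [ "${1:-}" = "--scan" ]; then
    scan_loaders; report_preload_file
fi
```

Run it as root so every loader is readable; a "SUSPICIOUS" line means the loader should be compared against the package manager's copy before anything else is trusted on that host.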

#3 securitybreach

    CLI Phreak

  • Forum Admins
  • 24,580 posts

Posted 31 May 2019 - 06:13 PM

That has to be a mistake as I searched seven installations including 4 different distros and none of them had ld.so.preload. Plenty of these but nothing else:

Quote

/etc/ld.so.cache
/etc/ld.so.conf
/etc/ld.so.conf.d
/etc/ld.so.conf.d/50-lib32-libva1.conf
/etc/ld.so.conf.d/50-libva1.conf
/etc/ld.so.conf.d/fakeroot.conf
/etc/ld.so.conf.d/lib32-glibc.conf


#4 V.T. Eric Layton

    Nocturnal Slacker

  • Forum Admins
  • 21,741 posts

Posted 31 May 2019 - 11:14 PM

I read somewhere today (can't remember where) that some of the more UNIX-like distros may not have the ld.so.preload because they don't function like the mainstream Linuxes. Wish I could find where I read that. :( It's a glibc related thing, I think.

#5 Cluttermagnet

    Nocturnal Radio Geek

  • Forum MVP
  • 3,880 posts

Posted 01 June 2019 - 01:35 PM

OMG. Any remaining hunches as to 'security by obscurity' now endangered.
As if I need any more stress in my life right now...

Nice link. Very impressive work. Trouble is, it reads basically as Greek to me.
I doubt there is anything actionable for me here. This is way above my pay
grade...

One question that comes up for me is wondering how one would acquire
this nasty in the wild? Would you have to get suckered into clicking a
spear-phishing link? Or do they just sneak this past all your defenses?
Including routers? I hear there is generalized advice to power down and reset
all your routers in the mainstream media lately...

I am reminded of the classic Charlie Chaplin skit where the waiter holding
a tray laden with food keeps getting knocked over by some guy carrying a
ladder. In the final hilarious scene, in Pavlovian conditioned response to
merely *seeing* the guy with the ladder, the waiter tosses his tray of
food in the air and throws himself to the floor, before even being struck
by the ladder. So does it feel to me, a mere user. Vulnerable. Naked...

And frickin' Mozilla just disabled NoScript and Adblock Plus in my older
copies of FF... Oh joy... I can't get 'em back because I refuse to upgrade
these particular copies of FF because I will lose some extension
functionality I am just not willing to give up... (Session Manager)

Clutter


Special Limited Edition Cluttermaster 2007 with direct air cooling system.
"ClutterLabs" --open hardware for open software" .......... Registered Linux User 446867


("It takes an entire village to raise a child...")
"It takes only one bulldozer to raze an entire village..."
"Hey, Fred- isn't that your kid driving that bulldozer?"

In loving memory of Bruno Knaapen of Amsterdam, who shared
his love of Linux, and thereby made the world a better place...

#6 sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,914 posts

Posted 01 June 2019 - 07:40 PM

@Clutter - you probably will never get touched by Linux malware as a normal user. The most likely way it could get in is by using an insecure old version of a browser!
Firefox has come a long way since they deprecated the old extensions system. A lot of old extensions have been updated or new extensions have appeared to take over their functions.
Registered Linux user number 324659 || The importance of Reading The *Fine* Manual! :D
For the things we have to learn before we can do them, we learn by doing them.

#7 securitybreach

    CLI Phreak

  • Forum Admins
  • 24,580 posts

Posted 01 June 2019 - 07:41 PM

Also, since this is Linux, it will be patched pretty soon anyway.

#8 raymac46

    Discussion Deity

  • Forum MVP
  • 3,976 posts

Posted 02 June 2019 - 09:10 AM

I've never been a fan of the "security by obscurity" hypothesis. There are a lot of Linux servers out there. What security Linux offers has to be through the difficulty any attacker would have to get root access on your system.
This HiddenWasp stuff appears to infect systems that have already been compromised.
It is scary that AV apps aren't finding it but that'll get fixed.
I still believe that Linux is pretty safe - if you are sensible, don't allow root access to anything you don't understand, get your software from the repository.

#9 securitybreach

    CLI Phreak

  • Forum Admins
  • 24,580 posts

Posted 02 June 2019 - 10:43 AM

Agreed :thumbsup:

#10 raymac46

    Discussion Deity

  • Forum MVP
  • 3,976 posts

Posted 02 June 2019 - 10:53 AM

ESET has already added detection for HiddenWasp to their NOD32 AV.

#11 securitybreach

    CLI Phreak

  • Forum Admins
  • 24,580 posts

Posted 02 June 2019 - 02:19 PM

Nice, :thumbsup:

#12 raymac46

    Discussion Deity

  • Forum MVP
  • 3,976 posts

Posted 06 June 2019 - 08:41 AM

Pah! I installed ClamAV and ran a scan on my Linux system. Most of the "threats" were LibreOffice macros, plus a couple of Windows tracking cookies.
ClamAV is OK to disinfect emails sent to Windows users, I guess. If I really wanted to have effective Linux AV I'd buy ESET. But smart Linux use is still the best security.