Security researchers have discovered a new strain of malware called “HiddenWasp” that they believe is being used in targeted attacks to seize control of Linux systems and open backdoors for remote hackers.

According to a blog post by researchers at Intezer, the malware borrows from existing malware code publicly available on the internet including the Azazel rootkit and the notorious Mirai worm.

The researchers say there are similarities between HiddenWasp and the Linux branch of the Winnti malware family, as the malware contains a user-mode rootkit, a Trojan horse and an initial deployment script.

In its initial deployment script, HiddenWasp sets up a user named ‘sftp’ on the compromised system with a hardcoded password. It would appear that the script does this to allow hackers to continue to gain access to targeted systems even if their malware is later spotted and removed.

The malicious script can also clean up older versions of HiddenWasp on infected systems and download a tar-compressed archive containing all of its components, thereby providing a means to ensure compromised computers are running the latest version.

Clues scattered within the code, as well as similarities with previously-discovered malware, point a finger of suspicion towards China, though Intezer’s researchers admit that the attribution should only be made with “low confidence.”

We noticed that the trojan has code connections with ChinaZ’s Elknot implant in regards to some common MD5 implementation in one of the statically linked libraries it was linked with.

In addition, we also see a high rate of shared strings with other known ChinaZ malware, reinforcing the possibility that actors behind HiddenWasp may have integrated and modified some MD5 implementation from Elknot that could have been shared in Chinese hacking forums.

So, how does HiddenWasp end up infecting systems running Linux?

Unfortunately, the security (Read more...)