Unlike the Windows cybersecurity ecosystem, the threats concerning the Linux systems aren’t often discussed in much detail. The attacks either go undetected by the security mechanisms laid out by enterprises or they aren’t too severe to be reported widely by the security researchers.
However, as pointed out by cybersecurity firm Intezer, malware with sophisticated evasion techniques, which often utilize the already available open source code, do appear on the horizon from time to time. One such recent malware discovered by the firm is HiddenWasp. What makes HiddenWasp pretty dangerous at the moment is the fact that it has a zero detection rate in all popular malware protection systems.
How does HiddenWasp attack Linux machines?
The first step of the HiddenWasp Linux malware involves the running of the initial script for the deployment of malware. The hidden script uses a user named ‘sftp’ with a hardocded password and cleans the system to eradicate older versions of malware in case the machine was already infected.
Further, it proceeds to download an archive file from the server that contains all the components — including the rootkit and the trojan. The script also attempts to add the trojan binary to /etc/rc.local to work even after a reboot.
The rootkit involved in the malware shares lots of similarities with the open source rootkit Azazel. It also shares parts of strings with ChinaZ malware, Adore-ng rootkit, and Mirai malware. Talking about the capabilities of this stealthy Linux malware, it can run commands on the terminal, execute files, download more scripts, etc.
However, security researchers still don’t know the actual infection vector; they suspect that the malware was spread in systems already controlled by the hackers. So, it could be said that HiddenWasp is being used as a secondary payload.
If you’re interested in knowing about HiddenWasp Linux malware in detail, feel free to read the technical analysis of the same on Intezer blog.