Security researchers have discovered a new strain of Linux malware named HiddenWasp.
The malware was discovered by researchers from the cybersecurity firm Intezer.
The malware is still active and has a zero detection rate on all major anti-virus systems.
“Unlike common Linux malware, HiddenWasp is not focused on crypto-mining or DDoS activity. It is a trojan purely used for targeted remote control,” reads the technical report published by Ignacio Sanmillan of Intezer.
HiddenWasp shares many similarities with other malware families such as Mirai and the Azazel rootkit, suggesting that a large amount of its code may have been borrowed.
The researcher also found many similarities between HiddenWasp and other Chinese malware families.
The first step of the infection is running an initial script that deploys the malware.
In the script, the researcher spotted credentials for a user named ‘sftp’ with a hardcoded password.
The user was created to provide initial persistence on the compromised system and to clean the system in case it was already infected.
The script then downloads an archive file from the server containing all components of the malware: the rootkit, the trojan and an initial deployment script.
After installing the components, the script executes the trojan. The script also adds the trojan binary to /etc/rc.local so that it keeps running after a reboot.
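The two persistence artefacts the deployment script leaves behind, a login-capable account named 'sftp' and an extra command in /etc/rc.local, can be checked for with a small audit script. The example below is added here and is not Intezer's or the article's code; the passwd and rc.local contents are constructed samples and the trojan path is a placeholder, not a real indicator.

```python
import re

# Constructed sample of /etc/passwd: the last entry mimics a login-capable
# 'sftp' account like the one the deployment script creates (not a real IoC).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
sftp:x:1001:1001::/home/sftp:/bin/bash
"""

# Constructed sample of /etc/rc.local: a stock file is comments plus 'exit 0';
# the extra line stands in for the trojan launcher (placeholder path).
SAMPLE_RC_LOCAL = """#!/bin/sh -e
# rc.local
# This script is executed at the end of each multiuser runlevel.
/path/to/PLACEHOLDER_TROJAN_BINARY &
exit 0
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

def login_capable_sftp_accounts(passwd_text: str) -> list:
    """passwd lines for an account named 'sftp' with a real login shell.
    A transfer-only 'sftp' user normally has a nologin shell; this one does not."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line; skip rather than crash
        name, shell = fields[0], fields[6]
        if name == "sftp" and shell not in NOLOGIN_SHELLS:
            hits.append(line)
    return hits

def nonstandard_rc_local_commands(rc_text: str) -> list:
    """Command lines in rc.local other than shebang, comments, blanks and 'exit 0'.
    A stock file yields nothing; any result is a boot-time entry to review."""
    cmds = []
    for raw in rc_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.fullmatch(r"exit\s+0", line):
            continue
        cmds.append(line)
    return cmds

if __name__ == "__main__":
    print(login_capable_sftp_accounts(SAMPLE_PASSWD), nonstandard_rc_local_commands(SAMPLE_RC_LOCAL))
```

On a live host, replace the samples with the contents of /etc/passwd and /etc/rc.local; a legitimate chrooted SFTP account with a nologin shell is not flagged.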
According to ZDNet, who spoke with Sanmillan, he still does not know how the malware is spreading.
He believes the malware is deployed on systems already controlled by the attacker, as a secondary payload.
For more technical details and IOCs, see the technical analysis published by the researcher.