Researchers have recently uncovered a malware being called “HiddenWasp,” which targets Linux Systems. HiddenWasp uses the code from multiple different strains of malware to perform its tasks. Similar to the Winnti malware strain, a basic overview of the malicious software reveals that it consists of an initial deployment script, a user-mode rootkit, and a trojan. Files pertaining to the malware were found on VirusTotal and included a bash script that releases the malware and after it is executed, it downloads a tar compressed archive. In that archive are the three parts that makeup HiddenWasp. A majority of the code is from the Azazel rootkit and similar pieces to the Mirai botnet make up the user-mode rootkit. HiddenWasps trojan is made up of statically-linked ELF binary in connection with stdlibc++, as well as code from a malware that can perform DDoS attacks known as Elknot. What’s dangerous about HiddenWasp is that it has a zero percent detection rate on Linux systems. Researchers stated, “Linux malware may introduce new challenges for the security community that we have not yet seen in other platforms. The fact that this malware manages to stay under the radar should be a wake-up call for the security industry to allocate greater efforts or resources to detect these threats.”
Analyst Notes
Since this particular strain of malware is undetectable on Linux systems, it is difficult to determine a mitigation tactic until Linux is able to develop a solution. As for other malware affecting Linux systems, users should keep their systems updated and only trust known networks. Firewalls can also be running, which would prevent unknown entities from connecting to the users’ network. Antivirus scans should also be run occasionally and backing up data regularly is also suggested.
