Security researchers have discovered malware designed to take remote control of Linux systems.
The malware, called HiddenWasp, reuses code from various publicly available open-source malware, such as Mirai and the Azazel rootkit. Researchers said there are some similarities between this malware and other Chinese malware families, but described this as a 'low confidence' attribution.
The malware comprises a user-mode rootkit, a trojan, and an initial deployment script. Despite borrowing code from other malware, it had a zero-detection rate across all major anti-virus engines.
"Unlike common Linux malware, HiddenWasp is not focused on crypto-mining or DDoS activity. It is a trojan purely used for targeted remote control," said Ignacio Sanmillan, a security researcher at Intezer Labs.
In a blog post, Sanmillan said that the malware's deployment script carries the credentials of a user named 'sftp', including a hardcoded password. If the system was already compromised, the script first cleans it so that older variants can be replaced.
It then downloads a compressed archive from a download server, chosen according to the architecture of the compromised system. This tarball contains all of the malware's components: the rootkit, the trojan and the initial deployment script.
Sanmillan said that the evidence points to a high probability that the malware is used in targeted attacks against victims who are already under the attacker's control or have been subjected to heavy reconnaissance.
"The target systems this malware is aiming to intrude may be already known compromised targets by the same group or a third party that may be collaborating with the same end goal of this particular campaign," he said.
Tom Hegel, security researcher at AT&T Alien Labs, told SC Media UK that his firm linked the HiddenWasp malware, a Linux implant, to the Winnti Umbrella, a cluster of related adversaries.
"There are a lot of unknowns, as pieces of this toolkit have a few code overlaps/reuse with various open source tools. However based on a large pattern of infrastructure overlap and design, in addition to its use on targets, we assess with high confidence the association to the Winnti Umbrella," he said.
Boris Cipot, senior security engineer at Synopsys, told SC Media UK that neither whether the malware was developed to attack a specific target nor its motivation is known.
"However we can see that the attack is not motivated by crypto-mining or for other quick profit activities, but as a malware intended to control the compromised systems," he said.
"Intezer gave signatures in the form of YARA rules so that organisations can look for artifacts of the malware in the memory of their Linux systems. Blocking the Command and Control IP addresses to which the malware connects is recommended as soon as possible so that the malware does not change the current communication path or actions. It would be recommended to also observe the network traffic for unusual downloads or uploads and files access on systems."
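The network-side checks Cipot recommends (blocking known command-and-control addresses and watching for unusual downloads and uploads) can be turned into a simple log triage, shown here as an added example that is not code from the article, Intezer or Synopsys. The log format, the hostnames and the blocklist addresses are constructed placeholders; real indicators would come from the published YARA rules and IP lists.

```python
import re
from dataclasses import dataclass

# Constructed placeholder C2 addresses (documentation range), not real indicators.
C2_BLOCKLIST = {"203.0.113.10", "203.0.113.11"}

# The article describes an archive fetched per CPU architecture of the victim;
# flag URLs that look like such an architecture-specific tarball download.
TARBALL_RE = re.compile(
    r"(x86_64|i386|i686|arm|aarch64)[^/\s]*\.(tar\.gz|tgz|tar)$", re.I
)

# Constructed log line layout: "<ts> <host> <src> -> <dst>:<port> <method> <url> <bytes>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) "
    r"(?P<method>GET|POST|CONNECT) (?P<url>\S+) (?P<bytes>\d+)$"
)

LARGE_UPLOAD_BYTES = 10_000_000  # assumed threshold for "unusual upload"


@dataclass
class Alert:
    host: str
    reason: str
    detail: str


def analyse(lines):
    """Return one Alert per suspicious observation in the given log lines."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # lines that do not fit the expected layout are skipped
        rec = m.groupdict()
        if rec["dst"] in C2_BLOCKLIST:
            alerts.append(Alert(rec["host"], "c2-contact", rec["dst"]))
        if TARBALL_RE.search(rec["url"]):
            alerts.append(Alert(rec["host"], "arch-tarball-download", rec["url"]))
        if rec["method"] == "POST" and int(rec["bytes"]) > LARGE_UPLOAD_BYTES:
            alerts.append(Alert(rec["host"], "large-upload", rec["bytes"]))
    return alerts


# Constructed sample traffic: one C2 contact, one per-architecture tarball
# fetch, one oversized upload, one benign request and one malformed line.
SAMPLE_LOG = [
    "2019-05-30T10:00:01Z web01 10.0.0.5 -> 203.0.113.10:443 GET /update 512",
    "2019-05-30T10:00:02Z web01 10.0.0.5 -> 198.51.100.7:80 GET /files/x86_64.tar.gz 204800",
    "2019-05-30T10:00:03Z db02 10.0.0.9 -> 198.51.100.20:443 POST /upload 25000000",
    "2019-05-30T10:00:04Z db02 10.0.0.9 -> 192.0.2.1:443 GET /index.html 4096",
    "malformed line",
]

if __name__ == "__main__":
    for a in analyse(SAMPLE_LOG):
        print(f"{a.host}: {a.reason} ({a.detail})")
```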