Security Market Segment LS
Friday, 31 May 2019 08:11

Intezer team finds unknown malware that attacks Linux systems

Intezer team finds unknown malware that attacks Linux systems Image by OpenClipart-Vectors from Pixabay

Researchers from security firm Intezer Labs say they have found malware, which they have named HiddenWasp, that targets Linux systems and is not detected by most anti-virus engines.

Intezer's Ignacio Sanmillan said in a blog post that, unlike many common strains of malware, which were used to facilitate DDoS attacks or cryptocurrency mining, HiddenWasp appeared to be making the Linux systems it attacked available for later use by the attackers in question. The exact purpose of the whole campaign was not known or indicated.

The malware uses code from a large number of other open source efforts, such as the Mirai botnet and the Azazel rootkit. HiddenWasp had its own user-mode rootkit, a trojan and an initial deployment script, Sanmillan said.

After gaining access to a system through the rootkit, the malware then ran the deployment script; one of the things it did was to create an sftp user with a hard-coded password.

Sanmillan said the malware implants appeared to be hosted by a company known as ThinkDream in Hong Kong. Judging from samples of the malware uploaded to the database VirusTotal, he said there seemed to be a bash script along with a trojan implant binary.

The Google-owned VirusTotal scans uploaded files with a number of virus-detection engines from different companies and indicates how many have detected the sample as being malware. In the case of HiddenWasp, no engine was able to detect it as malware.

The files had been uploaded to VirusTotal using a path with the name of a China-based forensics firm known as Shen Zhou Wang Yun Information Technology Co., Ltd.

Sanmillan said Intezer researchers used the bash script to download other artifacts which were not uploaded to VirusTotal. The trojan component had some code similarities to an implant known as Elknoz associated with a group that goes by the name ChinaZ.

"...the rootkit and trojan work together in order to help each other to remain persistent in the system, having the rootkit attempting to hide the trojan and the trojan enforcing the rootkit to remain operational," he wrote.

The trojan enforced evasion of some artifacts, all of which were found to be part of a Chinese open-source rootkit known as Adore-ng.

"The fact that these artifacts are being searched for suggests that potentially targeted Linux systems by these implants may have already been compromised with some variant of this open-source rootkit as an additional artifact in this malware’s infrastructure," Sanmillan noted.

"Although those paths are being searched for in order to hide their presence in the system, it is important to note that none of the analysed artifacts related to this malware are installed in such paths.

"This finding may imply that the target systems this malware is aiming to intrude may be already known compromised targets by the same group or a third party that may be collaborating with the same end goal of this particular campaign."


You cannot afford to miss this Dell Webinar.

With Windows 7 support ending 14th January 2020, its time to start looking at your options.

This can have significant impacts on your organisation but also presents organisations with an opportunity to fundamentally rethink the way users work.

The Details

When: Thursday, September 26, 2019
Presenter: Dell Technologies
Location: Your Computer


QLD, VIC, NSW, ACT & TAS: 11:00 am
SA, NT: 10:30 am
WA: 9:00 am NZ: 1:00 pm

Register and find out all the details you need to know below.



iTWire can help you promote your company, services, and products.


Advertise on the iTWire News Site / Website

Advertise in the iTWire UPDATE / Newsletter

Promote your message via iTWire Sponsored Content/News

Guest Opinion for Home Page exposure

Contact Andrew on 0412 390 000 or email [email protected]


Sam Varghese

website statistics

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.



Recent Comments