Intezer's Ignacio Sanmillan said in a blog post that, unlike many common strains of malware, which were used to facilitate DDoS attacks or cryptocurrency mining, HiddenWasp appeared to be making the Linux systems it attacked available for later use by the attackers in question. The exact purpose of the whole campaign was not known or indicated.
The malware uses code from a large number of other open source efforts, such as the Mirai botnet and the Azazel rootkit. HiddenWasp had its own user-mode rootkit, a trojan and an initial deployment script, Sanmillan said.
After gaining access to a system through the rootkit, the malware ran the deployment script; among other things, the script created an sftp user with a hard-coded password.
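An account created with a hard-coded password, as described above, is one of the few HiddenWasp artifacts a defender can hunt for without the sample's own indicators: it shows up as an unexpected login-capable entry in /etc/passwd. The audit below is an added example written for this article, not code from Intezer's report or from the malware; the sample passwd content, the account name sftp_backup and the baseline set are constructed for illustration.

```python
"""Audit an /etc/passwd-style file for login-capable accounts that are not in a known baseline."""

# Constructed sample passwd content (not taken from the page or from Intezer's report).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
sftp_backup:x:1001:1001::/var/sftp:/bin/sh
"""

# Assumed baseline of accounts the administrator expects on this host (constructed).
BASELINE = {"root", "daemon", "sshd", "alice"}

# Shells that do not allow an interactive login.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false"}


def parse_passwd(text):
    """Parse passwd(5) lines into dicts; malformed lines are skipped rather than trusted."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            continue
        name, _pw, uid, gid, _gecos, home, shell = parts
        entries.append({"name": name, "uid": int(uid), "gid": int(gid),
                        "home": home, "shell": shell})
    return entries


def find_unexpected_logins(entries, baseline):
    """Return (name, uid, shell, reason) for accounts that merit a closer look.

    Two rules: any account outside the baseline that has an interactive shell,
    and any uid-0 account other than root (even if someone added it to the baseline).
    """
    findings = []
    for e in entries:
        if e["uid"] == 0 and e["name"] != "root":
            findings.append((e["name"], e["uid"], e["shell"], "uid 0 account that is not root"))
        elif e["name"] not in baseline and e["shell"] not in NOLOGIN_SHELLS:
            findings.append((e["name"], e["uid"], e["shell"], "new account with interactive shell"))
    return findings


def audit_passwd_file(path="/etc/passwd", baseline=BASELINE):
    """Run the audit against a real file; on a live host call this with the host's baseline."""
    with open(path, encoding="utf-8") as fh:
        return find_unexpected_logins(parse_passwd(fh.read()), baseline)


if __name__ == "__main__":
    for name, uid, shell, reason in find_unexpected_logins(parse_passwd(SAMPLE_PASSWD), BASELINE):
        print(f"{name} (uid {uid}, shell {shell}): {reason}")
```

The baseline should come from configuration management or a golden image rather than from the host being checked, since a compromised host's own records are exactly what is in question; running the audit from a known-good system against a mounted copy of /etc/passwd avoids trusting a rootkit-controlled view of the file.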
The Google-owned VirusTotal scans uploaded files with a number of virus-detection engines from different companies and indicates how many have detected the sample as being malware. In the case of HiddenWasp, no engine was able to detect it as malware.
The files had been uploaded to VirusTotal using a path with the name of a China-based forensics firm known as Shen Zhou Wang Yun Information Technology Co., Ltd.
Sanmillan said Intezer researchers used the deployment bash script to download other artifacts which had not been uploaded to VirusTotal. The trojan component had some code similarities to an implant known as Elknot, associated with a group that goes by the name ChinaZ.
"...the rootkit and trojan work together in order to help each other to remain persistent in the system, having the rootkit attempting to hide the trojan and the trojan enforcing the rootkit to remain operational," he wrote.
The trojan also attempted to hide certain file paths, all of which were found to belong to a Chinese open-source rootkit known as Adore-ng.
"The fact that these artifacts are being searched for suggests that potentially targeted Linux systems by these implants may have already been compromised with some variant of this open-source rootkit as an additional artifact in this malware’s infrastructure," Sanmillan noted.
"Although those paths are being searched for in order to hide their presence in the system, it is important to note that none of the analysed artifacts related to this malware are installed in such paths.
"This finding may imply that the target systems this malware is aiming to intrude may be already known compromised targets by the same group or a third party that may be collaborating with the same end goal of this particular campaign."