Friday, 31 May 2019 08:11

Intezer team finds unknown malware that attacks Linux systems


Researchers from security firm Intezer Labs say they have found malware, which they have named HiddenWasp, that targets Linux systems and is not detected by most anti-virus engines.

Intezer's Ignacio Sanmillan said in a blog post that, unlike most Linux malware seen in the wild, which is built for DDoS attacks or cryptocurrency mining, HiddenWasp appeared to be a tool for targeted remote control: it kept the Linux systems it infected available for later use by the attackers. The exact purpose of the campaign was not known or indicated.

The malware borrows code from a number of other open-source projects, such as the Mirai botnet and the Azazel rootkit. HiddenWasp consisted of its own user-mode rootkit, a trojan and an initial deployment script, Sanmillan said.

The rootkit is a hiding component, not an entry point: the attackers already had access to a system when the deployment script was run. Among other things, the script created a user named sftp with a hard-coded password, giving the attackers a login they could return to later.
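A host check for the two artefacts this paragraph describes, added here as an example rather than taken from Intezer's write-up: an sftp login whose password is actually set, and, because the article says only "user-mode rootkit", a look at /etc/ld.so.preload, which is the usual install point for a user-mode rootkit on Linux (that HiddenWasp uses it is an assumption here, not something the article states). The passwd, shadow and preload contents below are constructed samples; the allow-list of expected interactive accounts is a placeholder a site would fill in.

```python
"""Flag a planted "sftp" login and any other account with a usable password
that is not on the allow-list, plus any library listed in /etc/ld.so.preload."""
import os

# Constructed sample data (not from the article or Intezer's report):
# an ordinary passwd/shadow pair plus the "sftp" account a deployment
# script of the kind described above would add.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
sftp:x:1001:1001::/home/sftp:/bin/bash
"""
SAMPLE_SHADOW = """root:$6$saltsalt$fakehashforexampleonly:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
www-data:*:18000:0:99999:7:::
alice:$6$othersalt$anotherfakehash:18000:0:99999:7:::
sftp:$6$hardcode$hashwrittenbytheinstaller:18047:0:99999:7:::
"""
# Hypothetical preload entry; a clean host normally has no /etc/ld.so.preload at all.
SAMPLE_PRELOAD = "/usr/lib/libselinux.so\n"

# Assumption: the interactive accounts this site expects to exist.
KNOWN_INTERACTIVE = {"root", "alice"}


def parse_passwd(text):
    """Map login name -> uid, home, shell from passwd-format text."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) < 7:
            continue
        users[f[0]] = {"uid": int(f[2]), "home": f[5], "shell": f[6]}
    return users


def parse_shadow(text):
    """Map login name -> password field from shadow-format text."""
    hashes = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) >= 2:
            hashes[f[0]] = f[1]
    return hashes


def password_usable(field):
    """True when the shadow field is a real hash rather than locked/disabled
    ("", "*", "!", "!!" or a "!"-prefixed hash)."""
    return bool(field) and not field.startswith(("!", "*"))


def suspicious_accounts(passwd_text, shadow_text, allow=KNOWN_INTERACTIVE):
    """Return (name, reason) pairs for accounts that can log in with a password
    but should not be able to."""
    users = parse_passwd(passwd_text)
    hashes = parse_shadow(shadow_text)
    findings = []
    for name in users:
        if not password_usable(hashes.get(name, "")):
            continue
        if name == "sftp":
            findings.append((name, "login named sftp with a set password"))
        elif name not in allow:
            findings.append((name, "account with a usable password not on the allow-list"))
    return sorted(findings)


def preload_libraries(text):
    """Non-comment entries of an ld.so.preload file; anything here is loaded
    into every dynamically linked process and deserves inspection."""
    return [l.strip() for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


if __name__ == "__main__":
    # Against the live host (shadow is readable only as root); falls back to samples.
    try:
        with open("/etc/passwd") as p, open("/etc/shadow") as s:
            passwd_text, shadow_text = p.read(), s.read()
    except OSError:
        passwd_text, shadow_text = SAMPLE_PASSWD, SAMPLE_SHADOW
    for name, reason in suspicious_accounts(passwd_text, shadow_text):
        print(f"ACCOUNT {name}: {reason}")
    if os.path.exists("/etc/ld.so.preload"):
        with open("/etc/ld.so.preload") as f:
            for lib in preload_libraries(f.read()):
                print(f"PRELOAD {lib}")
```

Run as root the script reads the real files; otherwise it reports on the embedded samples, where only the sftp account is flagged. A hit on ld.so.preload is not proof of a rootkit, but on most distributions the file simply does not exist, so any entry needs explaining.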

Sanmillan said the malware implants appeared to be hosted by a company known as ThinkDream in Hong Kong. Judging from samples of the malware uploaded to the database VirusTotal, he said there seemed to be a bash script along with a trojan implant binary.

The Google-owned VirusTotal scans uploaded files with a number of virus-detection engines from different companies and indicates how many have detected the sample as being malware. In the case of HiddenWasp, no engine was able to detect it as malware.

The files had been uploaded to VirusTotal using a path with the name of a China-based forensics firm known as Shen Zhou Wang Yun Information Technology Co., Ltd.

Sanmillan said Intezer researchers used the bash script to download other artifacts which had not been uploaded to VirusTotal. The trojan component had some code similarities to an implant known as Elknot, associated with a group that goes by the name ChinaZ.

"...the rootkit and trojan work together in order to help each other to remain persistent in the system, having the rootkit attempting to hide the trojan and the trojan enforcing the rootkit to remain operational," he wrote.

The trojan also hid a set of file-system paths from view; all of those paths turned out to belong to a Chinese open-source rootkit known as Adore-ng.

"The fact that these artifacts are being searched for suggests that potentially targeted Linux systems by these implants may have already been compromised with some variant of this open-source rootkit as an additional artifact in this malware’s infrastructure," Sanmillan noted.

"Although those paths are being searched for in order to hide their presence in the system, it is important to note that none of the analysed artifacts related to this malware are installed in such paths.

"This finding may imply that the target systems this malware is aiming to intrude may be already known compromised targets by the same group or a third party that may be collaborating with the same end goal of this particular campaign."
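A user-mode rootkit filters directory listings inside the libc calls (opendir/readdir) that tools such as ls rely on; the kernel itself still knows the entries. One generic way to surface what such a rootkit is hiding, added here as an example and not part of Intezer's analysis, is to list a directory once through libc and once by calling the getdents64 system call directly and report the difference. The code assumes x86_64 Linux (syscall number 217) and that the hooking library is loaded into this Python process too, as it would be if installed through /etc/ld.so.preload; neither is stated by the article. It does not depend on the Adore-ng path list, which the article does not reproduce.

```python
"""Compare a libc directory listing with a raw getdents64 listing;
entries present only in the raw listing are being hidden in user space."""
import ctypes
import os
import struct
import sys

# Assumption: x86_64 Linux. getdents64 has a different number on other architectures.
SYS_GETDENTS64 = 217
# struct linux_dirent64 header: d_ino (u64), d_off (s64), d_reclen (u16), d_type (u8), then d_name.
_DIRENT64_HEADER = struct.Struct("<QqHB")


def raw_listdir(path):
    """List `path` by invoking getdents64 directly, bypassing libc's
    opendir/readdir, which is what an LD_PRELOAD rootkit typically hooks."""
    libc = ctypes.CDLL(None, use_errno=True)
    libc.syscall.restype = ctypes.c_long
    fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY)
    buf = ctypes.create_string_buffer(64 * 1024)
    names = []
    try:
        while True:
            n = libc.syscall(ctypes.c_long(SYS_GETDENTS64), ctypes.c_long(fd),
                             buf, ctypes.c_size_t(len(buf)))
            if n < 0:
                err = ctypes.get_errno()
                raise OSError(err, os.strerror(err), path)
            if n == 0:
                break
            data = buf.raw[:n]
            off = 0
            while off < n:
                _, _, reclen, _ = _DIRENT64_HEADER.unpack_from(data, off)
                raw_name = data[off + _DIRENT64_HEADER.size:off + reclen]
                names.append(os.fsdecode(raw_name.split(b"\0", 1)[0]))
                off += reclen
    finally:
        os.close(fd)
    return names


def hidden_entries(libc_names, raw_names):
    """Names the kernel returned but the libc listing did not ("." and ".."
    are dropped because os.listdir never reports them)."""
    return sorted(set(raw_names) - set(libc_names) - {".", ".."})


def scan(path):
    """Entries in `path` that a user-space hook is filtering out of listings."""
    return hidden_entries(os.listdir(path), raw_listdir(path))


if __name__ == "__main__":
    # Directories to compare; defaults are common drop locations, an assumption.
    for directory in sys.argv[1:] or ["/tmp", "/usr/lib", "/etc"]:
        try:
            hidden = scan(directory)
        except OSError as exc:
            print(f"{directory}: {exc}")
            continue
        for name in hidden:
            print(f"HIDDEN {os.path.join(directory, name)}")
```

The comparison is only as good as its baseline: a rootkit that also hooks libc's syscall() wrapper would defeat it, so a statically linked helper, or a listing taken from a known-clean boot medium, is the stronger check. A non-empty result is a strong signal either way, because on a clean system the two listings are identical apart from "." and "..".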




Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.


