HiddenWasp Malware Stings Targeted Linux Systems (May 29, 2019)
A new malware family named “HiddenWasp” has been found targeting Linux systems, according to Intezer researchers. The malware is a trojan used for targeted remote control of a system and it employs advanced evasion techniques. Analysis of the infected systems suggests that the target systems may already have been under the control of these attackers, or of another group working alongside this threat group. Using a deployment script, a trojan and a rootkit, the threat actors behind this malware can gain remote access to a target system and enforce persistence. Because the malware also creates a new sftp user account, the actors retain access to the system even after HiddenWasp is removed.
Recommendation: To check whether your system is affected, search for “ld.so” files; if any of them does not contain the string ‘/etc/ld.so.preload’, the system may be infected. To protect against trojans, ensure your firewall blocks all entry points for unauthorized users, and maintain a baseline of what normal traffic looks like on your network so that unusual, potentially malicious traffic can be identified.
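The ld.so check from the recommendation, written out as an added shell script (this is example code, not from the report or from Intezer): it greps each glibc dynamic loader for the hard-coded preload path and flags any loader that lacks it. The directory list, the `ld-*.so*` file-name pattern and the glibc-only scope are assumptions.

```shell
#!/bin/sh
# Added example, not from the report: implements the ld.so check from the
# recommendation above. The rootkit is loaded by changing the path of the preload
# file inside the dynamic loader, so a glibc loader (ld-*.so*) that no longer
# contains the literal string '/etc/ld.so.preload' is suspect.
# Assumptions: glibc system; loaders live under the directories listed in main.
# musl loaders (e.g. Alpine) never contain this string and would be false positives.

PRELOAD_PATH='/etc/ld.so.preload'

# check_ldso FILE: print a verdict and return 0 (ok) or 1 (suspect).
check_ldso() {
    if grep -q -F "$PRELOAD_PATH" "$1"; then
        printf 'ok       %s\n' "$1"
        return 0
    fi
    printf 'SUSPECT  %s\n' "$1"
    return 1
}

# scan_ldso DIR...: check every regular file named like a glibc loader below the
# given directories (symlinks such as ld-linux-x86-64.so.2 are skipped; the real
# file they point to is checked). Returns the number of suspect loaders.
scan_ldso() {
    suspects=0
    # Word-splitting on $(find ...) is acceptable here: library paths have no spaces.
    # -H follows a directory symlink given on the command line (merged-/usr systems).
    for f in $(find -H "$@" -type f -name 'ld-*.so*' 2>/dev/null); do
        check_ldso "$f" || suspects=$((suspects + 1))
    done
    printf '%d suspect loader(s)\n' "$suspects"
    return "$suspects"
}

# Usage: sh check_ldso.sh [DIR...]  (defaults to the usual glibc loader locations)
main() {
    if [ "$#" -eq 0 ]; then
        set -- /lib /lib64 /usr/lib /usr/lib64
    fi
    scan_ldso "$@"
}

# Run the scan only when executed as check_ldso.sh, so the functions can also be sourced.
case "$0" in
    *check_ldso.sh) main "$@" ;;
esac
```

Save the script as check_ldso.sh and run it as root; the exit status is the number of loaders flagged, so zero means every loader still carries the expected preload path.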
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.