Warning over 'HiddenWasp' Linux backdoor undetectable by antivirus software

HiddenWasp, a Linux malware family tentatively linked to China, is being used in sophisticated, targeted attacks

Security researchers have discovered a new form of malware targeting Linux.

The 'HiddenWasp' backdoor, found by security firm Intezer, is particularly dangerous because it is still active and, the firm claims, evades detection by all major antivirus products.

Intezer said the malware is unlike common Linux malware because rather than focusing on crypto-mining or DDoS activity, it is "a Trojan purely used for targeted remote control".


According to the firm, it is highly probable that the malware is being "used in targeted attacks for victims who are already under the attacker's control, or have gone through a heavy reconnaissance".

"HiddenWasp authors have adopted a large amount of code from various publicly available open-source malware, such as Mirai and the Azazel rootkit," wrote security expert Ignacio Sanmillan.

"In addition, there are some similarities between this malware and other Chinese malware families; however, the attribution is made with low confidence."

After performing a technical analysis, the researchers found that the majority of the code was nonetheless unique. The malware comprises a user-mode rootkit, a Trojan and an initial deployment script.


In his research, Ignacio Sanmillan argued that Linux malware authors do not seem to invest as much effort in writing their implants as their Windows counterparts do.

He explained: "In an open-source ecosystem there is a high ratio of publicly available code that can be copied and adapted by attackers.

"In addition, anti-virus solutions for Linux tend to not be as resilient as in other platforms. Therefore, threat actors targeting Linux systems are less concerned about implementing excessive evasion techniques since, even when re-using extensive amounts of code, threats can relatively manage to stay under the radar.

"Nevertheless, malware with strong evasion techniques do exist for the Linux platform. There is also a high ratio of publicly available open-source malware that utilize strong evasion techniques and can be easily adapted by attackers."


Sanmillan said this malware is alarming the security community "since many implants today have very low detection rates, making these threats difficult to detect and respond to".

When it comes to mitigating these risks, he recommends:

"In addition, in order to check if your system is infected, you can search for 'ld.so' files — if any of the files do not contain the string '/etc/ld.so.preload', your system may be compromised," added Sanmillan.

"This is because the trojan implant will attempt to patch instances of ld.so in order to enforce the LD_PRELOAD mechanism from arbitrary locations."
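The check Sanmillan describes, written out as an added shell example (this is not code from Intezer's write-up): it walks the usual library directories for copies of the glibc dynamic loader and flags any copy that no longer contains the literal string '/etc/ld.so.preload'. The directory list, the file-name patterns and the script name check_ld_so.sh are assumptions about a typical glibc-based distribution.

```shell
#!/bin/sh
# Added example (not Intezer's code): flag dynamic-loader copies that no longer
# contain the '/etc/ld.so.preload' string, the indicator Sanmillan describes.
# Assumptions: glibc-based system, loaders live under the directories listed in
# find_loaders, and this file is saved as check_ld_so.sh.

PRELOAD_MARKER='/etc/ld.so.preload'

# loader_has_marker FILE
# Returns 0 if FILE still contains the marker, 1 if it does not (or is unreadable).
# -a treats the ELF binary as text, -F matches the literal string, -q suppresses output.
loader_has_marker() {
    grep -a -F -q "$PRELOAD_MARKER" "$1" 2>/dev/null
}

# find_loaders [DIR...]
# Prints candidate loader files under DIR... (defaults are typical glibc locations).
find_loaders() {
    [ $# -gt 0 ] || set -- /lib /lib64 /usr/lib /usr/lib64 /usr/local/lib
    find "$@" -xdev -type f \
        \( -name 'ld.so' -o -name 'ld-linux*.so*' -o -name 'ld-2.*.so' \) \
        2>/dev/null
}

# check_loaders [DIR...]
# Prints one line per loader found and returns the number of suspect files (0 = clean).
check_loaders() {
    suspicious=0
    # The heredoc keeps the loop in the current shell, so the counter survives it.
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        if loader_has_marker "$f"; then
            printf 'ok       %s\n' "$f"
        else
            printf 'SUSPECT  %s (missing %s)\n' "$f" "$PRELOAD_MARKER"
            suspicious=$((suspicious + 1))
        fi
    done <<EOF
$(find_loaders "$@")
EOF
    return "$suspicious"
}

# Run the scan only when invoked directly as check_ld_so.sh, so the functions
# can also be sourced from another script without side effects.
case "${0##*/}" in
    check_ld_so.sh) check_loaders "$@" ;;
esac
```

Run it as root so every loader copy is readable; a non-zero exit status means at least one loader lacked the string. Two caveats: the indicator is specific to glibc's loader (musl's ld-musl does not read /etc/ld.so.preload, so it is not a candidate here), and a user-mode rootkit that is already preloaded into every process can hook the calls that find and grep make, so for a suspected host compare the loader against the distribution's package or inspect the disk from a clean boot medium.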
