Last Wednesday, the security firm Intezer reported the existence of HiddenWasp, a new advanced Linux malware that has managed to evade antivirus detection and that has apparently already been used in targeted attacks. HiddenWasp is in fact a complete malicious suite that includes a trojan, a rootkit, and a deployment script, none of which was detected by any of the company's 59 antivirus engines at the time of the discovery.
The malware was created in April, according to Intezer, and the command and control server the suite uses to manage infected systems still appears to be up and running. From the clues it analyzed, the security company concluded that the operation is likely at an advanced stage: the attackers have already begun delivering more advanced code to systems of interest, after first infecting them with an initial, rudimentary version.
With the most advanced version of the malicious package, the attackers can download and execute code, upload files and run various commands to remotely control the infected computers. This is almost a novelty on Linux, where most malware is used for cryptocurrency mining or DDoS attacks.
Ignacio Sanmillan of Intezer wrote: "Malware for Linux could present new challenges that have never been seen on other platforms. The fact that this malware can go unnoticed should sound like a wake-up call to the security industry, so that the latter can allocate more effort and resources to detect these threats."
Part of the code used in HiddenWasp appears to be borrowed from Mirai, while other parts resemble established malware in the Linux environment, such as the Azazel rootkit or Winnti-Linux, a port of the Windows variant.
Since Intezer published its analysis of the backdoor, antivirus detection of HiddenWasp has increased, although progress has been slow. On Wednesday the company also released some information for checking whether the infection is present on a system, such as looking for "ld.so" files that do not contain the "/etc/ld.so.preload" string. This check works because the malware modifies instances of ld.so to enforce the behaviour it needs, which removes that string.
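The ld.so check described above, as an added example written for this article (it is not Intezer's own tooling): the script lists dynamic-linker binaries and reports any that lack the "/etc/ld.so.preload" string. The search directories and the file-name patterns for ld.so variants are assumptions.

```shell
#!/bin/sh
# Added example, not from Intezer's report: flag dynamic-linker files that do
# not contain the "/etc/ld.so.preload" string (the indicator the article cites).
# Search paths and ld.so name patterns are assumptions about a typical system.

LD_SO_PRELOAD_STR="/etc/ld.so.preload"

# find_ld_so DIR...: list candidate dynamic-linker files under the given dirs.
find_ld_so() {
    find "$@" -xdev -type f \
        \( -name 'ld.so' -o -name 'ld-*.so*' -o -name 'ld-linux*.so*' \) 2>/dev/null
}

# check_ld_so FILE...: print a verdict per file.
# Returns 0 if every file contains the preload string, 1 if any file lacks it.
check_ld_so() {
    suspicious=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        if grep -q -F "$LD_SO_PRELOAD_STR" "$f"; then
            echo "ok:         $f"
        else
            echo "SUSPICIOUS: $f (missing $LD_SO_PRELOAD_STR string)"
            suspicious=1
        fi
    done
    return $suspicious
}

# scan_system: run the check over the usual linker locations (assumed paths).
scan_system() {
    check_ld_so $(find_ld_so /lib /lib64 /usr/lib /usr/lib64)
}

# Run the scan only when executed directly under this (assumed) script name.
if [ "${0##*/}" = "check_ld_so.sh" ]; then
    scan_system
fi
```

A non-zero exit status from scan_system means at least one linker file lacks the string and deserves closer inspection against a known-good copy from the distribution package.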