Over the years there have been numerous examples of distributed denial of service (DDoS) malware designed to run on Linux machines and servers. With the advent of the Internet of Things, the number of devices available for attackers to control has skyrocketed, and along with it the number of botnet variants. Cryptominers have also become a common foe for Linux admins. It is rare, however, to see Linux-based malware in other forms, be they trojans or backdoors. Researchers at security firm Intezer have now discovered a previously undetected malware strain targeting Linux systems. In a report published by researcher Ignacio Sanmillan, the malware is described as employing advanced evasion techniques, using rootkit components to hide trojan-based payloads.
The malware, called HiddenWasp, appears to base much of its code on the recently discovered Linux version of the Winnti malware, a hacking tool allegedly developed by state-sponsored Chinese hackers.
The report published by Intezer highlights several similarities between HiddenWasp and the Linux version of Winnti. According to the researchers, both share some of the environment variables used in an open-source rootkit known as Azazel. The researchers further stated,
“In addition, we also see a high rate of shared strings with other known ChinaZ malware, reinforcing the possibility that actors behind HiddenWasp may have integrated and modified some MD5 implementation from [the] Elknot [malware] that could have been shared in Chinese hacking forums”
Not only that, but HiddenWasp also shares certain connections with a Chinese open-source rootkit for Linux known as Adore-ng, and even reuses some code from the Mirai IoT malware.
It is not uncommon for hackers and other threat actors to copy and paste bits of code taken from other malware strains. However, the researchers found some interesting clues which may suggest that HiddenWasp is being operated from within China. The researchers stated that,
“We observed that [the HiddenWasp] files were uploaded to VirusTotal using a path containing the name of a Chinese-based forensics company known as Shen Zhou Wang Yun Information Technology Co., Ltd. Furthermore, the malware implants seem to be hosted in servers from a physical server hosting company known as ThinkDream located in Hong Kong,”
As HiddenWasp has only recently been discovered, not much is known about the malware. As yet the infection vector is unknown, but it may be distributed to already compromised machines. If so, HiddenWasp is a second-stage payload: the attacker first compromises targeted machines using other tools, then installs HiddenWasp once access to the system has been gained. Once installed, HiddenWasp is designed to interact with the local file system and can upload, download, and run files. From the initial investigation, the malware also appears capable of running terminal commands. Perhaps HiddenWasp’s most defining feature is its ability to remain undetected on compromised systems. This led the researchers to conclude that if the trend toward more sophisticated Linux malware continues,
“Linux malware may introduce new challenges for the security community that we have not yet seen in other platforms. The fact that this malware manages to stay under the radar should be a wake-up call for the security industry to allocate greater efforts or resources to detect these threats.”
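The report ties HiddenWasp's evasion to rootkit components and to environment variables borrowed from Azazel, which is an LD_PRELOAD-based userland rootkit. A first-line check a Linux admin can run for that class of hiding is shown below. This is an added example written for this page, not Intezer's tooling or anything from the report; it assumes a Linux host with glibc's standard /etc/ld.so.preload path and the usual /proc layout, and the sample inputs inside the test are constructed. It looks for preload entries on disk and in process environments, and compares the PIDs that a readdir() of /proc reports (the call a preloaded hook typically filters) with PIDs found by probing kill(pid, 0), which takes a different path.

```python
"""Defender-side checks for LD_PRELOAD-style userland rootkit artifacts.

Added example; assumes a glibc-based Linux host with /proc mounted.
"""
import os
import sys
from pathlib import Path

LD_SO_PRELOAD = Path("/etc/ld.so.preload")  # standard glibc preload file


def parse_ld_so_preload(text):
    """Return the shared objects named in an /etc/ld.so.preload body.

    glibc separates entries with whitespace or ':' and ignores '#' comments.
    On a host where nobody intentionally preloads libraries, any entry is
    worth a look; a path under /tmp, /dev/shm or a dot-directory more so.
    """
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        entries.extend(line.replace(":", " ").split())
    return entries


def preload_from_environ(environ_blob):
    """Extract LD_PRELOAD from the NUL-separated bytes of /proc/<pid>/environ."""
    for item in environ_blob.split(b"\0"):
        if item.startswith(b"LD_PRELOAD="):
            return item[len(b"LD_PRELOAD="):].decode("utf-8", "replace")
    return None


def listed_pids(proc_root="/proc"):
    """PIDs as reported by readdir() on /proc: the view a preloaded hook can filter."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def probed_pids(max_pid):
    """PIDs that answer kill(pid, 0). EPERM still means the process exists."""
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        found.add(pid)
    return found


def hidden_pids(listed, probed):
    """Processes reachable by probe but absent from the directory listing.

    A PID that exited between the two snapshots can show up here, so re-check
    any hit with os.path.exists('/proc/<pid>') before raising an alarm.
    """
    return set(probed) - set(listed)


def run_host_checks():
    """Run all three checks against the live host and return the findings."""
    findings = {"ld_so_preload": [], "env_preload": {}, "hidden_pids": set()}
    if LD_SO_PRELOAD.exists():
        findings["ld_so_preload"] = parse_ld_so_preload(LD_SO_PRELOAD.read_text())
    listed = listed_pids()
    for pid in listed:
        try:
            value = preload_from_environ(Path(f"/proc/{pid}/environ").read_bytes())
        except OSError:
            continue  # not our process, or it already exited
        if value:
            findings["env_preload"][pid] = value
    max_pid = int(Path("/proc/sys/kernel/pid_max").read_text())
    findings["hidden_pids"] = {
        pid for pid in hidden_pids(listed, probed_pids(max_pid))
        if os.path.exists(f"/proc/{pid}")
    }
    return findings


if __name__ == "__main__":
    if not sys.platform.startswith("linux"):
        sys.exit("this check only makes sense on Linux")
    for key, value in run_host_checks().items():
        print(f"{key}: {value or 'none'}")
```

Run it as root so every process's environ is readable. The obvious caveat is that a preload rootkit injected into this very interpreter can also hook kill() and open(); a statically linked checker, or a comparison made from outside the host (for example against the kernel's view via a forensic image or a hypervisor), gives a stronger signal.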
As mentioned above, HiddenWasp shares more than a few similarities with Winnti. The latter also made headlines recently when a Linux variant of the malware was discovered by Chronicle. From their analysis, the Linux variant has far too much in common with the Windows version to be considered a unique malware specimen of its own. Among the shared traits was the way the Linux variant handled outbound communications with its command-and-control (C&C) server: the C&C traffic used a mixture of protocols (ICMP, HTTP, and custom TCP and UDP protocols), as seen with the Windows variant. The Linux version also possessed another feature distinctive of the Windows version, the ability for the operators to initiate connections to infected hosts without going through the C&C servers. This secondary communication method could, in theory, allow Winnti operators to regain access to networks they had previously been booted from. Like HiddenWasp, Winnti consists of two parts, a rootkit and a backdoor.
The researchers, in this case, shared a similar conclusion to the ones investigating HiddenWasp, stating that,
“The threat actors utilizing this toolset have repeatedly demonstrated their expertise in compromising Windows-based environments. An expansion into Linux tooling indicates iteration outside of their traditional comfort zone. This may indicate the OS requirements of their intended targets but it may also be an attempt to take advantage of a security telemetry blindspot in many enterprises, as is with Penguin Turla and APT28’s Linux XAgent variant.”
With the emergence of both HiddenWasp and Winnti, in particular its Linux variant, it is becoming clear that state-sponsored and nation-state threat actors are not bound by the false assumption that they will only target Windows machines. While still relatively rare, Linux malware does exist, and attackers will use whatever tools they need to get the job done regardless of the operating system. It has been suggested that Linux malware, especially that designed by state-sponsored groups, is far less prevalent than its Windows counterpart because Linux provides ample opportunity for actors to live off the land, which renders customized tooling unnecessary. This “live off the land” approach means that hackers simply use legitimate tools already on the system to open a backdoor into it. If a tool already exists, why spend time creating one to serve the exact same purpose? Such tactics have become increasingly favored by state-sponsored groups because they increase the actors' ability to remain undetected for extended periods of time.