A sophisticated malware campaign dubbed “HiddenWasp” is targeting Linux systems with the goal of targeted remote control. Some researchers have linked the malware to the Winnti Umbrella cluster of advisaries but attribution is uncertain at the moment.
Unlike other Linux malware, HiddenWasp’s goal isn’t to mine cryptocurrency or launch DDoS activity but instead in targeted attacks for victims who are already under the attackers control or have already been under heavy reconnaissance, according to a May 29 Intezer blog post.
Researchers said the malware has a zero-detection rate in all major anti-virus systems and is still active with evidence that its authors adopted a large amount of code from various publicly available open-source malware, such as Mirai and the Azazel rootkit.
“In addition, Anti-Virus solutions for Linux tend to not be as resilient as in other platforms,” researchers said in the report. “Therefore, threat actors targeting Linux systems are less concerned about implementing excessive evasion techniques since even when reusing extensive amounts of code, threats can relatively manage to stay under the radar.”
HiddenWasp is also similar to other Chinese malware families however researchers weren’t confident in making the attribution. The malware appears to be hosted in servers from a Hong Kong-based company known as ThinkDream.
Tom Hegel, security researcher, AT&T Cybersecurity’s Alien Labs said their firm has linked HiddenWasp t, to the Winnti Umbrella (cluster of adversaries).
“There are a lot of unknowns, as pieces of this toolkit have a few code overlaps/reuse with various open source tools,” Hegel said. “However based on a large pattern of infrastructure overlap and design, in addition to its use on targets, we assess with high confidence the association to the Winnti Umbrella.”
Researcher warn Linux malware like this will continue to become more complex over time and that as they become more sophisticated they will be even more difficult to detect.