Skip to content
UNDER THE RADAR

Advanced Linux backdoor found in the wild escaped AV detection

Fully developed HiddenWasp gives attackers full control of infected machines.

Dan Goodin | 54
Story text

Researchers say they’ve discovered an advanced piece of Linux malware that has escaped detection by antivirus products and appears to be actively used in targeted attacks.

HiddenWasp, as the malware has been dubbed, is a fully developed suite of malware that includes a trojan, rootkit, and initial deployment script, researchers at security firm Intezer reported on Wednesday. At the time Intezer’s post went live, the VirusTotal malware service indicated Hidden Wasp wasn’t detected by any of the 59 antivirus engines it tracks, although some have now begun to flag it. Time stamps in one of the 10 files Intezer analyzed indicated it was created last month. The command and control server that infected computers report to remained operational at the time this article was being prepared.

Some of the evidence analyzed—including code showing that the computers it infects are already compromised by the same attackers—indicated that HiddenWasp is likely a later stage of malware that gets served to targets of interest who have already been infected by an earlier stage. It’s not clear how many computers have been infected or how any earlier related stages get installed. With the ability to download and execute code, upload files, and perform a variety of other commands, the purpose of the malware appears to be to remotely control the computers it infects. That's different from most Linux malware, which exists to perform denial of service attacks or mine cryptocurrencies.

Wake up call

“Linux malware may introduce new challenges for the security community that we have not yet seen in other platforms,” Intezer researcher Ignacio Sanmillan wrote in Wednesday’s post. “The fact that this malware manages to stay under the radar should be a wake up call for the security industry to allocate greater efforts or resources to detect these threats.”

Some of the code appears to be borrowed from Mirai, the Internet-of-things botnet malware whose source code became publicly available in 2016. Other code has similarities to other established projects or malware including the Azazel rootkit, the ChinaZ Elknot implant, and the recently discovered Linux variant of Winnti, a family of malware that previously had been seen targeting only Windows.

In an email, Silas Cutler, lead reverse engineer for Chronicle, the Alphabet-owned security firm that discovered the Winnti Linux variant, wrote:

What was really interesting about the case was that many of the tools for Linux are fairly rudimentary. Even in the case of Winnti-Linux, it was a port of the Windows variant. Borrowing code from open-source projects like Azazel—and (now) Mirai is interesting because ... it may be to masquerade the malware/mislead analysts.

Most Linux malware is, as Intezer stated, focused on DDoS or mining. This malware variant being focused on direct actor control is unique. The intention of this malware . . . is really interesting compared to most *nix stuff. [The developers are] using an open-sourced rootkit to facilitate that access.

The rootkit component, Azazel, is really only for hiding operations. While the Azazel and Mirai links were focused on in the report, ChinaZ elements were reportedly found—which makes me think that the actors were experimenting with combining several tool sets.

The computer that first uploaded one of the HiddenWasp files to VirusTotal used the path containing the name of a Chinese-based forensics company known as Shen Zhou Wang Yun Information Technology Co., Ltd.. The operators also rented servers from Hong Kong-based server hosting company ThinkDream to host their malware.

One of the files uploaded to VirusTotal, a bash script that appears to have been used for testing purposes, led Intezer researchers to a different file. The new file included the user name and password for accounts that appear to have already been added to give attackers persistent access. This evidence led Intezer to believe the malware gets installed on machines that attackers have already compromised. It’s common for advanced malware to come in two or more stages in an attempt to keep infections from being detected and prevent unintended damage.

Since Wednesday’s post went live, AV detection rates have grown, but at the time Ars published this article, the rates still remained low. Depending on the file being analyzed, the rates ranged from two to 13, out of 59 AV engines tracked.

The VirusTotal links are:

Chronicle researcher Brandon Levene uncovered this additional file.

Wednesday’s post lists indicators of compromise that people can use to tell if their computers have been infected. One telltale sign: “ld.so” files that don’t contain the string “/etc/ld.so.preload.” This is the result of the HiddenWasp trojan trying to patch instances of ld.so to enforce the LD_PRELOAD mechanism from arbitrary locations.

Photo of Dan Goodin
Dan Goodin Senior Security Editor
Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him at @dangoodin on Mastodon. Contact him on Signal at DanArs.82.
54 Comments