Malware believed to have been created by Chinese hackers.
Security researchers have found a new strain of Linux malware that appears to have been created by Chinese hackers and has been used as a means to remotely control infected systems.
Named HiddenWasp, this malware is composed of a user-mode rootkit, a trojan, and an initial deployment script.
The malware has a similar structure to another recently-discovered Linux malware strain — the Linux version of Winnti, a famous hacking tool used by Chinese state hackers.
COPY-PASTE JOB? CHINESE ORIGIN?
In a technical report published today, Nacho Sanmillan, a security researcher at Intezer Labs, highlights several connections and similarities that HiddenWasp shares with other Linux malware families, suggesting that some of HiddenWasp code might have been borrowed.
“We found some of the environment variables used in an open-source rootkit known as Azazel,” Sanmillan said.
“In addition, we also see a high rate of shared strings with other known ChinaZ malware, reinforcing the possibility that actors behind HiddenWasp may have integrated and modified some MD5 implementation from [the] Elknot [malware] that could have been shared in Chinese hacking forums,” the researcher added.
Furthermore, Sanmillan also found connections between HiddenWasp and a Chinese open-source rootkit for Linux known as Adore-ng, and even some code reuse with the Mirai IoT malware.
But while HiddenWasp might not be the first malware strain put together by taking code from other projects, the researcher found other interesting clues suggesting that the malware might have been created and operated out of China.
“We observed that [the HiddenWasp] files were uploaded to VirusTotal using a path containing the name of a Chinese-based forensics company known as Shen Zhou Wang Yun Information Technology Co., Ltd.,” Sanmillan said.
“Furthermore, the malware implants seem to be hosted in servers from a physical server hosting company known as ThinkDream located in Hong Kong,” he said.
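As an added, defender-side example that is not part of this article or Intezer's report: Azazel, which the researcher names above, is an LD_PRELOAD-style user-mode rootkit, so one routine triage step when hunting implants of this kind is to audit LD_PRELOAD in process environments (/proc/<pid>/environ) and the contents of /etc/ld.so.preload. The environ blob, preload file and allow-list below are constructed samples; the page itself does not state how HiddenWasp's rootkit component loads.

```python
# Audit helpers for LD_PRELOAD-based user-mode rootkit persistence on Linux.
import os
import re
from typing import Dict, List

# Constructed allow-list of preload libraries considered legitimate on this
# fleet; tune it for the hosts you manage.
KNOWN_GOOD_PRELOADS = {"/usr/lib/libfakeroot/libfakeroot-sysv.so"}

# Constructed sample inputs standing in for /proc/<pid>/environ and
# /etc/ld.so.preload; the library path is a placeholder, not a real IoC.
SAMPLE_ENVIRON = b"PATH=/usr/bin\0LD_PRELOAD=/tmp/constructed_example.so\0HOME=/root\0"
SAMPLE_PRELOAD_FILE = (
    "# constructed sample\n"
    "/usr/lib/libfakeroot/libfakeroot-sysv.so\n"
    "/tmp/constructed_example.so\n"
)


def parse_environ(blob: bytes) -> Dict[str, str]:
    """Parse the NUL-separated KEY=VALUE layout of /proc/<pid>/environ."""
    env: Dict[str, str] = {}
    for entry in blob.split(b"\0"):
        if b"=" in entry:
            key, _, value = entry.partition(b"=")
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def preload_findings(env: Dict[str, str], preload_file: str) -> List[str]:
    """Return one finding per preload library that is not on the allow-list."""
    findings: List[str] = []
    # The dynamic loader accepts colon- or whitespace-separated LD_PRELOAD lists.
    for lib in re.split(r"[:\s]+", env.get("LD_PRELOAD", "")):
        if lib and lib not in KNOWN_GOOD_PRELOADS:
            findings.append(f"LD_PRELOAD in process environment: {lib}")
    for line in preload_file.splitlines():
        lib = line.strip()
        if lib and not lib.startswith("#") and lib not in KNOWN_GOOD_PRELOADS:
            findings.append(f"/etc/ld.so.preload entry: {lib}")
    return findings


def audit_live_host() -> List[str]:
    """Run the same checks against the running host (needs read access to /proc)."""
    preload = ""
    if os.path.exists("/etc/ld.so.preload"):
        with open("/etc/ld.so.preload", encoding="utf-8", errors="replace") as fh:
            preload = fh.read()
    results = preload_findings({}, preload)
    for pid in (p for p in os.listdir("/proc") if p.isdigit()):
        try:
            with open(f"/proc/{pid}/environ", "rb") as fh:
                results += [f"pid {pid}: {f}" for f in preload_findings(parse_environ(fh.read()), "")]
        except OSError:
            continue  # process exited or not readable; skip it
    return results


if __name__ == "__main__":
    for finding in audit_live_host():
        print(finding)
```

Run it as root (or with CAP_SYS_PTRACE) so that environ of every process is readable; a hit is a lead for further triage, not proof of compromise.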
HIDDENWASP USED AS A SECOND-STAGE PAYLOAD
Speaking to ZDNet, Sanmillan said he wasn’t able to discover how hackers are spreading this new malware strain, although the researcher had his own thoughts on the matter.
“Unfortunately, I don’t know what is the initial infection vector,” Sanmillan told us. “Based on our research, it seems most likely that this malware was used in compromised systems already controlled by the attacker.”
Hackers appear to compromise Linux systems using other methods, and then deploy HiddenWasp as a second-stage payload, which they use to control already-infected systems remotely.
According to Sanmillan, HiddenWasp can interact with the local filesystem; upload, download, and run files; run terminal commands; and more.
“From our research, it looks like an implant from a targeted attack. It’s hard to say if it’s used by [a] nation-sponsored attacker or someone else, but it is definitely not the usual DDOS/mining malware for quick profits.”