Malware believed to have been created by Chinese hackers.
Security researchers have found a new strain of Linux malware that appears to have been created by Chinese hackers and has been used as a means to remotely control infected systems.
Named HiddenWasp, this malware is composed of a user-mode rootkit, a trojan, and an initial deployment script.
The malware has a similar structure to another recently-discovered Linux malware strain — the Linux version of Winnti, a famous hacking tool used by Chinese state hackers.
COPY-PASTE JOB? CHINESE ORIGIN?
In a technical report published today, Nacho Sanmillan, a security researcher at Intezer Labs, highlights several connections and similarities that HiddenWasp shares with other Linux malware families, suggesting that some of HiddenWasp's code might have been borrowed.
“We found some of the environment variables used in an open-source rootkit known as Azazel,” Sanmillan said.
“In addition, we also see a high rate of shared strings with other known ChinaZ malware, reinforcing the possibility that actors behind HiddenWasp may have integrated and modified some MD5 implementation from [the] Elknot [malware] that could have been shared in Chinese hacking forums,” the researcher added.
Furthermore, Sanmillan also found connections between HiddenWasp and a Chinese open-source rootkit for Linux known as Adore-ng, and even some code reuse with the Mirai IoT malware.
But while HiddenWasp might not be the first malware strain put together by taking code from other projects, the researcher found other interesting clues suggesting that the malware might have been created and operated out of China.
“We observed that [the HiddenWasp] files were uploaded to VirusTotal using a path containing the name of a Chinese-based forensics company known as Shen Zhou Wang Yun Information Technology Co., Ltd.,” Sanmillan said.
“Furthermore, the malware implants seem to be hosted in servers from a physical server hosting company known as ThinkDream located in Hong Kong,” he said.
HIDDENWASP USED AS A SECOND-STAGE PAYLOAD
Speaking to ZDNet, Sanmillan said he wasn’t able to discover how hackers are spreading this new malware strain, although the researcher had his own thoughts on the matter.
“Unfortunately, I don’t know what the initial infection vector is,” Sanmillan told us. “Based on our research, it seems most likely that this malware was used in compromised systems already controlled by the attacker.”
Hackers appear to compromise Linux systems using other methods, and then deploy HiddenWasp as a second-stage payload, which they use to control already-infected systems remotely.
According to Sanmillan, HiddenWasp can interact with the local filesystem; upload, download, and run files; run terminal commands; and more.
“From our research, it looks like an implant from a targeted attack. It’s hard to say if it’s used by [a] nation-sponsored attacker or someone else, but it is definitely not the usual DDOS/mining malware for quick profits.”