HiddenWasp new malware designed for Linux machines to manage them remotely. Unlike the Windows cyber security ecosystem, threats related to Linux systems are not often discussed in sufficient detail. The attacks are either not detected by security mechanisms developed by enterprises, or they are not too serious to be widely reported by security researchers. Unlike Windows malware, the authors of Linux malware seem not to invest too much in writing their implants. In an open source ecosystem, there is a large amount of publicly available code that can be copied and adapted by attackers.
In addition, antivirus solutions for Linux are generally not as robust as on other platforms. Thus, the subjects of threats aimed at Linux systems are less concerned with the implementation of methods of excessive evasion, since even with repeated use of a large amount of code, threats are relatively able to remain in sight.
The first step of the HiddenWasp Linux malware involves running the original script to deploy malware. The hidden script uses a user named sftp with a hard-coded password and cleans the system to destroy old versions of malware in case the machine has already been infected. Next, an archive file is loaded from the server, which contains all the components, including the rootkit and the Trojan. The script also tries to add a binary Trojan in to work even after a reboot. /etc/rc.local
The rootkit associated with malware has a lot in common with the Azazel open source rootkit. It also shares parts of the lines with the ChinaZ malware, Adore-ng and Mirai rootkits. Talking about the capabilities of this hidden malware for Linux, it can run commands on the terminal, execute files, load more scripts, and so on.