Security researchers have found a new strain of Linux malware that appears to have been created by Chinese hackers and has been used as a means to remotely control infected systems.
Named HiddenWasp, this malware is composed of a user-mode rootkit, a trojan, and an initial deployment script.
The malware has a similar structure to another recently-discovered Linux malware strain — the Linux version of Winnti, a famous hacking tool used by Chinese state hackers.
Copy-paste job? Chinese origin?
In a technical report published today, Nacho Sanmillan, a security researcher at Intezer Labs, highlights several connections and similarities that HiddenWasp shares with other Linux malware families, suggesting that some of HiddenWasp code might have been borrowed.
“We found some of the environment variables used in a open-source rootkit known as Azazel,” Sanmillan said.
“In addition, we also see a high rate of shared strings with other known ChinaZ malware, reinforcing the possibility that actors behind HiddenWasp may have integrated and modified some MD5 implementation from [the] Elknot [malware] that could have been shared in Chinese hacking forums,” the researcher added.
Furthermore, Sanmillan also found connections between HiddenWasp and a Chinese open-source rootkit for Linux known as Adore-ng, and even some code reuse with the Mirai IoT malware.
But while HiddenWasp might not be the first malware strain put together by taking code from other projects, the researcher found other interesting clues suggesting that the malware might have been created and operated out of China.
“We observed that [the HiddenWasp] files were uploaded to VirusTotal using a path containing the name of a Chinese-based forensics company known as Shen Zhou Wang Yun Information Technology Co., Ltd.,” Sanmillan said.
“Furthermore, the malware implants seem to be hosted in servers from a physical server hosting company known as ThinkDream located in Hong Kong,” he said.
HiddenWasp used as a second-stage payload
Speaking to ZDNet, Sanmillan said he wasn’t able to discover how hackers are spreading this new malware strain, although the researcher had his own thoughts on the matter.
“Unfortunately, I don’t know what is the initial infection vector,” Sanmillan told us. “Based on our research, it seems most likely that this malware was used in compromised systems already controlled by the attacker.”
Hackers appear to compromise Linux systems using other methods, and then deploy HiddenWasp as a second-stage payload, which they use to control already-infected systems remotely.
According to Sanmillan, HiddenWasp can interact with the local filesystem; upload, download, and run files; run terminal commands; and more.
“From our research, it looks like an implant from a targeted attack,” Sanmilan told ZDNet. “It’s hard to say if it’s used by [a] nation-sponsored attacker or someone else, but it is definitely not the usual DDOS/mining malware for quick profits.”
For now, the mystery still remains about who developed this tool, and in what attacks has this been deployed. Sanmillan has published indicators of compromise (IOCs) and YARA rules that companies can use to scan and detect any infections with HiddenWasp.
Related malware and cybercrime coverage: