Linux systems haven't been targeted as broadly as Windows, and the rare incidents that do occur often go undetected by enterprises, since they are seldom severe enough to receive wide coverage from security researchers. Lately, however, the Linux ecosystem has become crowded with DDoS botnets and crypto-mining malware, though trojans and backdoors are still uncommon in the wild.
The cybersecurity firm Intezer has reported a malware family, dubbed HiddenWasp, that uses sophisticated techniques built on already available open-source code. The malware is currently rated high risk and dangerous, all the more so because it has a zero detection rate across the popular anti-malware engines.
HiddenWasp's code shows close ties to various publicly available open-source malware, such as Mirai and the Azazel rootkit, and there are further similarities to some Chinese malware variants, although that attribution is of low confidence.
Unlike Windows, an open-source ecosystem like Linux has a high ratio of publicly available code that attackers can duplicate, so malware authors invest less effort in rewriting their implants.
Deployment begins with an initial script that creates a user named 'sftp' with a hardcoded password; the script then cleans the system of older versions of the malware in case the machine is already infected.
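The one host-level indicator the report gives, an added 'sftp' account with a hardcoded password, can be checked for from the defender's side. The following script is an added example, not code from Intezer or from HiddenWasp; it audits passwd/shadow-style records for that account name and assumes nothing else about the implant, and the sample records it runs on are constructed.

```python
# Added example (not code from the Intezer report or from HiddenWasp itself): audit local
# account records for the indicator the article gives, a deployment script that adds a
# user named 'sftp' with a hard-coded password. The passwd/shadow lines below are
# constructed samples with placeholder hashes, not records from a real host.
SUSPECT_USERS = {"sftp"}  # account name cited in the article
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

def parse_passwd(text):
    """Map name -> (uid, shell) from colon-separated /etc/passwd lines."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7:
            users[fields[0]] = (int(fields[2]), fields[6])
    return users

def parse_shadow(text):
    """Map name -> password field from /etc/shadow lines."""
    return {f[0]: f[1] for f in (l.split(":") for l in text.splitlines()) if len(f) >= 2}

def password_usable(hash_field):
    """'*' and '!'-prefixed fields are disabled or locked; an empty field means no
    password is required at all, so it counts as usable."""
    return hash_field != "*" and not hash_field.startswith("!")

def audit_accounts(passwd_text, shadow_text):
    """Return (user, uid, shell, reason) tuples for accounts matching the indicator."""
    findings = []
    hashes = parse_shadow(shadow_text)
    for name, (uid, shell) in parse_passwd(passwd_text).items():
        if name not in SUSPECT_USERS:
            continue
        h = hashes.get(name)  # None: no shadow entry, so no password to log in with
        if h is not None and password_usable(h) and shell not in NOLOGIN_SHELLS:
            findings.append((name, uid, shell, "suspect name, usable password, login shell"))
        elif uid == 0:
            findings.append((name, uid, shell, "suspect name with uid 0"))
    return findings

# Constructed sample records (hash values are placeholders)
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
sftp:x:1001:1001::/home/sftp:/bin/bash
svc:x:1002:1002::/srv:/usr/sbin/nologin
"""
SAMPLE_SHADOW = """root:$6$salt$placeholder:19000:0:99999:7:::
sftp:$6$salt$placeholder:19000:0:99999:7:::
svc:!:19000:0:99999:7:::
"""

if __name__ == "__main__":  # on a live host, read /etc/passwd and /etc/shadow as root instead
    for finding in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(finding)
```

A match is only a lead: a legitimately provisioned 'sftp' service account will also trigger it, so confirm against your provisioning records before acting.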
HiddenWasp is not focused on DDoS activity or crypto-mining; the trojan is used purely for targeted remote control. The researchers have not yet unraveled the actual infection vector; rather, it is suspected that the malware spreads on systems already controlled by the attackers, which would mean HiddenWasp is used merely as a secondary payload.