Researchers at Intezer have discovered a new and dangerous Linux-based malware that has escaped detection by antivirus products and appears to be actively used in targeted attacks.
The malware, dubbed HiddenWasp, reuses code from “various publicly available open-source malware, such as Mirai and the Azazel rootkit.” Although it appears to have been created only last month, what makes HiddenWasp dangerous is that, at the moment, it has a zero detection rate in all popular malware protection systems.
It is not yet clear how systems are becoming infected, but in a blog post Ignacio Sanmillian, a researcher at Intezer, explains that the infection process involves creating a new user account, seemingly so that the attackers retain access to the infected system even if HiddenWasp itself is removed.
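The persistence mechanism described above (a newly created user account that outlives the implant) is cheap to check for from the defender's side. The following Python script is an added example, not Intezer's code or anything from the HiddenWasp analysis: it diffs the current /etc/passwd against a known-good baseline and flags every added account, calling out UID 0 accounts and accounts with an interactive login shell. The passwd snapshots, account names and the list of interactive shells are constructed for the example.

```python
"""Detect user accounts added since a known-good baseline of /etc/passwd.

Added example for this page (not Intezer's code). HiddenWasp's infection
process is reported to create a new user account so that access survives
removal of the implant; diffing the account list against a baseline and
flagging additions is one simple detection for that behaviour.
"""

from dataclasses import dataclass

# Shells that permit interactive login (assumed list for the example);
# /usr/sbin/nologin and /bin/false do not.
INTERACTIVE_SHELLS = {
    "/bin/sh", "/bin/bash", "/bin/zsh", "/bin/dash",
    "/usr/bin/bash", "/usr/bin/zsh",
}


@dataclass(frozen=True)
class Account:
    name: str
    uid: int
    gid: int
    home: str
    shell: str


def parse_passwd(text: str) -> dict[str, Account]:
    """Parse passwd-format text (name:pw:uid:gid:gecos:home:shell) into a dict keyed by name."""
    accounts: dict[str, Account] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd entry on line {lineno}: {raw!r}")
        name, _pw, uid, gid, _gecos, home, shell = fields
        accounts[name] = Account(name, int(uid), int(gid), home, shell)
    return accounts


def find_new_accounts(baseline: str, current: str) -> list[dict]:
    """Return accounts present in `current` but absent from `baseline`, with risk flags.

    Each finding records whether the account is UID 0 (root-equivalent) and
    whether its shell allows interactive login, so the most dangerous additions
    stand out in the report.
    """
    before = parse_passwd(baseline)
    after = parse_passwd(current)
    findings = []
    for name in sorted(set(after) - set(before)):
        acct = after[name]
        findings.append({
            "name": name,
            "uid": acct.uid,
            "root_equivalent": acct.uid == 0,
            "interactive_shell": acct.shell in INTERACTIVE_SHELLS,
            "shell": acct.shell,
            "home": acct.home,
        })
    return findings


# Constructed sample data: a baseline captured from a clean host, and a later
# snapshot of the same host with two accounts that were not there before.
BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

CURRENT_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
sysupdate:x:0:0::/tmp/.sysupdate:/bin/bash
backup2:x:1001:1001::/var/backups:/usr/sbin/nologin
"""


if __name__ == "__main__":
    for finding in find_new_accounts(BASELINE_PASSWD, CURRENT_PASSWD):
        flags = []
        if finding["root_equivalent"]:
            flags.append("UID 0")
        if finding["interactive_shell"]:
            flags.append("interactive shell")
        print(f"new account {finding['name']} (uid {finding['uid']}): "
              f"{', '.join(flags) or 'no extra flags'}")
```

On a real host, pass the contents of a baseline copy of /etc/passwd (taken at provisioning time and stored off-box) and the live file to find_new_accounts. The baseline comparison is the important part: a UID 0 account or an interactive shell is not suspicious by itself, but an account that appeared without a corresponding change-management record is, and the two flags simply prioritise which additions to look at first.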
Sanmillian also wrote:
We analyzed every component of HiddenWasp explaining how the rootkit and trojan implants work in parallel with each other in order to enforce persistence in the system.
We have also covered how the different components of HiddenWasp have adapted pieces of code from various open-source projects. Nevertheless, these implants managed to remain undetected.
Linux malware may introduce new challenges for the security community that we have not yet seen in other platforms. The fact that this malware manages to stay under the radar should be a wake-up call for the security industry to allocate greater efforts or resources to detect these threats.
Linux malware will continue to become more complex over time and currently even common threats do not have high detection rates, while more sophisticated threats have even lower visibility.
For a more detailed analysis on the HiddenWasp malware, click here.