Security researchers have found a new strain of Linux malware that appears to have been created by Chinese hackers and has been used as a means to remotely control infected systems. Named HiddenWasp, this malware is composed of a user-mode rootkit, a trojan, and an initial deployment script.
Newly discovered HiddenWasp Linux malware shares similarities with DDoS malware, but is actually a backdoor, @ulexec found https://t.co/0jpRUEUGEn
— Virus Bulletin (@virusbtn) May 30, 2019
Tom Hegel, Security Researcher at AT&T Alien Labs:
“We link the HiddenWasp malware, which is a Linux implant, to the Winnti Umbrella (cluster of adversaries). There are a lot of unknowns, as pieces of this toolkit have a few code overlaps/reuse with various open source tools. However, based on a large pattern of infrastructure overlap and design, in addition to its use on targets, we assess with high confidence the association to the Winnti Umbrella.”
Tim Erlin, VP, Product Management and Strategy at Tripwire:
“HiddenWasp isn’t unique in its technology, other than being targeted at Linux. If you’re monitoring your Linux systems for changes to critical files, or for new files appearing, or for other suspicious changes, you’re likely to identify malware like HiddenWasp. You might not know what it is at first, but catching the changes this malware makes will give you an edge on mean time to recovery.”
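The file-change monitoring Erlin describes can be reduced to a baseline-and-compare check: hash every regular file under the directories you care about, store the result, and later report anything added, modified or removed. The script below is an added illustration, not code from the article or from any of the quoted vendors; the directory tree it scans is constructed in a temporary folder, and the file names in it are placeholders chosen for the demo.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root):
    """Return {relative_path: sha256_hex} for every regular file under root.

    Symlinks are skipped so a link pointing outside the tree is not followed.
    """
    root = Path(root)
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue
            rel = str(path.relative_to(root))
            baseline[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return baseline


def diff_snapshots(old, new):
    """Compare two snapshots and list new, changed and missing paths."""
    added = sorted(p for p in new if p not in old)
    removed = sorted(p for p in old if p not in new)
    modified = sorted(p for p in new if p in old and new[p] != old[p])
    return {"added": added, "modified": modified, "removed": removed}


def demo():
    """Constructed scenario: baseline a small tree, then simulate the kind of
    change a dropped implant would cause (one edited file, one new file)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "usr" / "lib").mkdir(parents=True)
        (root / "etc" / "profile").write_text("export PATH=/usr/bin\n")
        (root / "usr" / "lib" / "libexample.so").write_bytes(b"\x7fELF-placeholder")
        before = snapshot(root)  # baseline taken on a known-good system

        # Simulated tampering: a startup file edited and an unexpected library added.
        (root / "etc" / "profile").write_text("export PATH=/usr/bin\n/tmp/.x &\n")
        (root / "usr" / "lib" / "unexpected.so").write_bytes(b"\x7fELF-placeholder-2")
        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    print(demo())
```

Running the file prints the three lists; in a real deployment the baseline would be written to read-only or off-host storage and the comparison scheduled, since a rootkit that gains control of the host can also tamper with a baseline kept locally.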