Advanced Linux Backdoor Found in the Wild Escaped AV Detection

Accepted submission by Fnord666 at 2019-05-31 04:41:06
Security

Researchers say they've discovered an advanced piece of Linux malware that has escaped detection by antivirus products and appears to be actively used in targeted attacks.

HiddenWasp, as the malware has been dubbed, is a fully developed suite of malware that includes a trojan, rootkit, and initial deployment script, researchers at security firm Intezer reported on Wednesday [intezer.com]. At the time Intezer's post went live, the VirusTotal malware service indicated HiddenWasp wasn't detected by any of the 59 antivirus engines it tracks, although some have now begun to flag it. Time stamps in one of the 10 files Intezer analyzed indicated it was created last month. The command and control server that infected computers report to remained operational at the time this article was being prepared.

Some of the evidence analyzed—including code showing that the computers it infects are already compromised by the same attackers—indicated that HiddenWasp is likely a later stage of malware that gets served to targets of interest who have already been infected by an earlier stage. It's not clear how many computers have been infected or how any earlier related stages get installed. With the ability to download and execute code, upload files, and perform a variety of other commands, the purpose of the malware appears to be to remotely control the computers it infects. That's different from most Linux malware, which exists to perform denial of service attacks or mine cryptocurrencies.

[...] Since Wednesday's post went live, AV detection rates have grown, but at the time Ars published this article, the rates still remained low. Depending on the file being analyzed, the rates ranged from two to 13, out of 59 AV engines tracked.

[...] Wednesday's post lists indicators of compromise that people can use to tell if their computers have been infected. One telltale sign: "ld.so" files that don't contain the string "/etc/ld.so.preload." This is the result of the HiddenWasp trojan trying to patch instances of ld.so to enforce the LD_PRELOAD mechanism from arbitrary locations.
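The ld.so indicator above can be turned into a host check: an added example, not code from Intezer or Ars, that assumes a glibc system and the loader locations listed in LOADER_GLOBS (both are assumptions; adjust them for your distribution).

```python
import glob
import os
from typing import List, Optional

ELF_MAGIC = b"\x7fELF"
# An unmodified glibc loader embeds this path as a string literal.
PRELOAD_PATH_LITERAL = b"/etc/ld.so.preload"
# Common glibc loader locations (assumed; adjust per distribution).
# musl and other libcs never embed the literal, so keep them out of this list.
LOADER_GLOBS = ["/lib/ld-linux*.so.*", "/lib64/ld-linux*.so.*",
                "/lib/*/ld-linux*.so.*"]


def loader_image_is_suspicious(data: bytes) -> Optional[bool]:
    """False: literal present (expected). True: ELF image without the
    literal (suspicious, likely patched). None: not an ELF file at all."""
    if not data.startswith(ELF_MAGIC):
        return None
    return PRELOAD_PATH_LITERAL not in data


def check_loader_file(path: str) -> Optional[bool]:
    """Classify one on-disk loader; None if it cannot be read."""
    try:
        with open(path, "rb") as fh:
            return loader_image_is_suspicious(fh.read())
    except OSError:
        return None


def find_loaders(patterns: List[str] = LOADER_GLOBS) -> List[str]:
    """Resolve glob patterns to unique real files, following symlinks."""
    found = {os.path.realpath(m) for p in patterns for m in glob.glob(p)}
    return sorted(f for f in found if os.path.isfile(f))


def suspicious_loaders(paths: List[str]) -> List[str]:
    """Subset of paths whose ELF image lacks the preload literal."""
    return [p for p in paths if check_loader_file(p) is True]


if __name__ == "__main__":
    loaders = find_loaders()
    flagged = set(suspicious_loaders(loaders))
    for path in loaders:
        print(("SUSPICIOUS" if path in flagged else "ok        "), path)
```

A loader flagged here should be compared against the distribution's packaged copy before drawing conclusions, since a missing literal is a strong hint but not proof of tampering.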

Source:
https://arstechnica.com/information-technology/2019/05/advanced-linux-backdoor-found-in-the-wild-escaped-av-detection/ [arstechnica.com]

