(Reference: www.intezer.com)
The American cybersecurity company Intezer disclosed a new malware targeting the Linux operating system on May 19th, 2019. The key takeaways are as follows:
- A new and sophisticated malware named “HiddenWasp” is targeting Linux systems.
- The malware is still active and had a zero-detection rate in all major anti-virus systems as of May 19th, 2019.
- Rather than focusing on crypto-mining or DDoS activity like common Linux malware, “HiddenWasp” is used purely for targeted remote control.
- Evidence strongly suggests that the malware is used in targeted attacks against victims who are already under the attacker’s control or have been subjected to heavy reconnaissance.
- Possible adversary: Winnti
For further information, please see the following link: https://www.intezer.com/blog-hiddenwasp-malware-targeting-linux-systems/
Zero detection on VirusTotal on 19th May
ThreatSonar Linux scanner
The ThreatSonar scanner (ver. 20190413) supports Linux distributions such as CentOS, RHEL, Debian, Ubuntu and openSUSE.
Our analysts found that “HiddenWasp” contains a rootkit that is able to hide itself from detection. However, ThreatSonar is capable of identifying the related shell scripts and listing them at the highest threat level.
ThreatSonar detects the related shell scripts of HiddenWasp
You can find our demo video at the link below: https://drive.google.com/open?id=13EybLqxAPeO1-E2OzjHKVvdCzHfK6FVL
Bring Your Own Intelligence
TeamT5 optimized Intezer’s YARA rule for “HiddenWasp”. We suggest importing it into ThreatSonar with the steps below:
- Go to “Custom Yara”.
- Click “Add Ruleset” and paste the YARA rule into the editor.
- Set “Ruleset Threat Level” and enable it.
- Click “Create Ruleset” to finish.
Built-in YARA rule editor
IoCs of “HiddenWasp” can be imported into ThreatSonar for direct matching as well.
Should you have any questions, please contact [email protected]