HiddenWasp and the Emergence of Linux-based Threats

Intezer

This blog post was featured as contributing content for the Retail and Hospitality Information Sharing and Analysis Center (RH-ISAC).

The Linux threat ecosystem is crowded with IoT DDoS botnets and crypto-mining malware. However, with low detection rates in nearly all leading anti-virus solutions, Linux threats pose challenges to the information security community that have not previously been observed on other operating systems.

The low detection rates in anti-virus solutions can likely be attributed to the rapid growth of modern, cloud-based infrastructure in recent years. However, as the information security community has struggled to find a consistent solution, malware authors have been quick to capitalize.

Linux malware authors do not invest much time or effort in writing their implants. This is because in an open-source ecosystem there is a high ratio of publicly available code that can be quickly copied and adapted by adversaries to produce their own malware. In addition, as anti-virus solutions for Linux have proven less resilient than those for other platforms, adversaries have become less concerned with implementing elaborate evasion techniques, because even threats that reuse extensive amounts of code have largely managed to stay under the radar.

Malware with strong evasion techniques does, however, exist on the Linux platform. A large proportion of publicly available open-source malware uses strong evasion techniques and can easily be adapted by adversaries.

Advanced HiddenWasp Malware Stings Targeted Linux Systems

Researchers at Intezer recently discovered an undetected malware targeting Linux systems. The malware—which the researchers named HiddenWasp—was enforcing advanced evasion techniques with the use of rootkits in order to avoid detection.

HiddenWasp is a fully developed suite of malware that includes a trojan, a rootkit and an initial deployment script. The malware is used for targeted attacks against victims who have already been infected. HiddenWasp has the ability to download and execute code, upload files and perform a variety of commands, for the sole purpose of gaining remote control over the infected system. This is different from common Linux malware, which performs distributed denial-of-service (DDoS) attacks or mines cryptocurrencies.

In addition, HiddenWasp authors have adopted large portions of code from various publicly available open-source malware, such as Mirai and the Azazel rootkit, and there are similarities between the malware and other Chinese malware families.

At the time the research was published, HiddenWasp had a zero-detection rate in all major anti-virus systems. Since then, some—but not all—of the engines in VirusTotal have begun to flag the malware.

The technical analysis published by Intezer also includes relevant IOCs (IP addresses to block) and a YARA rule for preventing and responding to future variants of this threat.
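As an added illustration of how the network IOCs from such an analysis are put to use on the responder side (this is example code written for this page, not Intezer's tooling, and the IP addresses and log lines below are constructed placeholders in documentation ranges, not the real HiddenWasp indicators), the following script loads an IOC list of single IPs and CIDR ranges and matches it against netfilter-style firewall log lines, counting which internal hosts contacted listed addresses so they can be prioritised for host triage:

```python
import ipaddress
import re
from collections import Counter

# Placeholder IOC list in documentation ranges (RFC 5737). These are NOT the
# HiddenWasp indicators; substitute the addresses from the published analysis.
IOC_TEXT = """
# one entry per line; single IPs or CIDR ranges; '#' starts a comment
192.0.2.10
198.51.100.0/24
"""

# Constructed sample of iptables/netfilter-style kernel log lines.
SAMPLE_LOG = """
Jun  5 10:01:12 host1 kernel: IN= OUT=eth0 SRC=10.0.0.5 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=443
Jun  5 10:01:15 host1 kernel: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.5 PROTO=TCP SPT=51235 DPT=80
Jun  5 10:02:40 host1 kernel: IN= OUT=eth0 SRC=10.0.0.7 DST=198.51.100.77 PROTO=TCP SPT=40112 DPT=8080
Jun  5 10:03:01 host1 kernel: IN= OUT=eth0 SRC=10.0.0.5 DST=192.0.2.10 PROTO=TCP SPT=51240 DPT=443
"""

# Only the key=value fields we need from each log line.
_KV = re.compile(r"\b(SRC|DST|DPT)=(\S*)")


def load_iocs(text):
    """Parse an IOC list into ip_network objects; plain IPs become /32 (or /128) networks."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def parse_conn_line(line):
    """Return (src, dst, dport) from a netfilter-style log line, or None if it has no SRC/DST."""
    fields = dict(_KV.findall(line))
    if "SRC" not in fields or "DST" not in fields:
        return None
    return fields["SRC"], fields["DST"], fields.get("DPT", "")


def is_ioc(ip_str, nets):
    """True if ip_str parses as an address and falls inside any listed network."""
    try:
        addr = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(addr in net for net in nets)


def match_connections(log_text, nets):
    """Return (hits, per_source_counts) for every logged connection to an IOC address."""
    hits = []
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_conn_line(line)
        if parsed is None:
            continue
        src, dst, dport = parsed
        if is_ioc(dst, nets):
            hits.append({"src": src, "dst": dst, "dport": dport})
            counts[src] += 1
    return hits, counts


if __name__ == "__main__":
    nets = load_iocs(IOC_TEXT)
    hits, counts = match_connections(SAMPLE_LOG, nets)
    for h in hits:
        print(f"ALERT {h['src']} -> {h['dst']}:{h['dport']}")
    for src, n in counts.most_common():
        print(f"{src}: {n} connection(s) to IOC addresses, candidate for host triage")
```

Matching on CIDR ranges rather than exact strings matters because published indicators are often whole netblocks, and the per-source counts turn a stream of firewall hits into a short list of hosts to examine for the rootkit and trojan components. Blocking the IOC addresses at the perimeter, as the analysis recommends, remains the prevention step; this script covers the detection and response side.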

The recent discovery of HiddenWasp further supports the notion that Linux threats will become more complex over time, and the information security community needs to allocate additional resources to more effectively detect and respond to these threats at scale.

Upcoming Webinar

On Wednesday, July 10 at 11:00 am ET, RH-ISAC associate member Intezer will provide further context into threats developing on Linux-based machines.

Topics covered will include:

  • Recent history and analysis of Linux threats, including crypto-miners, backdoors and botnets
  • Advanced, targeted Linux threats, including HiddenWasp
  • Reasons for low Linux detection rates
  • Mitigation recommendations and the importance of code reuse detection