HiddenWasp malware seizes control of Linux systems

January 15, 2020
hiddenwasp malware linux digital risk protection risk compliance


New found malware dubbed as HiddenWasp believed to be targeting linux ecosystem, developers of this malware deployed it to remotely control infected Linux systems. The malware is also established from key parts of code used in Mirai and Azazel rootkit. Surprisingly, HiddenWasp has a zero-detection rate in all anti malware program under Linux. 



  • This malware main goal is to take control of compromised Linux system open its backend to do remote access. 
  • Hackers appear to compromise Linux systems using other methods, and then deploy HiddenWasp as a second-stage payload, which they use to control already-infected systems remotely. 
  • HiddenWasp can interact with the local filesystem; upload, download, and run files; run terminal commands; and more. 
  • Malware implants seem to be hosted in servers from a physical server hosting company known as ThinkDream located in Hong Kong. 
  • HiddenWasp and a Chinese open-source rootkit for Linux known as Adore-ng, and even some code recycles with the Mirai IoT malware. 
  • HiddenWasp is unlike other recent Linux threats that focus on infecting internet-of-things (IoT) devices for use as part of a distributed-denial-of-service (DDoS) botnet or deploying cryptocurrency-mining malware. 
  • It was found that HiddenWasp’s infrastructure comprised of a user-mode rootkit, a trojan, and an initial deployment script. 
  • HiddenWasp had a similar structure to Linux variants of Winnti, another malware that resurfaced a few days ago. Winnti is used by Chinese state-sponsored hackers. 
  • The researchers found specific files associated with HiddenWasp on VirusTotal. One of the files contained a bash script that deploys the malware. This script once executed downloads a TAR compressed archive. It contains the three components that make-up HiddenWasp. 
  • The user-mode rootkit employed most of the code used in Azazel rootkit, as well as a similar algorithm connected with Mirai botnet. 
  • The trojan in HiddenWasp emerged in the form of statically linked ELF binary connected with stdlibc++. It also shared some code with Elknot malware, which is known to perform DDoS attacks on Linux systems. 



Organizations can toughen their defenses against Linux threats with these best practices: 

  • Patching and updating systems (or employing virtual patching). 
  • Proactively monitoring and inspecting the network for anomalous system modifications or intrusions. 
  • Employing additional security mechanisms. IP filtering, for instance can be used to prevent unauthorized IP addresses from connecting to systems, such as those used by HiddenWasp for command-and-control communication.  
  • Ensuring that repositories are verified (MD5 implementation), and disabling outdated or unnecessary components, extensions, and services 
  • Enforcing the principle of least privilege. 
About the author

Leave a Reply