Linux malware flew under the radar

May 30, 2019.

European hornet (Vespa crabro). © iStock.

Researchers have discovered a sophisticated piece of Linux malware that has escaped detection by all 59 commercially available AV products and that appears to be actively used in targeted attacks. Dubbed HiddenWasp, it is a complete malware suite comprising a Trojan horse, a rootkit and an initial deployment script. While it is not yet known how machines get swarmed in the first place, we do know that the goal is to remotely control the victim, with the ability to download and execute code, upload files and perform a variety of other commands. That sets it apart from most Linux malware, which exists to perform denial-of-service attacks or mine cryptocurrencies. Some of the code appears to be borrowed from the infamous Mirai botnet. To tell if your system is infected, check your ld.so files. If they don’t contain the string /etc/ld.so.preload, you’ve been stung.
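The ld.so check described above, as an added example (not code from Intezer or from this article): a POSIX shell script that lists dynamic-loader binaries lacking the string /etc/ld.so.preload. The file-name patterns, the ELF-magic filter that skips text files such as ld.so.conf, and the directories you pass on the command line are assumptions.

```shell
#!/bin/sh
# Added example: flag dynamic-loader binaries that lack the string
# "/etc/ld.so.preload", the indicator described in the article.
# Assumptions (not from the article): the loader name patterns, the
# ELF-magic filter, and whichever directories are passed as arguments.

MARKER='/etc/ld.so.preload'

# True if FILE starts with the ELF magic bytes 7f 45 4c 46.
is_elf() {
    [ "$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')" = "7f454c46" ]
}

# Print "ok", "suspect" or "skip" for one candidate file.
loader_status() {
    if ! is_elf "$1"; then
        echo skip        # ld.so.conf, ld.so.cache and other non-binaries
    elif LC_ALL=C grep -qF -- "$MARKER" "$1"; then
        echo ok          # loader still references the standard preload path
    else
        echo suspect     # string is missing from the loader binary
    fi
}

# Print every suspect loader under the given directories.
# Returns 1 if at least one suspect was found, 0 otherwise.
scan_loaders() {
    suspects=$(
        find "$@" -type f \( -name 'ld-*.so*' -o -name 'ld.so*' \
            -o -name 'ld64.so*' \) 2>/dev/null |
        while IFS= read -r f; do
            if [ "$(loader_status "$f")" = suspect ]; then
                printf '%s\n' "$f"
            fi
        done
    )
    if [ -z "$suspects" ]; then
        return 0
    fi
    printf '%s\n' "$suspects"
    return 1
}

# Runs only when directories are given, e.g.: sh check.sh /lib /lib64 /usr/lib
[ "$#" -eq 0 ] || scan_loaders "$@"
```

A listed file is a lead to verify, not proof: compare it against the distribution's packaged copy before concluding the loader was modified.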

Intezer, “HiddenWasp malware stings targeted Linux systems.”

Ars Technica, “Advanced Linux backdoor found in the wild escaped AV detection.”