**Linux: Hiddenwasp – Trojan and Rootkit**

Hiddenwasp was discovered by the company Intezer, which published its analysis on 29 May 2019.
Hiddenwasp installs itself when a specific bash script is executed.
Intezer describes in its blog exactly what happens during that process.

This is how I can tell whether my system is affected:

“2.3. Prevention and Response

Prevention: Block Command-and-Control IP addresses detailed in the IOCs section.

Response: We have provided a YARA rule intended to be run against in-memory artifacts in order to be able to detect these implants.

In addition, in order to check if your system is infected, you can search for “ld.so” files — if any of the files do not contain the string ‘/etc/ld.so.preload’, your system may be compromised. This is because the trojan implant will attempt to patch instances of ld.so in order to enforce the LD_PRELOAD mechanism from arbitrary locations.

IOCs

103.206.123[.]13
103.206.122[.]245
http://103.206.123[.]13:8080/system.tar.gz
http://103.206.123[.]13:8080/configUpdate.tar.gz
http://103.206.123[.]13:8080/configUpdate-32.tar.gz”
(Quoted from: https://www.intezer.com/blog-hiddenwasp-malware-targeting-linux-systems/)
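The ld.so check that Intezer describes in the quoted passage, turned into a script that can be run on a host. This is an added example and not code from the original post or from Intezer: the loader paths it searches are an assumption based on common glibc layouts, the `--demo` mode works on two constructed files that are not real loaders, and the extra listing of /etc/ld.so.preload goes slightly beyond the quoted check.

```shell
#!/bin/sh
# Added example, not part of the original post or Intezer's write-up.
# Implements the quoted check: a dynamic loader (ld.so) that has been
# patched to read its preload list from somewhere other than
# /etc/ld.so.preload usually no longer contains that literal string.

PRELOAD_MARKER='/etc/ld.so.preload'

# check_ld_so FILE
# Returns 0 if the marker string is present (loader looks unmodified),
# 1 if it is missing (loader may have been patched), 2 if FILE is unreadable.
check_ld_so() {
    file="$1"
    [ -r "$file" ] || return 2
    # -a: treat the ELF binary as text, -F: fixed string, -q: exit status only
    grep -aqF -- "$PRELOAD_MARKER" "$file" && return 0
    return 1
}

# system_loaders
# Prints candidate loader paths on this host. Assumption: the usual glibc
# locations; adjust for your distribution. (musl's loader never uses
# /etc/ld.so.preload and would be flagged by this check.)
system_loaders() {
    for f in /lib/ld-*.so* /lib64/ld-*.so* /usr/lib/ld-*.so* /usr/lib64/ld-*.so* \
             /lib/*/ld-*.so* /usr/lib/*/ld-*.so*; do
        [ -f "$f" ] && echo "$f"      # unmatched globs stay literal; skip them
    done
    return 0
}

# scan_loaders [FILE...]
# Checks each FILE, or every path from system_loaders when none is given.
# Prints one line per file; returns 1 if any loader lacks the marker.
scan_loaders() {
    [ $# -eq 0 ] && set -- $(system_loaders)
    rc=0
    for f in "$@"; do
        r=0
        check_ld_so "$f" || r=$?
        case $r in
            0) echo "ok         $f" ;;
            1) echo "SUSPICIOUS $f (no '$PRELOAD_MARKER' string)"; rc=1 ;;
            *) echo "UNREADABLE $f"; rc=1 ;;
        esac
    done
    return $rc
}

# show_preload
# Lists what /etc/ld.so.preload currently asks the loader to inject, if anything.
show_preload() {
    if [ -s /etc/ld.so.preload ]; then
        echo "/etc/ld.so.preload contains:"
        cat /etc/ld.so.preload
    else
        echo "/etc/ld.so.preload is absent or empty"
    fi
}

# demo
# Runs the check on two constructed files (not real loaders): one carrying
# the marker string and one where it has been replaced by another path.
demo() {
    d=$(mktemp -d)
    printf 'ELF\000junk\000%s\000more\000' "$PRELOAD_MARKER" > "$d/ld-clean.so.2"
    printf 'ELF\000junk\000/tmp/.x/preload\000more\000'       > "$d/ld-patched.so.2"
    scan_loaders "$d/ld-clean.so.2" "$d/ld-patched.so.2" || echo "demo: patched sample flagged as expected"
    rm -rf "$d"
}

case "${1:-}" in
    --demo) demo ;;
    *) if scan_loaders "$@"; then
           echo "all loaders contain '$PRELOAD_MARKER'"
       else
           echo "WARNING: inspect the flagged loader(s) and compare them with your package manager's copy"
       fi
       show_preload ;;
esac
```

Run it without arguments to scan the host's loaders, with explicit paths to check specific files, or with `--demo` to see both outcomes on the constructed samples. The string test is a heuristic in the direction Intezer states it: a loader without the string is suspect, but a loader that still contains it is not proven clean, so a flagged or doubtful file should be compared against the distribution package (for example with `rpm -V` or `debsums`) rather than trusted on this check alone.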

A short summary of Hiddenwasp is available in German:
https://www.linux-magazin.de/news/hiddenwasp-neuer-linux-trojaner-und-rootkit/

Intezer – HiddenWasp Malware Stings Targeted Linux Systems https://www.intezer.com/blog-hiddenwasp-malware-targeting-linux-systems/


#linux #malware #trojaner #rootkit #hiddenwasp #intezer

Summary from the linked Intezer article: “Intezer has discovered a new, sophisticated malware named HiddenWasp, targeting Linux systems. Unlike common Linux malware, HiddenWasp is not focused on crypto-mining or DDoS activity, but rather it is a trojan purely used for targeted remote control.”