HiddenWasp was discovered by the company Intezer, which published its findings on 29.05.2019. HiddenWasp installs itself when a particular bash script is clicked on. What exactly happens during that installation is described by Intezer in its blog.
This is how I can tell whether my system is affected:
“2.3. Prevention and Response
Prevention: Block Command-and-Control IP addresses detailed in the IOCs section.
Response: We have provided a YARA rule intended to be run against in-memory artifacts in order to be able to detect these implants.
In addition, in order to check if your system is infected, you can search for “ld.so” files — if any of the files do not contain the string ‘/etc/ld.so.preload’, your system may be compromised. This is because the trojan implant will attempt to patch instances of ld.so in order to enforce the LD_PRELOAD mechanism from arbitrary locations.
Intezer has discovered a new, sophisticated malware named HiddenWasp, targeting Linux systems. Unlike common Linux malware, HiddenWasp is not focused on crypto-mining or DDoS activity, but rather it is a trojan purely used for targeted remote control.
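As an added example (not from the Intezer report or this post), the ld.so check quoted above as a POSIX shell script: it walks the given library directories, finds loader binaries (assumed names ld.so and ld-*.so*) and flags any that lack the '/etc/ld.so.preload' string.

```shell
#!/bin/sh
# Added example (not from the Intezer report): implements the ld.so check quoted
# above. Every dynamic loader found under the given directories is searched for
# the string '/etc/ld.so.preload'; a glibc loader that lacks it may have been
# patched to force LD_PRELOAD from another location.

MARKER='/etc/ld.so.preload'

# Return 0 if FILE contains the marker string, 1 otherwise.
# -a searches the binary as text, -F matches literally, -q prints nothing.
ldso_has_marker() {
    grep -a -F -q "$MARKER" "$1"
}

# Print the path of every loader candidate under the given directories.
# Assumed file names: ld.so and ld-*.so* (e.g. ld-linux-x86-64.so.2).
# -H follows a symlinked start directory (merged-/usr systems have /lib -> usr/lib);
# -type f skips symlinked copies, their targets are found under the same roots.
find_ldso_candidates() {
    find -H "$@" -type f \( -name 'ld.so' -o -name 'ld-*.so*' \) 2>/dev/null
}

# Report one line per loader and return 1 if any loader lacks the marker.
scan_ldso() {
    rc=0
    # Loader paths contain no whitespace, so word splitting of find output is safe.
    for f in $(find_ldso_candidates "$@"); do
        if ldso_has_marker "$f"; then
            echo "OK      $f"
        else
            echo "SUSPECT $f (no $MARKER string)"
            rc=1
        fi
    done
    return $rc
}

# Run directly with the directories to scan, e.g.:
#   sh ldso_check.sh /lib /lib64 /usr/lib /usr/lib64
if [ "$#" -gt 0 ]; then
    scan_ldso "$@"
    exit $?
fi
```

The indicator is specific to glibc's loader; loaders of other libcs such as musl do not implement /etc/ld.so.preload and will be flagged, so treat a SUSPECT line as a prompt to verify the file against the package manager (e.g. `rpm -V glibc` or `debsums`) rather than as proof of infection.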