We noticed that the trojan has code connections with ChinaZ’s Elknot implant in regards to some common MD5 implementation in one of the statically linked libraries it was linked with. In addition, we also see a high rate of shared strings with other known ChinaZ malware, reinforcing the possibility that actors behind HiddenWasp may have integrated and modified some MD5 implementation from Elknot that could have been shared in Chinese hacking forums.

So, how does HiddenWasp end up infecting systems running Linux? Unfortunately, the security researchers have not been able to answer that question. The malware can be found on Linux computers, and it is possible to determine how HiddenWasp can be used to run commands on the terminal, execute files, and download further malicious scripts when commanded to by its remote hackers, but it isn't apparent how computers are being infected in the first place.

In other words, it's quite possible that computer systems are being compromised in a variety of ways and *then* HiddenWasp is being deployed as a secondary payload by attackers. Intezer's researchers claim that security products are currently doing a poor job of detecting the HiddenWasp malware and recommend that concerned administrators block the Command & Control IP addresses listed in the IOC section of its blog post.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.