What is HiddenWasp and can Red Hat Enterprise Linux be affected ?
Environment
Any Linux Server and Desktop Environments
Issue
HiddenWasp, originally discovered by security researchers at Intezer, is a Linux malware that allows persistent remote access by an attacker. The malware it not known to exploit any security vulnerability, rather it is installed on a compromised host in order to get a foothold on the system where an attacker previously gained root-level access via some other attack vector.
Example of attack vectors :
- Victim being tricked into executing a malicious script/command
- Unpatched vulnerability allowing for remote code execution
- Weak or compromised user authentication credentials
Once the deployment code is running, it will download the HiddenWasp malware and attempt to make it persistent.
The malware consists of 3 parts:
- An initial deployment script used to download and install malware on the target system.
- A trojan - an executable that connects to a remote Command & Control server and receive instructions on what actions to execute on the target system.
- A user-space rootkit, using LD_PRELOAD mechanisms to hide malware from detection and ensure its activation after system restart.
Additional details can be found in the original Intezer article.
Resolution
Use measures to prevent initial system compromise (such as timely deployment of security updates, limit access to the system, use strong authentication). The use of antivirus scanner may help detect the presence of malware on systems.
Compromised systems should be reinstalled, erasing all prior content, with data restored from a known clean backup.
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
Comments