HiddenWasp Linux Malware

Just a heads up, some backdoor malware affecting Linux.

Not sure what to make of this yet, need to investigate a bit more. Only just found it on the Debian forum I was browsing.

http://forums.debian.net/viewtopic.php?f=10&t=142235

I'm not a member there, I just browse it.

1 Like

Thx @s7l for sharing, doesn't surprise me at all sadly.

Can I be quiet?

[don@don-pc ~]$locate ld.so
/etc/ld.so.cache
/etc/ld.so.conf
/etc/ld.so.conf.d
/etc/ld.so.conf.d/fakeroot.conf
/usr/lib/LLVMgold.so
/usr/lib/ADM_plugins6/videoFilters/libADM_vf_hzstackField.so
/usr/lib/ADM_plugins6/videoFilters/libADM_vf_mergeField.so
/usr/lib/ADM_plugins6/videoFilters/libADM_vf_separateField.so
/usr/lib/ADM_plugins6/videoFilters/libADM_vf_stackField.so
/usr/lib/ADM_plugins6/videoFilters/libADM_vf_unstackField.so
/usr/lib/ImageMagick-6.9.10/modules-Q16HDRI/coders/hald.so
/usr/lib/ImageMagick-7.0.8/modules-Q16HDRI/coders/hald.so
/usr/lib/bfd-plugins/LLVMgold.so
/usr/lib/gegl-0.2/threshold.so
/usr/lib/libgphoto2/2.5.18/topfield.so
/usr/lib/libgphoto2/2.5.22/topfield.so
/usr/lib/systemd/system/lvm2-lvmpolld.socket
/usr/lib/systemd/system/systemd-journald.socket
/usr/lib/systemd/system/sockets.target.wants/systemd-journald.socket
/usr/lib/systemd/system/sysinit.target.wants/lvm2-lvmpolld.socket
/usr/share/factory/etc/ld.so.conf
/usr/share/man/man8/ld.so.8.gz
/usr/share/man/man8/systemd-journald.socket.8.gz
[don@don-pc ~]$

and need this rule, and how does it apply?
https://github.com/intezer/yara-rules/blob/master/HiddenWasp.y

1 Like

No idea Ector. I plan to do some reading up on it tomorrow.

I'm on Artix OpenRC Arch Linux for now and have the output below.

/etc/ld.so.cache
/etc/ld.so.conf
/etc/ld.so.conf.d
/etc/ld.so.preload
/etc/ld.so.conf.d/fakeroot.conf
/usr/lib/LLVMgold.so
/usr/lib/bfd-plugins/LLVMgold.so
/usr/lib/qt/plugins/kf5/kiod/kssld.so
/usr/share/factory/etc/ld.so.conf
/usr/share/man/man8/ld.so.8.gz

Need to read clearly,

"you can search for “ld.so” files — if any of the files do not contain the string ‘/etc/ld.so.preload’, your system may be compromised"

I don’t think it means that if your system has ld.so.preload you're fine, or vice versa.

Furthermore, I’d like to point out that just because an exploit exists does not mean it will affect you; like all viruses/trojans/*ware, you would have to acquire the malicious code first via the usual suspects: malicious sites, clicking links you shouldn’t, downloading untrusted software, etc…

If you use the package manager to install your software and avoid the above, I see no reason this should affect you; it doesn’t affect me.

And don’t think we don’t see you over there… Deepin, XD joking.

3 Likes

You are compromised?

@ector Please read the linked post and natemaia’s post above yours carefully… we do not want to spread unwarranted panic, do we?

I had a good read of this here https://www.intezer.com/blog-hiddenwasp-malware-targeting-linux-systems/

A lot I don't understand, but what I did find interesting is that for the Linux HiddenWasp malware to work, the system may perhaps have had to be compromised beforehand with other rootkits and trojans, as mentioned in the blog.

I would keep an eye on it; I don't think there is need for panic yet.

I don't think so, it's a newly installed Artix Arch Linux installation as of Thursday 30/05. I've also got my daily driver with Arch Linux systemd which has /etc/ld.so.preload. The article says if you haven't got /etc/ld.so.preload listed you “may” be compromised. I'm no security expert so please don't take my word for it.

^ This.

HiddenWasp is a second-stage infection.

Use this to check if it is present:

grep -qs sftp /etc/passwd && echo 'pwned' || echo 'not pwned'

Or follow the YARA method listed by @sickpig in the linked Debian forums thread.

1 Like
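The two checks discussed in this thread (the dynamic loader must still contain the string /etc/ld.so.preload, and /etc/passwd must not carry an unexpected "sftp" account) as an added Python script that is not from the posts above or from Intezer. The "ld.so files" in the quoted advice are the dynamic loader binaries themselves (ld-linux*.so*), not every path `locate ld.so` prints; the loader globs and the sample data below are my assumptions.

```python
#!/usr/bin/env python3
"""Host checks for the two HiddenWasp indicators discussed in the thread.
Added example; loader paths and sample data are assumptions."""
import glob
import os

PRELOAD_STR = b"/etc/ld.so.preload"
# The dynamic loader binaries, not ld.so.conf/ld.so.cache (assumed locations).
LOADER_GLOBS = ["/lib/ld-linux*.so*", "/lib64/ld-linux*.so*",
                "/usr/lib/ld-linux*.so*", "/lib/ld-musl*.so*"]

# Constructed sample inputs so the functions can be exercised offline.
SAMPLE_LOADER_OK = b"\x7fELF...." + PRELOAD_STR + b"\x00"
SAMPLE_LOADER_PATCHED = b"\x7fELF...." + b"/etc/ld.so.XXXXXXX\x00"
SAMPLE_PASSWD = ("root:x:0:0::/root:/bin/bash\n"
                 "sftp:x:1001:1001::/:/bin/sh\n")


def loader_has_preload_string(data: bytes) -> bool:
    """True if the loader still references /etc/ld.so.preload (unpatched)."""
    return PRELOAD_STR in data


def suspicious_passwd_users(passwd_text: str, names=("sftp",)) -> list:
    """Exact username matches, unlike `grep sftp`, which also hits GECOS text."""
    found = []
    for line in passwd_text.splitlines():
        if line and not line.startswith("#"):
            user = line.split(":", 1)[0]
            if user in names:
                found.append(user)
    return found


def check_host() -> dict:
    """Run both checks on the live system; empty lists mean nothing found."""
    findings = {"patched_loaders": [], "preload_entries": [], "users": []}
    seen = set()
    for pattern in LOADER_GLOBS:
        for path in glob.glob(pattern):
            real = os.path.realpath(path)
            if real in seen or not os.path.isfile(real):
                continue
            seen.add(real)
            with open(real, "rb") as fh:
                if not loader_has_preload_string(fh.read()):
                    findings["patched_loaders"].append(real)
    if os.path.exists("/etc/ld.so.preload"):  # an existing file is fine; inspect its entries
        with open("/etc/ld.so.preload") as fh:
            findings["preload_entries"] = [l.strip() for l in fh if l.strip()]
    with open("/etc/passwd") as fh:
        findings["users"] = suspicious_passwd_users(fh.read())
    return findings


if __name__ == "__main__":
    for key, val in check_host().items():
        print(f"{key}: {val or 'none'}")
```

Any non-empty preload_entries list deserves a look even on a clean host, since a legitimate /etc/ld.so.preload is rare on desktop systems.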

@Head_on_a_Stick

This makes for some light reading. I came across this last week; it seems to be a link in the chain with these types of exploits.

1 Like