Articles by "Computer Security Plus"
Tectuner is a technology-related website about science and technology: Blogger templates, Android, computers, online earning, tips and tricks.



How to secure your webcam and prevent webcam hacking


Webcams can be a window for you to see the world, but they also give criminals a view into your personal life. Here's what you can do to stop being watched.

Webcams are great. They allow us to easily communicate face-to-face with family and friends, even if they are at the other end of the world. They allow journalists to interview people in far-flung corners of the world. They allow entrepreneurs in remote locations to do business with people in large cities around the world.

From smartphones and tablets to laptops and notebook PCs, webcams have become standard equipment these days. Just about every device we use has a camera.

But have you ever stopped to think that while you are staring at your screen, someone else on the Internet may be staring at you as well?

In 2014, more than half a million Windows computers were infected with malware, allowing explicit access to users' web cameras and microphones. For reference, it is about one-sixth of the American population.

Webcam hacking is real. Webcam resolutions are getting much better these days, which means that high-quality photos and videos can be used for espionage or exploitation, so I'm here to guide you on how to secure your webcam.







National news periodically carries reports about users being tricked by hackers into installing webcam spyware.

In 2016, photos of Facebook founder Mark Zuckerberg's laptop with tape covering the webcam sparked much debate about the safety of personal webcams.

Many webcams on notebook computers have indicator lights that tell you when your camera is actively capturing video. But it may also be possible (on some cameras) to disable this activity light through software hacks or modified configuration settings. So, just because you don't see an activity light does not mean that your webcam is not capturing video.



Webcam Malware

There have been numerous instances of malware specifically designed to target webcams to allow hackers to secretly view their prey.

The best known of these pieces of malware was Blackshades, a remote access Trojan (RAT) that was distributed when victims visited infected websites, opened malicious email attachments, or plugged USB drives into their PCs. This is the malware that was used against Wolf.

Among other functions, Blackshades allows the person using it to take full control of an infected user's webcam. This malware infected more than half a million PCs in more than 100 countries around the world, selling for as little as $40 on the web.

The Blackshades RAT, available for sale on the web for just $40, enabled anyone anywhere in the world to become a dangerous cybercriminal able to steal your property and invade your privacy. The malware's maker was eventually arrested by the FBI.

In 2012, the Electronic Frontier Foundation and Citizen Lab reported that Blackshades was being used against opposition forces in Syria, while others bought the hacking tool to spy on people they knew, including a man from Leeds who in 2015 was given a 40-week suspended sentence. He used Blackshades against 14 people, 7 of whom he knew personally - using his ex-girlfriend's credit card to pay for it.



Recently Gartner reported on the Delilah malware, which specifically targets enterprises and uses webcams to gather compromising material on employees and their families, so that sensitive information can be extracted by blackmailing them and their companies.



Webcam Streaming Sites

But hacking is not required in many cases to access the webcam. In 2014 the US and UK governments warned that there were several websites that were tracking unsafe webcams around the world.







These sites - which are not hacking anyone's systems - depend on the fact that most webcam, security camera, and IP camera manufacturers ship with default security settings that owners leave unchanged when the devices are installed, and which can therefore be monitored by anyone.

The operators of these sites say they only scan for unsecured Internet-connected cameras and post snapshots taken from them on their sites.

How To Secure Your Webcam and Prevent Webcam Hacking

So it is clear that there are some significant risks associated with having a webcam in your home or your workplace. Thankfully there are many steps to protect you, your family and your business.



1) The Simple Solution: Cover It Up

Sometimes the simplest solutions are the best. If you want to make sure no one is watching you through your webcam, get some electrical tape and cover it. If you don't want any tape residue on your camera,

Zuckerberg prefers a piece of black electrical tape, while Snowden has been seen holding a blanket over his entire laptop to stop spies, but whichever you choose, you should always check that the cover works by firing up the camera app on your laptop or desktop computer (or using the Skype test call feature) to see that it blocks everything.

One of the problems with using a piece of tape is that, should you need to use the camera at any point, the tape may leave a sticky residue on the camera's lens, although this can be solved by rubbing vigorously.

If you don't want to use this solution but want something more substantial, you can buy physical webcam covers online that come in a variety of shapes, sizes, and colors, some with a sliding door.



2) Close your laptop / Turn off your computer

If you use your webcam for Skype chat or video conferencing (or just want to check that your hair is fine), instead of putting a cover on it, you can simply make sure that your computer is turned off when you are not using it.

Even the best hacker in the world will not be able to see you if your PC is powered down or your laptop is closed when you are not using it.



3) Regularly scan your computer for webcam malware

Hackers are very good at circumventing traditional security measures such as antivirus software, and spotting webcam-focused malware is generally not something these antivirus products do well.

But this does not mean that you should do nothing.

You should use a good antimalware as a second opinion. As their name suggests, they act as a secondary malware detection and removal program, where the primary scanner of an antivirus installed on your PC fails to detect an active malware infection.

Hackers actively perform malware coding to avoid some antivirus software. So it is always a good idea to use antimalware such as Malwarebytes if you have a webcam on your PC or laptop.









4) Change the default admin username and password

If you are using a standalone webcam, either with your computer or as a security camera or baby monitor, then you need to make sure that you have changed the default settings that were configured by the manufacturer before the device left the factory.

These changes are made through the software that came with your camera.



5) Avoid Opening E-mail Attachments From Unknown Sources

If you get an email from someone you don't know and it has an attachment, think twice before opening it, because it may contain a Trojan horse file that installs webcam-related malware on your computer.



6) Avoid Clicking Shortened Links on Social Media Sites

One of the ways webcam-related malware spreads is through links on social media sites. Malware developers often use services such as TinyURL and Bitly to shorten links and hide the true destination, which is likely a malware distribution site.



7) Use a Firewall

Another effective way to protect your webcam is by using a firewall. It is software that provides an additional layer of protection by monitoring incoming and outgoing traffic. This prevents unauthorized access to your device and filters out traffic that should be blocked.

Most firewalls will need to be manually turned on, so you should go into your device settings and make sure it is enabled.



8) Disable Your Webcam

If you are not planning to use your webcam for some time, you can always disable it. While this may not actually stop a determined hacker, it will stop most methods of gaining control, as the malware used will probably not attempt to re-enable the cam or install its drivers.

The easiest way to disable your webcam is through Windows Device Manager. Use the built-in search on your desktop to find and launch it.

Device Manager lists each piece of hardware connected to your computer by category. Webcams are usually listed under Cameras, but you may also find them under categories like Imaging Devices.

When you find your camera, right-click it, and select Disable device. Windows will ask you to confirm. You may have to restart your computer for the change to take effect.




Kaspersky Allowed Tracking Of Millions Of Users By Injecting Unique ID







On Thursday, a German security journalist Ronald Eikenberg reported a flaw in Kaspersky antivirus software that could have leaked data of millions of Kaspersky users.

According to his report, Kaspersky injected a unique identifier into the HTML of every website a user visited, making it ridiculously easy for perpetrators to keep track of their victim, regardless of the browser used.

The company later confirmed that their antivirus product doesn't interact with Tor Browser, so the same isn't possible on Tor.


The injected script tag looks like this:

<script type="text/javascript" src="https://gc.kis.v2.scr.kaspersky-labs.com/9344FDA7-AFDF-4BA0-A915-4D7EEB9A6615/main.js" charset="UTF-8"></script>







The path segment is a Universally Unique Identifier (UUID) which Ronald discovered on systems with Kaspersky software. The unique ID (the UUID in the script's URL) was present on every website he visited.

The ID popped up in every popular browser such as Firefox, Chrome, Edge, and Opera. “Without exception, even on the website of my bank, a script from Kaspersky was introduced,” he writes.
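To make the tracking problem concrete, here is an added example (not code from the article or from Kaspersky) that scans HTML documents for a script tag of the kind quoted above, extracts the UUID from its URL, and then correlates that UUID across pages fetched from different sites. The sample pages are constructed; only the script tag and its UUID are taken from the article. The host pattern and the UUID shape are assumptions based on that single quoted tag.

```python
import re
from html.parser import HTMLParser

# Constructed sample documents. The script tag and the UUID in its URL are the
# ones quoted in the article; everything else on these pages is made up.
INJECTED_TAG = ('<script type="text/javascript" '
                'src="https://gc.kis.v2.scr.kaspersky-labs.com/'
                '9344FDA7-AFDF-4BA0-A915-4D7EEB9A6615/main.js" '
                'charset="UTF-8"></script>')
SAMPLE_PAGES = {
    "bank.example": "<html><head>" + INJECTED_TAG + "</head>"
                    "<body><h1>Online banking</h1></body></html>",
    "news.example": "<html><head><title>News</title>" + INJECTED_TAG
                    + '<script src="/static/app.js"></script></head>'
                    "<body><p>Headlines</p></body></html>",
    "clean.example": '<html><head><script src="/app.js"></script></head>'
                     "<body><p>No injection here</p></body></html>",
}

# Host named in the article, followed by an RFC 4122-shaped UUID path segment
# (assumption: every injected tag uses this host and layout).
INJECTED_SRC = re.compile(
    r"^https?://gc\.kis\.v2\.scr\.kaspersky-labs\.com/"
    r"([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})/")


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def find_injected_ids(html):
    """Return the UUIDs carried by injected script tags in one HTML document."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    ids = []
    for src in collector.srcs:
        match = INJECTED_SRC.match(src)
        if match:
            ids.append(match.group(1).upper())
    return ids


def correlate_across_sites(pages):
    """Map each UUID to the sites whose pages carried it.

    A site's own JavaScript can read the tag from document.scripts, so an ID
    that is identical on unrelated sites lets those sites (or anyone who can
    observe the requests) recognise the same machine across browsers.
    """
    seen = {}
    for site, html in pages.items():
        for uid in find_injected_ids(html):
            seen.setdefault(uid, set()).add(site)
    return {uid: sorted(sites) for uid, sites in seen.items()}


if __name__ == "__main__":
    for uid, sites in correlate_across_sites(SAMPLE_PAGES).items():
        print(f"{uid} seen on {len(sites)} sites: {', '.join(sites)}")
```

The correlation step is the point of the example: a per-install identifier is harmless on one page, but the same value appearing in the DOM of a bank and a news site is exactly what a browser's anti-tracking features (separate cookie jars, private windows, switching browsers) are meant to prevent, and the injection defeated all of them at once.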

After the flaw was reported, the company said that the leak affected all Kaspersky antivirus editions launched in 2016. To put it in simpler words, people using the Kaspersky AV 2016 editions over the last four years were vulnerable to the leak.

This includes all the consumer versions of the software for Windows (Kaspersky Internet Security, Kaspersky Total Security, and all the free versions). Kaspersky released an update back in June which fixed the flaw. The company also issued an advisory a month later.

Kaspersky later released a statement thanking Ronald for reporting the error. They also pointed out that abuse is highly unlikely, given the "complexity and low profitability for cybercriminals."



All-In-One Malware ‘Plurox’ Can Hack Your PC In Three Different Ways





Kaspersky security team has discovered a new strain of malware called Plurox, which packs a cryptominer, backdoor, and worm-like plugins, all into one.

Plurox is a cut above the regular malware. It comes with advanced capabilities that can spread the malware laterally to more systems and mine cryptocurrency using one of its eight different plugins.



This self-spreading virus has a modular structure which facilitates its multi-faceted features such as backdoor trojan and cryptominer.


Modular structure of Plurox

At its core, Plurox contains a primary component that allows Plurox bots (the infected hosts) to communicate with a command and control (C&C) server.

The Kaspersky team says that this component is crucial and the authors of Plurox use it to download and run files on the infected hosts. The downloaded files are called “plugins,” which contain most of the malware’s features.


Motive behind Plurox: Cryptomining

Eight different plugins have been found in Plurox and their sole purpose is cryptocurrency mining. These plugins are based on various hardware configurations for CPU/GPU mining. In addition to this, there’s a UPnP plugin and an SMB plugin.




By monitoring the malware’s activity, the team found two ‘subnets.’ One subnet is dedicated to receiving only mining modules and the other subnet is focused on downloading all modules that are available.

Although the purpose of having two separate communication channels is unclear, it does establish that the primary feature of both subnets is cryptocurrency mining.


Plurox inspired by NSA exploits

The SMB plugin mentioned previously is essentially a repackaged NSA exploit called EternalBlue that was publicly leaked in 2017.

The plugin allows bad actors to scan local networks and spread the malware to vulnerable workstations via the SMB protocol (running the EternalBlue exploit).

But that's not all. UPnP is actually the sneakiest and nastiest plugin of them all. It creates port forwarding rules on the local network of a compromised system and uses them to build backdoors into enterprise networks, bypassing firewalls and other security measures in place.

Once again, the inspiration behind the use of the UPnP plugin came from another leaked NSA exploit called EternalSilence. However, instead of using the actual EternalSilence code, the authors developed their own version.



Security researchers are still trying to figure out how the Plurox crew is spreading the malware to hijack larger networks. For more information on the same, you can refer to Kaspersky’s SecureList blog.






Bird Miner: This Cryptominer Malware Emulates Linux To Attack Macs





One of the biggest disadvantages of using pirated software is the increased risk of letting your computer get infected with malware. Cybercriminals often bundle the cracked versions of paid software on piracy websites with adware and cryptominers to earn free cash. So, if you're installing such programs from unknown sources, the chances of getting hacked are pretty good.

The same attack vector is being used by hackers to distribute a new Mac cryptocurrency miner named Bird Miner. As Malwarebytes’ official blog explains, Bird Miner has been found to be bundled with a cracked installer of software named Ableton Live, which is a tool for high-end music production.



Malwarebytes found that Ableton Live 10's cracked 2.6 GB installer is available on the piracy website VST Crack. Security researchers from the firm became suspicious when they found that Bird Miner's post-installation script was busy copying installed files to new locations with random names.

The new files with random names seem to have various functions, including the role of launch daemons. One such daemon launches a shell script called Crax, which makes sure that the malware is hidden from the security researchers. The malware further checks to see if your Mac’s CPU is operating at more than 85 percent load to avoid running the crypto mining script in this case.


Bird Miner uses Tiny Core Linux emulation

The last piece of the puzzle is the launch of an executable named Nigel, which is an old version of an open source emulator named Qemu. For those who don’t know, Qemu is terminal-only virtualization software that lets one run Linux packages on non-Linux machines.



The Qemu emulator further uses a file named Poaceae, which is a bootable Tiny Core Linux image. Finally, as soon as the Tiny Core system boots up, the xmrig miner starts running to mine the Monero cryptocurrency.



The Malwarebytes researchers mention that familiarity with Linux could be the reason why creators of the malware chose the Linux route. This malware further shows why using pirated software increases the chances of getting infected very easily.



100 Million Dell PCs At Risk Due To Critical Bug In 'SupportAssist' Software





The SupportAssist software comes pre-loaded on most Dell laptops and desktops. It’s used to check for different hardware and software issues that could arise over the course of time on Dell machines. For example, it can be used to test whether the battery is in a healthy condition or not.

Unfortunately, the innocent-looking SupportAssist could open doors for attackers who can use it to achieve privilege escalation on Dell machines running Windows 10. The vulnerability was discovered by security firm SafeBreach Labs, the firm told Fossbytes in an email.

It’s estimated that around 100 million PCs could be at risk on which the SupportAssist might be installed.

Moreover, according to the security firm, the vulnerability (CVE-2019-12280) isn’t just limited to Dell. Like Dell, many other OEMs use a re-branded version of the diagnostic tool created by the PC Doctor.

The list of other affected software includes PC-Doctor Toolbox For Windows, which is also re-branded as CORSAIR Diagnostics, Staples EasyTech Diagnostics, etc.


What’s the problem?

PC Doctor has developed the components that allow access to hardware such as PCI, physical memory, etc. The researchers were assuming that the program must have low-level access to system components to perform its desired operations.




Thanks to the vulnerability, when they ran the program on their virtual machine, the researchers found that they could easily load a custom-made DLL file for privilege escalation. This is because the program doesn’t validate whether a DLL being loaded is digitally signed or not.

An attacker can take advantage of the vulnerability and bypass techniques such as Application Whitelisting which is used to prevent unsafe apps from being installed on the machine.


SafeBreach researchers were able to create a proof-of-concept and were able to read/write data to the physical memory — and so can the attacker.

To prevent unsigned kernel-mode drivers from installing on the machine, Windows uses a mechanism called Driver Signature Enforcement. It crashes the system when it detects an unsigned driver being loaded.

But because of the vulnerability, the DSE has become useless. The program comes fitted with a driver that is already digitally signed and also authorized by Microsoft. So, the attacker might not need to load an unsigned driver to achieve read/write permissions.

The revelation comes after a non-disclosure policy that ends on June 19th. Dell has confirmed the existence of the bug after it was first reported back in April 2019. Further, the researchers have notified PC Doctor as well, and a security patch is expected to be released sometime in mid-June.

Dell has released security patches for the said vulnerability. It’s advised to update your machines well in time.



HiddenWasp Malware





Beware the HiddenWasp in Linux!









Overview

Intezer has discovered a new, sophisticated malware that we have named “HiddenWasp”, targeting Linux systems.

• The malware is still active and has a zero-detection rate in all major anti-virus systems.

• Unlike common Linux malware, HiddenWasp is not focused on crypto-mining or DDoS activity. It is a trojan purely used for targeted remote control.

• Evidence shows with high probability that the malware is used in targeted attacks against victims who are already under the attacker's control or have gone through heavy reconnaissance.

• HiddenWasp authors have adopted a large amount of code from various publicly available open-source malware, such as Mirai and the Azazel rootkit. In addition, there are some similarities between this malware and other Chinese malware families, however, the attribution is made with low confidence.

• We have detailed our recommendations for preventing and responding to this threat.



1. Introduction

Although the Linux threat ecosystem is crowded with IoT DDoS botnets and crypto-mining malware, it is not very common to spot trojans or backdoors in the wild.

Unlike Windows malware, Linux malware authors do not seem to invest too much effort writing their implants. In an open-source ecosystem, there is a high ratio of publicly available code that can be copied and adapted by attackers.

In addition, anti-virus solutions for Linux tend not to be as resilient as on other platforms. Therefore, threat actors targeting Linux systems are less concerned about implementing excessive evasion techniques, since even when reusing extensive amounts of code, threats can still manage to stay under the radar.

Nevertheless, malware with strong evasion techniques does exist for the Linux platform. There is also a high ratio of publicly available open-source malware that utilizes strong evasion techniques and can be easily adapted by attackers.

We believe this fact is alarming for the security community since many implants today have very low detection rates, making these threats difficult to detect and respond to.

We have discovered further undetected Linux malware that appears to employ advanced evasion techniques, using rootkits to support trojan-based implants.

In this blog, we will present a technical analysis of each of the different components that this new malware, HiddenWasp, is composed of. We will also highlight interesting code-reuse connections that we have observed to several open-source malware.

The following images are screenshots from VirusTotal of the newer undetected malware samples discovered:




2. Technical Analysis


When we came across these samples we noticed that the majority of their code was unique:

Similar to the recent Winnti Linux variants reported by Chronicle, the infrastructure of this malware is composed of a user-mode rootkit, a trojan and an initial deployment script. We will cover each of the three components in this post, analyzing them and their interactions with one another.



2.1 Initial Deployment Script:


When we spotted these undetected files in VirusTotal it seemed that among the uploaded artifacts there was a bash script along with a trojan implant binary.



We observed that these files were uploaded to VirusTotal using a path containing the name of a Chinese-based forensics company known as Shen Zhou Wang Yun Information Technology Co., Ltd.


Furthermore, the malware implants seem to be hosted in servers from a physical server hosting company known as ThinkDream located in Hong Kong.




Among the uploaded files, we observed that one of the files was a bash script meant to deploy the malware itself into a given compromised system, although it appears to be for testing purposes:




Thanks to this file we were able to download further artifacts not present in VirusTotal related to this campaign. This script will start by defining a set of variables that would be used throughout the script.


Among these variables we can spot the credentials of a user named ‘sftp’, including its hardcoded password. This user seems to be created as a means to provide initial persistence to the compromised system:


Furthermore, after the system’s user account has been created, the script proceeds to clean the system as a means to update older variants if the system was already compromised:


The script will then proceed to download a tar compressed archive from a download server according to the architecture of the compromised system. This tarball will contain all of the components from the malware, containing the rootkit, the trojan and an initial deployment script:


After malware components have been installed, the script will then proceed to execute the trojan:



We can see that the main trojan binary is executed, the rootkit is added to LD_PRELOAD path and another series of environment variables are set such as the ‘I_AM_HIDDEN’. We will cover throughout this post what the role of this environment variable is. To finalize, the script attempts to install reboot persistence for the trojan binary by adding it to /etc/rc.local.


Within this script we were able to observe that the main implants were downloaded in the form of tarballs. As previously mentioned, each tarball contains the main trojan, the rootkit and a deployment script for x86 and x86_64 builds accordingly.


The deployment script has interesting insights of further features that the malware implements, such as the introduction of a new environment variable ‘HIDE_THIS_SHELL’:


We found some of the environment variables used in an open-source rootkit known as Azazel.


It seems that this actor changed the default environment variable from Azazel, replacing HIDE_THIS_SHELL with I_AM_HIDDEN. We have based this conclusion on the fact that the environment variable HIDE_THIS_SHELL was not used throughout the rest of the components of the malware and seems to be a residual remnant of the original Azazel code.

The majority of the code from the rootkit implants involved in this malware infrastructure is noticeably different from the original Azazel project. Winnti Linux variants are also known to have reused code from this open-source project.


Within this function, we can see that control flow eventually falls into a function in charge of resolving a set of dynamic imports, which are the functions it will later hook, alongside decoding a series of strings needed for the rootkit's operations.



We can see that for each string it allocates a new dynamic buffer, copies the string into it and then decodes it.

It seems that the implementation for dynamic import resolution slightly varies in comparison to the one used in Azazel rootkit.

When we wrote the script to simulate the cipher that implements the string decoding function we observed the following algorithm:


We recognized that a similar algorithm to the one above was used in the past by Mirai, implying that authors behind this rootkit may have ported and modified some code from Mirai.



After the rootkit main object has been loaded into the address space of a given process and has decrypted its strings, it will export the functions that are intended to be hooked. We can see these exports to be the following:


For every given export, the rootkit will hook and implement a specific operation accordingly, although they all have a similar layout. Before the original hooked function is called, it is checked whether the environment variable ‘I_AM_HIDDEN’ is set:


We can see an example of how the rootkit hooks the function fopen in the following screenshot:


We have observed that after checking whether the 'I_AM_HIDDEN' environment variable is set, it then runs a function to hide all of the rootkit's and trojan's artifacts. In addition, specifically in the fopen hook, it will also check whether the file to open is '/proc/net/tcp' and, if it is, it will attempt to hide the malware's connection to the CNC by scanning every entry for the destination or source ports used to communicate with the CNC, in this case 61061. This is also the default port in the Azazel rootkit.


The rootkit primarily implements artifact hiding mechanisms as well as tcp connection hiding as previously mentioned. Overall functionality of the rootkit can be illustrated in the following diagram:


2.3 The Trojan:

The trojan comes in the form of a statically linked ELF binary linked with stdlibc++. We noticed that the trojan has code connections with ChinaZ’s Elknot implant in regards to some common MD5 implementation in one of the statically linked libraries it was linked with:


In addition, we also see a high rate of shared strings with other known ChinaZ malware, reinforcing the possibility that actors behind HiddenWasp may have integrated and modified some MD5 implementation from Elknot that could have been shared in Chinese hacking forums:


When we analyzed main, we noticed that the first action the trojan takes is to retrieve its configuration:


The malware configuration is appended at the end of the file and has the following structure:


The malware will try to load itself from the disk and parse this blob to then retrieve the static encrypted configuration.


Once the encrypted configuration has been successfully retrieved, the configuration is decoded and then parsed as JSON.

The cipher used to encode and decode the configuration is the following:


This cipher seems to be an RC4 alike algorithm with an already computed PRGA generated key-stream. It is important to note that this same cipher is used later on in the network communication protocol between trojan clients and their CNCs.

After the configuration is decoded the following json will be retrieved:


Moreover, if the file is running as root, the malware will attempt to change the default location of the dynamic linker’s LD_PRELOAD path. This location is usually at /etc/ld.so.preload, however there is always a possibility to patch the dynamic linker binary to change this path:


The patch_ld function will scan for any existent /lib paths. The scanned paths are the following:


The malware will attempt to find the dynamic linker binary within these paths. The dynamic linker filename is usually prefixed with ld-<version number>.


Once the dynamic linker is located, the malware will find the offset where the /etc/ld.so.preload string is located within the binary and will overwrite it with the path of the new target preload path, that one being /sbin/.ifup-local.


To achieve this patching it executes the following formatted string using the xxd hex utility, having previously encoded the path of the rootkit in hex:


Once it has changed the default LD_PRELOAD path from the dynamic linker it will deploy a thread to enforce that the rootkit is successfully installed using the new LD_PRELOAD path. In addition, the trojan will communicate with the rootkit via the environment variable ‘I_AM_HIDDEN’ to serialize the trojan’s session for the rootkit to apply evasion mechanisms on any other sessions.


After seeing the rootkit’s functionality, we can understand that the rootkit and trojan work together in order to help each other to remain persistent in the system, having the rootkit attempting to hide the trojan and the trojan enforcing the rootkit to remain operational. The following diagram illustrates this relationship:


Continuing with the execution flow of the trojan, a series of functions are executed to enforce evasion of some artifacts:


These artifacts are the following:


By performing some OSINT regarding these artifact names, we found that they belong to a Chinese open-source rootkit for Linux known as Adore-ng, hosted on GitHub:


The fact that these artifacts are being searched for suggests that potentially targeted Linux systems by these implants may have already been compromised with some variant of this open-source rootkit as an additional artifact in this malware’s infrastructure. Although those paths are being searched for in order to hide their presence in the system, it is important to note that none of the analyzed artifacts related to this malware are installed in such paths.

This finding may imply that the target systems this malware is aiming to intrude may be already known compromised targets by the same group or a third party that may be collaborating with the same end goal of this particular campaign.


With the help of this function we were able to understand the structure of the communication protocol employed. We can illustrate the structure of this communication protocol by looking at a pcap of the initial handshake between the server and client:


We noticed while analyzing this protocol that the Reserved and Method fields are always constant, 0 and 1 respectively. The cipher table offset represents the offset in the hardcoded key-stream at which the encrypted payload was encoded. The following is the fixed keystream this field makes reference to:
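The role of the offset field is easier to see in code. The following is an added example, not code from the Intezer report or from the malware, modelling what the analysis describes: a fixed, precomputed RC4-style keystream table, a payload XORed with that table starting at the offset the packet announces, and JSON inside. The keystream bytes and the header byte widths below are constructed assumptions (the report names the Reserved, Method and offset fields but the real table is a binary blob in the sample and is not reproduced here). The last function shows why a fixed keystream matters to an analyst: two payloads encoded at the same offset XOR to the XOR of their plaintexts, and once the table is recovered from one sample, traffic from every infected host can be decoded.

```python
import json

# Constructed stand-in for the trojan's hardcoded keystream table. Only its
# role (a fixed byte table indexed by the packet's offset field) is modelled.
KEYSTREAM = bytes(((i * 73) + 41) & 0xFF for i in range(4096))


def xor_at_offset(data, offset, keystream=KEYSTREAM):
    """XOR `data` with the keystream starting at `offset`.

    Assumption: RC4-style keystream XOR, so the same call both encrypts and
    decrypts. The offset must leave room for the whole payload.
    """
    if offset < 0 or offset + len(data) > len(keystream):
        raise ValueError("payload does not fit in keystream from this offset")
    return bytes(b ^ keystream[offset + i] for i, b in enumerate(data))


# Constructed packet layout for illustration: 1 byte Reserved (0), 1 byte
# Method (1), 2-byte big-endian cipher table offset, then the encoded payload.
# The field widths are an assumption, not the sample's real wire format.
def build_packet(payload_obj, offset, reserved=0, method=1):
    plaintext = json.dumps(payload_obj, separators=(",", ":")).encode()
    header = bytes([reserved, method]) + offset.to_bytes(2, "big")
    return header + xor_at_offset(plaintext, offset)


def parse_packet(packet):
    """Strip the header, decode with the offset it announces, parse the JSON."""
    reserved, method = packet[0], packet[1]
    offset = int.from_bytes(packet[2:4], "big")
    body = xor_at_offset(packet[4:], offset)
    return {"reserved": reserved, "method": method, "offset": offset,
            "payload": json.loads(body.decode())}


def keystream_reuse_leak(ct_a, ct_b):
    """XOR of two ciphertexts that were encoded at the same offset.

    The keystream cancels out, leaving plaintext_a XOR plaintext_b: the
    two-time-pad weakness of any fixed, reused keystream. With JSON payloads
    (predictable keys, braces and quotes) this leaks most of both messages
    even before the table itself is recovered.
    """
    return bytes(a ^ b for a, b in zip(ct_a, ct_b))


if __name__ == "__main__":
    pkt = build_packet({"host": "lab-vm", "version": "1"}, offset=200)
    print(pkt.hex())
    print(parse_packet(pkt))
```

For a responder, the practical consequence is that a pcap of this protocol is fully recoverable offline: extract the keystream table from the trojan binary once, read the offset field from each packet, and apply `xor_at_offset` to the remainder.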



After decrypting the traffic and analyzing some of the network related functions of the trojan, we noticed that the communication protocol is also implemented in json format. To show this, the following image is the decrypted handshake packets between the CNC and the trojan:


After the handshake is completed, the trojan will proceed to handle CNC requests:


Depending on the given requests the malware will perform different operations accordingly. An overview of the trojan’s functionalities performed by request handling are shown below:


3. Prevention and Response

Prevention: Block Command-and-Control IP addresses detailed in the IOCs section.

Response: We have provided a YARA rule intended to be run against in-memory artifacts in order to be able to detect these implants.

In addition, in order to check if your system is infected, you can search for "ld.so" files — if any of the files do not contain the string '/etc/ld.so.preload', your system may be compromised. This is because the trojan implant will attempt to patch instances of ld.so in order to enforce the LD_PRELOAD mechanism from arbitrary locations.
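The two checks above (blocking or hunting for the C&C addresses, and looking for a dynamic linker that has lost its '/etc/ld.so.preload' string) can be scripted. The following is an added example written for this page, not a tool from Intezer: it tests dynamic-linker images for the missing string, parses /proc/net/tcp for sockets on the rootkit's default port 61061, and matches the defanged IOCs from the report against log lines. The /proc/net/tcp text, proxy log lines and linker byte blobs are constructed samples; the list of linker directories is an assumption, and the C&C port, preload path and IOC values come from the report.

```python
import glob
import os
import re

# Values from the report: the string the trojan overwrites in the dynamic
# linker, the path it points LD_PRELOAD to instead, the rootkit's C&C port,
# and the IOCs (listed there in defanged form).
PRELOAD_STRING = b"/etc/ld.so.preload"
ROOTKIT_PRELOAD_PATH = "/sbin/.ifup-local"
CNC_PORT = 61061
IOCS = [
    "103.206.123[.]13",
    "103.206.122[.]245",
    "http://103.206.123[.]13:8080/system.tar.gz",
    "http://103.206.123[.]13:8080/configUpdate.tar.gz",
    "http://103.206.123[.]13:8080/configUpdate-32.tar.gz",
]
# Assumption: common dynamic-linker locations; the trojan scans its own list.
LD_SEARCH_PATHS = ["/lib", "/lib64", "/lib32", "/usr/lib", "/usr/lib64",
                   "/lib/x86_64-linux-gnu", "/lib/i386-linux-gnu"]


def ld_so_is_patched(image):
    """True if a dynamic-linker image no longer contains '/etc/ld.so.preload'."""
    return PRELOAD_STRING not in image


def find_dynamic_linkers(paths=LD_SEARCH_PATHS):
    found = []
    for base in paths:
        found.extend(glob.glob(os.path.join(base, "ld-*.so*")))
    return sorted(set(found))


def _decode_addr(hex_addr):
    """'0100007F:0277' from /proc/net/tcp -> '127.0.0.1:631' (little-endian IPv4)."""
    ip_hex, port_hex = hex_addr.split(":")
    octets = [str(int(ip_hex[i:i + 2], 16)) for i in (6, 4, 2, 0)]
    return ".".join(octets) + ":" + str(int(port_hex, 16))


def tcp_entries_with_port(proc_net_tcp, port=CNC_PORT):
    """Return (local, remote) pairs from /proc/net/tcp text that use `port`."""
    hits = []
    for line in proc_net_tcp.splitlines()[1:]:   # first line is the header
        parts = line.split()
        if len(parts) < 3:
            continue
        local, remote = parts[1], parts[2]
        if port in (int(local.split(":")[1], 16), int(remote.split(":")[1], 16)):
            hits.append((_decode_addr(local), _decode_addr(remote)))
    return hits


def _refang(ioc):
    return ioc.replace("[.]", ".")


# Boundary-checked so that 103.206.123.13 does not match 103.206.123.130.
IOC_PATTERNS = [re.compile(r"(?<![\w.])" + re.escape(_refang(i)) + r"(?![\w.])")
                for i in IOCS]


def ioc_hits(lines):
    """Return the log lines that mention any IOC from the report."""
    return [line for line in lines if any(p.search(line) for p in IOC_PATTERNS)]


# Constructed sample inputs so the checks run offline.
SAMPLE_PROC_NET_TCP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18421 1 0000000000000000 100 0 0 10 0\n"
    "   1: 0F02000A:9C40 0D7BCE67:EE85 01 00000000:00000000 00:00000000 00000000  1000        0 22107 1 0000000000000000 20 4 30 10 -1\n"
)
SAMPLE_PROXY_LOG = [
    "2019-05-29T10:14:02Z 10.0.2.15 GET http://103.206.123.13:8080/system.tar.gz 200",
    "2019-05-29T10:14:05Z 10.0.2.15 GET http://example.invalid/index.html 200",
    "2019-05-29T10:14:09Z 10.0.2.15 CONNECT 103.206.123.130:443 200",
]
CLEAN_LD_SO = b"\x7fELF...\x00/etc/ld.so.preload\x00..."
PATCHED_LD_SO = b"\x7fELF...\x00/sbin/.ifup-local\x00\x00..."


if __name__ == "__main__":
    for path in find_dynamic_linkers():
        with open(path, "rb") as fh:
            print(path, "PATCHED" if ld_so_is_patched(fh.read()) else "ok")
    if os.path.exists("/proc/net/tcp"):
        with open("/proc/net/tcp") as fh:
            print("sockets on C&C port:", tcp_entries_with_port(fh.read()))
    print("rootkit preload path present:", os.path.exists(ROOTKIT_PRELOAD_PATH))
```

One caveat follows directly from the rootkit analysis above: the rootkit hooks fopen in every process that loads it, and it filters /proc/net/tcp entries on port 61061 and hides its own files. A dynamically linked interpreter run on a compromised host may therefore be shown a clean picture. The linker-string test is the more robust of the three because it reads file bytes that the rootkit does not rewrite; for the socket and path checks, run them from a statically linked tool or from a rescue environment mounted over the suspect disk.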



4. Summary

We analyzed every component of HiddenWasp explaining how the rootkit and trojan implants work in parallel with each other in order to enforce persistence in the system.

We have also covered how the different components of HiddenWasp have adapted pieces of code from various open-source projects. Nevertheless, these implants managed to remain undetected.

Linux malware may introduce new challenges for the security community that we have not yet seen in other platforms. The fact that this malware manages to stay under the radar should be a wake up call for the security industry to allocate greater efforts or resources to detect these threats.

Linux malware will continue to become more complex over time and currently even common threats do not have high detection rates, while more sophisticated threats have even lower visibility.        



IOCs


103.206.123[.]13
103.206.122[.]245
http://103.206.123[.]13:8080/system.tar.gz
http://103.206.123[.]13:8080/configUpdate.tar.gz
http://103.206.123[.]13:8080/configUpdate-32.tar.gz