Articles by "security"
Tectuner is a Technology Releated website. Tectuner is a about the science,technology.Blogger template, Android, computer, Online Earning, tips tricks
Here are 11 misconceptions about hacking that we need to clear up.

1. Although the word hacking is associated with "unauthorized access", its true meaning is not bad at all. Hacking is not only about computers; the word can be applied to almost anything, such as food hacks, dress hacks and lifestyle hacks. Hacking means finding the weak part of something and removing or improving it, in order to understand it better or make it easier to use.

2. Hacking is a skill-based subject. You can never explore it without a good knowledge of computers. Many books and video courses claim that you can become a hacker just by taking them; that is largely wrong. To understand how these techniques work, you need to know what a system is and what is inside it.

3. The word hacking sounds very bad, as if only criminals do it. But this is wrong. Hacking is a subject within computing that can be researched and studied like any other. Large companies employ many hackers; they help keep the company's systems running and protect them from other hackers.

4. Hacker does not mean anything bad by itself. Hackers are broadly divided into two groups. A black hat is a criminal hacker; they do all kinds of harmful and nasty things. The other is the white hat hacker, also known as an ethical hacker. Companies put them in charge of their system security so that no one else can harm their systems.

5. There is no software in the world that can directly hack a social media account. Much software on the Internet claims it can get into an account without you providing any useful information. That is absolutely wrong. Such software contains malware: when you install it, the malware infiltrates your PC without your knowledge. This means that while trying to hack someone else's account, your own account can be hacked. So stay away from all of these.

6. Hollywood movie hackers. Many people who have seen Hollywood hacking movies think hacking really works that way. It is totally wrong. Hacking is a time-consuming and skill-dependent job, so the process shown in movies is wrong in many respects and incompatible with reality. It is done with 3D graphics and visual effects; it cannot be done so quickly and easily.

7. Not being able to access a Facebook or other social media account, or having it blocked for some reason, does not mean it has been hacked. Many people think their account has been hacked and even post that it has been. But what has actually happened? Most often, an account is blocked for a few days for sending friend requests to strangers or posting obscene content. It may be difficult to access the account, or it may not open at all. That does not mean the account has been hacked.

8. To learn computer hacking, you first need to become proficient in computing. You need to know how computers work and have an understanding of networking, programming languages and web development.

9. In computing, the word hacker is used for anyone who is very skilled with computers and who can exploit a system's or machine's vulnerabilities, either to gain access or to improve its security.

10. Hacking is not in itself an illegal act. Those who improve system security or protect systems from other hackers are called ethical hackers. But if you hack into something without authorization or with harmful intent, you are called an unethical hacker.

11. "Hacking can never be learned on a mobile phone. Remember that you need a computer to work."

This is how WhatsApp is hacked

People in the cyber world use specialized software to monitor WhatsApp. One such piece of software is called Pegasus; it is developed by the NSO Group in Israel. Over two dozen academics, lawyers, journalists and politicians were monitored using Pegasus during the last Lok Sabha elections in India. WhatsApp has confirmed the matter.

According to some Indian media, the Israeli software was used to monitor WhatsApp communications before the last election. NSO Group developed Pegasus for cyber espionage and surveillance. However, it is not known exactly how many people were monitored with this software. WhatsApp has been notifying affected users that their devices were targeted.

WhatsApp was contacted by the Times of India but did not give any formal statement on the issue.

Facebook-owned WhatsApp sued the Israeli company in the United States; the surveillance was reported the next day. In the lawsuit, WhatsApp alleges that the Israeli company monitored 7,000 people around the world using the Pegasus spyware.

The lawsuit alleges that Pegasus was used to seize information from smartphones running the iOS, Android and BlackBerry operating systems. Through a flaw in WhatsApp's VoIP stack, the code could be deployed remotely on the device.

Pegasus is software developed by NSO Group in Israel

According to a BBC Online report, Faustin Rukundu, who recently came to Leeds, England from Rwanda, complained that his WhatsApp had been hacked. He said he received a WhatsApp call from a stranger. When he answered, nobody spoke. Unbeknownst to him, his phone was hacked and files were taken from it. Missed calls from strangers kept arriving on his phone. He bought a new phone out of fear for his family's safety. A few days later, the calls from strangers started again.

Faustin alleges that many other opponents of the Rwandan government have also received calls from strangers.

Last May, he learned that WhatsApp had been hacked.

In May this year, WhatsApp admitted to having flaws. In August, more WhatsApp flaws came to light. At the time, the BBC reported that what you said, or did not write, on WhatsApp could be made to appear. If desired, a rogue could change a WhatsApp message using special programs. A tool for altering users' messages on the WhatsApp platform was recently demonstrated. Experts say that Facebook-owned WhatsApp has a fatal flaw that can be used to change a user's words.

Researchers at Check Point, a cybersecurity firm, claim that they found WhatsApp flaws as well as tools for replacing messages sent on WhatsApp. The flaw can be used to spread fake news or to cheat people.

How does Pegasus get onto WhatsApp?

Experts say that Pegasus can be installed through nothing more than a missed WhatsApp video call. Once installed after the call, Pegasus can take full control of the entire smartphone, including its contact list. Everything happens without the user being aware of it. From the messaging app, the operators can extract information including video calls, messages and media.

NSO Group claims that it sells its software only to government agencies, and that the software is not created or licensed to monitor human rights activists or journalists.

Notorious GandCrab Ransomware Returns With A New Name

GandCrab was one of the most prolific ransomware families of 2018 and 2019. The ransomware encrypted all the files on the target computer and demanded as much as $2,000 in Bitcoin or Dash for the decryption key. The authors behind GandCrab announced in June that they were shutting down the malware's operations because they had made enough money from it. According to the authors, they earned $2 billion from ransomware payments.

Now, security researchers at Secureworks' Counter Threat Unit have spotted a new ransomware that shares code with GandCrab and is seen as an evolved version of GandCrab.

REvil, which is also known as Sodinokibi, has been linked to GandCrab malware.

Speaking to ZDNet, a security researcher said, “It certainly shares some code overlap with GandCrab and there are even artifacts in there which suggest that it was intended to be an evolution of GandCrab and they decided that GandCrab was ripe for a rebrand and relaunch.”

Why are researchers linking REvil to GandCrab?

Researchers have given the following reasons for believing that GandCrab is resurfacing in the form of REvil:

• The string decoding functions of REvil and GandCrab share similarities.
• The two ransomware families also share URL-building functionality that produces similar URL patterns for control servers and commands.
• Terms like 'gcfin' and 'gc6' in the REvil code suggest a relation between GandCrab and REvil. Researchers believe that 'gcfin' stands for 'GandCrab Final' and 'gc6' denotes GandCrab 6.
• Both REvil and GandCrab whitelist certain keyboard layouts as a measure to avoid infecting Russian-based hosts.

Despite the similarities in the code, there are some differences as well, which suggest that REvil could be the work of another actor trying to imitate GandCrab.

While the operators of GandCrab often displayed an amicable relationship with security researchers, frequently mentioning researchers' names in their command and control domains, the actors behind REvil take a strictly business approach.

REvil could be on its way to becoming one of the most high-profile ransomware families. We recommend that users keep their systems updated as soon as updates arrive to safeguard themselves against attacks.

How to secure your webcam and prevent webcam hacking

Webcams can be a window for you to see the world, but they also give criminals a view into your personal life. Here's what you can do to stop being watched.

Webcams are great. They allow us to easily communicate face-to-face with family and friends, even if they are at the other end of the world. They allow journalists to interview people in far-flung corners of the world. They allow entrepreneurs in remote locations to do business with people in large cities around the world.

And so today, from smartphones, laptops and tablets to notebook PCs, webcams have become standard equipment. Just about every device we use has a camera.

But have you ever stopped to think that while you are staring at your screen, someone else on the Internet may be staring at you as well?

In 2014, more than half a million Windows computers were infected with malware that allowed remote access to users' webcams and microphones. For reference, that is about one-sixth of the American population.

Webcam hacking is real. Webcam resolutions are getting much better these days, which means high-quality photos and videos can be used for espionage or exploitation, so I'm here to guide you on how to secure your webcam.

National news periodically carries reports of people being tricked by hackers into installing webcam spyware.

In 2016, a photo of Facebook founder Mark Zuckerberg's computer with tape covering the webcam sparked much debate about the safety of personal webcams.

Many webcams on notebook computers have an indicator light that tells you when the camera is actively capturing video. But on some cameras it may be possible to disable this activity light through software hacks or modified configuration settings. So, just because you don't see an activity light does not mean that your webcam is not capturing video.

Webcam Malware

There have been numerous instances of malware specifically designed to target webcams to allow hackers to secretly view their prey.

The best known of these pieces of malware was Blackshades, a remote access Trojan (RAT) that was distributed when victims visited infected websites, opened malicious email attachments, or plugged infected USB drives into their PCs. This is the malware that was used against Wolf.

Among other functionality, Blackshades allowed the person using it to take full control of an infected user's webcam. The malware infected more than half a million PCs in more than 100 countries around the world, selling for as little as $40 on the web.

The Blackshades RAT, available for sale on the web for just $40, enabled anyone anywhere in the world to become a dangerous cybercriminal able to steal your property and invade your privacy. The malware's maker was eventually arrested by the FBI.

In 2012, the Electronic Frontier Foundation and Citizen Lab reported that Blackshades was being used against opposition forces in Syria, while others bought the hacking tool to spy on people they knew, including a man from Leeds who in 2015 was given a 40-week suspended sentence. He used Blackshades against 14 people, 7 of whom he knew personally, and paid for it with his ex-girlfriend's credit card.

Recently, Gartner reported on the Delilah malware, which specifically targets enterprises and uses webcams to gather compromising material on employees and their families in order to blackmail them and their companies into handing over sensitive information.

Webcam Streaming Sites

But in many cases hacking is not even required to access a webcam. In 2014 the US and UK governments warned that several websites were streaming unsecured webcams from around the world.

These sites, which do not hack anyone's systems, rely on the fact that most webcams, security cameras and IP cameras are installed with the manufacturer's default security settings left unchanged, and can therefore be viewed by anyone.

The operators of these sites say they only scan for unsecured Internet-connected cameras and post snapshots taken from them on their sites.

How To Secure Your Webcam and Prevent Webcam Hacking

So it is clear that there are significant risks associated with having a webcam in your home or workplace. Thankfully there are many steps you can take to protect yourself, your family and your business.

1) The Simple Solution: Cover It Up

Sometimes the simplest solutions are the best. If you want to make sure no one is watching you through your webcam, get some electrical tape and cover it. If you don't want any tape residue on your camera,

Zuckerberg prefers a piece of black electrical tape, while Snowden has been seen holding a blanket over his entire laptop to stop spies. Whichever you choose, you should always check that the cover on your laptop or desktop camera actually works by firing up a camera app (or using the Skype test call feature) to see whether you have blocked everything.

One problem with using tape is that, should you need the camera at some point, the tape may leave a sticky residue on the lens, although this can usually be solved by rubbing it off.

If you don't want to use this solution but want something more substantial, you can buy physical webcam covers online. They come in a variety of shapes, sizes and colors, some with a sliding door.

2) Close your laptop / Turn off your computer

If you use your webcam for Skype chats or video conferencing (or just to check that your hair is fine), then instead of putting a cover on it you can simply make sure your computer is turned off when you are not using it.

Even the best hacker in the world will not be able to see you if your PC is powered down or your laptop is closed while you are not using it.

3) Regularly scan your computer for webcam malware

Hackers are very good at circumventing traditional security measures such as antivirus software, and spotting webcam-focused malware is generally not something antivirus products do well.

But this does not mean that you should do nothing.

You should use a good antimalware program as a second opinion. As the name suggests, it acts as a secondary malware detection and removal program for the cases where the primary antivirus scanner on your PC fails to detect an active infection.

Hackers actively write their malware to evade particular antivirus products, so it is always a good idea to also use an antimalware tool such as Malwarebytes if you have a webcam on your PC or laptop.

4) Change the default admin username and password

If you are using a standalone webcam, either with your computer or as a security camera or baby monitor, make sure you change the default settings that the manufacturer configured before the device left the factory.

These changes are made through the software that came with your camera.

5) Avoid Opening E-mail Attachments From Unknown Sources

If you get an email from someone you don't know and it has a file attached, think twice before opening it, because it may contain a Trojan horse that installs webcam-related malware on your computer.

6) Avoid Clicking Shortened Links on Social Media Sites

One of the ways webcam-related malware spreads is through links on social media sites. Malware distributors often use services such as TinyURL and Bitly to shorten links and hide the real destination, which may well be a malware distribution site.

7) Use a Firewall

Another good way to protect your webcam is to use a firewall. It is software that provides an additional layer of protection by monitoring incoming and outgoing traffic. It prevents unauthorized access to your device and filters out traffic that should be blocked.

Most firewalls will need to be manually turned on, so you should go into your device settings and make sure it is enabled.

8) Disable Your Webcam

If you are not planning to use your webcam for some time, you can always disable it. While this may not stop a determined hacker, it will stop most methods of gaining control, as the malware used will probably not attempt to re-enable the camera or install its drivers.

The easiest way to disable your webcam is through Windows Device Manager. Use the built-in search on your desktop to find and launch it.

Device Manager lists each piece of hardware connected to your computer by category. Webcams are usually listed under Cameras, but you may also find them under categories like Imaging Devices.

When you find your camera, right-click it, and select Disable device. Windows will ask you to confirm. You may have to restart your computer for the change to take effect.

Facebook Listened To Your Voice Messages Without Permission

Mark Zuckerberg's Facebook is the newest addition to the list of tech companies that invade our privacy by listening to private conversations. The company hired external contractors to listen to our conversations.

Facebook Has Access to Voice Chats

According to a report by Bloomberg, Facebook paid contractors to transcribe users’ voice chats from its services, specifically Facebook Messenger. The voice chats included various conversations between users that were even ‘vulgar’ in nature, meaning a lot of sensitive content was accessed by the company.

People close to the matter have suggested that those who were listening to the audio clips weren’t allowed to know why they were doing so.

Among the contractors hired to do the job is TaskUs Inc.; it has suggested that Facebook never told its staff where the voice clips came from, because of which TaskUs's employees felt they were involved in something unethical.

Facebook Admits

Facebook has admitted that it hired people to transcribe users’ voice chats to ensure that its AI can understand the messages. However, it stopped doing so a week back, after various other tech companies were found accessing users’ conversations.

Although Facebook has halted its practice of listening to users' chats, it never told users that it would access their conversations (at least not directly). Facebook mentions in its data-use policy that it can collect user data, but it doesn't specifically mention voice clips.

A New Member

Facebook is obviously not the only tech company that got hold of user conversations for its own advantage. Quite recently, Apple’s Siri was found recording users’ conversations (even sex chats) to further train the virtual assistant; Amazon’s Alexa and Google Assistant are also part of the list.

Following the revelations, Apple and Google stopped the practice, while Amazon has provided users with the option to opt-out of the process.

My Take

While companies claim to access users' private conversations only to analyze and improve their services, it's clearly a case of privacy invasion, and it's high time companies stopped doing this in the name of enhancing their services for us.

Companies can find other ways of doing so; maybe custom-made sample audio clips could work in this scenario instead of actual conversations. I hope these companies take note and avoid trouble for themselves, especially Facebook, which has just been fined by the FTC.

Kaspersky Allowed Tracking Of Millions Of Users By Injecting Unique ID

On Thursday, a German security journalist Ronald Eikenberg reported a flaw in Kaspersky antivirus software that could have leaked data of millions of Kaspersky users.

According to his report, Kaspersky injected a unique identifier into the HTML of every website a user visited, making it ridiculously easy for third parties to keep track of a user regardless of the browser used.

The company later confirmed that its antivirus product does not interact with the Tor Browser, so the same is not possible on Tor.

The JavaScript goes something like:

<script type="text/javascript" src="" charset="UTF-8"></script>

The script carried a Universally Unique Identifier (UUID) which Ronald discovered on systems with Kaspersky software. The unique ID (shown in bold in his report) was present on every website he visited.

The ID popped up in every popular browser such as Firefox, Chrome, Edge, and Opera. “Without exception, even on the website of my bank, a script from Kaspersky was introduced,” he writes.

After the flaw was reported, the company said that the leak was present in all Kaspersky Antivirus editions launched in 2016. To put it in simpler words, people who had been using the Kaspersky AV 2016 editions for the last four years were vulnerable to the leak.

This includes all the consumer versions of the software for Windows (Kaspersky Internet Security, Kaspersky Total Security, and all the free versions). Kaspersky released an update back in June which fixed the flaw. The company also issued an advisory a month later.

Kaspersky later released a statement thanking Ronald for reporting the error. The company also pointed out that abuse of the flaw is highly unlikely, given its "complexity and low profitability for cybercriminals."
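The tracking risk described above can be checked for in saved page source: the following is an added example (not code from Eikenberg's report or from Kaspersky) that scans HTML for externally loaded scripts whose URL embeds a UUID and reports any identifier that recurs across different sites. The vendor hostname, path and UUID in the sample pages are constructed placeholders, not the real ones.

```python
import re
from html.parser import HTMLParser

# UUID pattern (8-4-4-4-12 hex groups) of the kind embedded in the injected script URL.
UUID_RE = re.compile(
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.IGNORECASE
)


class _ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in a document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names for us.
        if tag != "script":
            return
        for name, value in attrs:
            if name == "src" and value:
                self.srcs.append(value)


def find_uuid_scripts(html):
    """Return (src, uuid) for each external script whose URL embeds a UUID."""
    parser = _ScriptSrcCollector()
    parser.feed(html)
    parser.close()
    hits = []
    for src in parser.srcs:
        match = UUID_RE.search(src)
        if match:
            hits.append((src, match.group(0).lower()))
    return hits


def cross_site_identifiers(pages):
    """Map each UUID to the sorted origins it appeared on, keeping only
    identifiers seen on more than one origin: a stable, per-user value
    that shows up on unrelated sites is what makes cross-site tracking possible."""
    seen = {}
    for origin, html in pages.items():
        for _, uid in find_uuid_scripts(html):
            seen.setdefault(uid, set()).add(origin)
    return {uid: sorted(origins) for uid, origins in seen.items() if len(origins) > 1}


# Constructed sample data: hostname, path and UUID are placeholders (assumption), not real values.
SAMPLE_UUID = "9f1c2a3b-4d5e-4f60-8a71-b2c3d4e5f607"
INJECTED_TAG = (
    '<script type="text/javascript" '
    f'src="https://av-vendor.example/script/{SAMPLE_UUID}/main.js" '
    'charset="UTF-8"></script>'
)

SAMPLE_PAGES = {
    "https://bank.example": (
        "<html><head><title>Online banking</title>"
        + INJECTED_TAG
        + '<script src="https://bank.example/static/app.js"></script>'
        "</head><body>Balance</body></html>"
    ),
    "https://news.example": (
        "<html><head>" + INJECTED_TAG + "</head><body>Headlines</body></html>"
    ),
    "https://clean.example": (
        '<html><head><script src="https://clean.example/site.js"></script>'
        "</head><body>No injected script</body></html>"
    ),
}


if __name__ == "__main__":
    for origin, html in SAMPLE_PAGES.items():
        print(origin, find_uuid_scripts(html))
    print("identifiers seen across sites:", cross_site_identifiers(SAMPLE_PAGES))
```

Feeding the function saved copies of a few unrelated pages from one machine is enough to spot an identifier that follows the user around; a legitimate site-local script carries no such value.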

All-In-One Malware ‘Plurox’ Can Hack Your PC In Three Different Ways

Kaspersky's security team has discovered a new strain of malware called Plurox, which packs a cryptominer, a backdoor and worm-like plugins into one package.

Plurox is a cut above regular malware. It comes with advanced capabilities that let it spread laterally to more systems and mine cryptocurrency using one of its eight different plugins.

This self-spreading malware has a modular structure that supports its multiple features, such as the backdoor trojan and the cryptominer.

Modular structure of Plurox

At its core, Plurox contains a primary component that allows Plurox bots (the infected hosts) to communicate with a command and control (C&C) server.

The Kaspersky team says that this component is crucial and the authors of Plurox use it to download and run files on the infected hosts. The downloaded files are called “plugins,” which contain most of the malware’s features.

Motive behind Plurox: Cryptomining

Eight different plugins have been found in Plurox whose sole purpose is cryptocurrency mining; they target various hardware configurations for CPU/GPU mining. In addition to these, there is a UPnP plugin and an SMB plugin.

By monitoring the malware’s activity, the team found two ‘subnets.’ One subnet is dedicated to receiving only mining modules and the other subnet is focused on downloading all modules that are available.

Although the purpose of having two separate communication channels is unclear, it does establish that the primary feature of both subnets is cryptocurrency mining.

Plurox inspired by NSA exploits

The SMB plugin mentioned previously is essentially a repackaged NSA exploit called EternalBlue, which was publicly leaked in 2017.

The plugin allows bad actors to scan local networks and spread the malware to vulnerable workstations via the SMB protocol (running the EternalBlue exploit).

But that's not all. The UPnP plugin is actually the sneakiest and nastiest of them all. It creates port forwarding rules on the local network of a compromised system and uses them to build backdoors into enterprise networks, bypassing firewalls and other security measures in place.

Once again, the inspiration behind the UPnP plugin came from another leaked NSA exploit, called EternalSilence. However, instead of reusing the actual EternalSilence code, the authors developed their own version.

Security researchers are still trying to figure out how the Plurox crew is spreading the malware to hijack larger networks. For more information on the same, you can refer to Kaspersky’s SecureList blog.


Bird Miner This Cryptominer Malware Emulates Linux To Attack Macs

One of the biggest disadvantages of using pirated software is the increased risk of your computer getting infected with malware. Cybercriminals often bundle cracked versions of paid software on piracy websites with adware and cryptominers to earn free cash. So, if you install such programs from unknown sources, the chances of getting hacked are pretty high.

The same attack vector is being used to distribute a new Mac cryptocurrency miner named Bird Miner. As Malwarebytes' official blog explains, Bird Miner has been found bundled with a cracked installer for Ableton Live, a tool for high-end music production.

Malwarebytes found that a cracked 2.6 GB installer for Ableton Live 10 is available on the piracy website VST Crack. Security researchers from the firm became suspicious when they found that Bird Miner's post-installation script was busy copying the installed files to new locations under random names.

The randomly named files serve various functions, including acting as launch daemons. One such daemon launches a shell script called Crax, which makes sure the malware stays hidden from security researchers. The malware also checks whether the Mac's CPU is running at more than 85 percent load and, if so, avoids running the cryptomining script.

Bird Miner uses Tiny Core Linux emulation

The last piece of the puzzle is the launch of an executable named Nigel, which is an old version of the open-source emulator Qemu. For those who don't know, Qemu is terminal-only virtualization software that lets one run Linux on non-Linux machines.


The Qemu emulator further uses a file named Poaceae, which is a bootable Tiny Core Linux image. Finally, as soon as the Tiny Core system boots up, the xmrig miner starts running to mine the Monero cryptocurrency.

The Malwarebytes researchers suggest that familiarity with Linux could be why the malware's creators chose the Linux route. The malware also shows how easily using pirated software can get you infected.

100 Million Dell PCs At Risk Due To Critical Bug In 'SupportAssist' Software

The SupportAssist software comes pre-loaded on most Dell laptops and desktops. It’s used to check for different hardware and software issues that could arise over the course of time on Dell machines. For example, it can be used to test whether the battery is in a healthy condition or not.

Unfortunately, the innocent-looking SupportAssist could open doors for attackers, who can use it to achieve privilege escalation on Dell machines running Windows 10. The vulnerability was discovered by security firm SafeBreach Labs, the firm told Fossbytes in an email.

It's estimated that around 100 million PCs on which SupportAssist might be installed could be at risk.

Moreover, according to the security firm, the vulnerability (CVE-2019-12280) isn't limited to Dell. Like Dell, many other OEMs use a re-branded version of the diagnostic tool created by PC-Doctor.

The list of other affected software includes PC-Doctor Tool For Windows, which is also re-branded as CORSAIR Diagnostics, Staples EasyTech Diagnostics, etc.

What’s the problem?

PC-Doctor developed the components that allow access to hardware such as PCI devices and physical memory. The researchers assumed that the program must have low-level access to system components to perform its operations.

When they ran the program on their virtual machine, the researchers found that they could easily load a custom-made DLL file for privilege escalation, because the program doesn't validate whether a DLL being loaded is digitally signed.

An attacker can take advantage of the vulnerability to bypass techniques such as application whitelisting, which is used to prevent unsafe applications from running on the machine.

SafeBreach researchers created a proof of concept and were able to read and write physical memory, and so could an attacker.

To prevent unsigned kernel-mode drivers from installing on the machine, Windows uses a mechanism called Driver Signature Enforcement. It crashes the system when it detects an unsigned driver being loaded.

But because of the vulnerability, DSE is rendered useless. The program ships with a driver that is already digitally signed and authorized by Microsoft, so the attacker might not need to load an unsigned driver at all to obtain read/write access.

The disclosure comes after a non-disclosure period that ended on June 19th. Dell confirmed the existence of the bug after it was first reported in April 2019. The researchers also notified PC-Doctor, and a security patch is expected to be released sometime in mid-June.

Dell has released security patches for the vulnerability. It's advised to update your machines in good time.

HiddenWasp Malware

Beware the HiddenWasp in Linux!

Intezer has discovered a new, sophisticated malware that we have named “HiddenWasp”, targeting Linux systems.

• The malware is still active and has a zero-detection rate in all major anti-virus systems.

• Unlike common Linux malware, HiddenWasp is not focused on crypto-mining or DDoS activity. It is a trojan purely used for targeted remote control.

• Evidence shows with high probability that the malware is used in targeted attacks against victims who are already under the attacker's control or have been subjected to heavy reconnaissance.

• The HiddenWasp authors have adopted a large amount of code from various publicly available open-source malware, such as Mirai and the Azazel rootkit. In addition, there are some similarities between this malware and other Chinese malware families; however, the attribution is made with low confidence.

• We have detailed our recommendations for preventing and responding to this threat.

1. Introduction

Although the Linux threat ecosystem is crowded with IoT DDoS botnets and crypto-mining malware, it is not very common to spot trojans or backdoors in the wild.

Unlike Windows malware, Linux malware authors do not seem to invest too much effort writing their implants. In an open-source ecosystem, there is a high ratio of publicly available code that can be copied and adapted by attackers.

In addition, anti-virus solutions for Linux tend to be less robust than those on other platforms. Threat actors targeting Linux systems are therefore less concerned with implementing extensive evasion techniques, since even implants that reuse large amounts of known code can stay under the radar.

Nevertheless, malware with strong evasion techniques does exist for the Linux platform. There is also a high ratio of publicly available open-source malware that utilizes strong evasion techniques and can be easily adapted by attackers.

We believe this fact is alarming for the security community since many implants today have very low detection rates, making these threats difficult to detect and respond to.

We have discovered further undetected Linux malware that applies advanced evasion techniques, using a rootkit to support a trojan-based implant.

In this blog, we will present a technical analysis of each of the different components that this new malware, HiddenWasp, is composed of. We will also highlight interesting code-reuse connections that we have observed to several open-source malware.

The following images are screenshots from VirusTotal of the newer undetected malware samples discovered:


2. Technical Analysis

When we came across these samples we noticed that the majority of their code was unique:

Similar to the recent Winnti Linux variants reported by Chronicle, the infrastructure of this malware is composed of a user-mode rootkit, a trojan and an initial deployment script. We will cover each of the three components in this post, analyzing them and their interactions with one another.

2.1 Initial Deployment Script:

When we spotted these undetected files in VirusTotal it seemed that among the uploaded artifacts there was a bash script along with a trojan implant binary.


We observed that these files were uploaded to VirusTotal using a path containing the name of a Chinese-based forensics company known as Shen Zhou Wang Yun Information Technology Co., Ltd.

Furthermore, the malware implants seem to be hosted in servers from a physical server hosting company known as ThinkDream located in Hong Kong.


Among the uploaded files, we observed that one of the files was a bash script meant to deploy the malware itself into a given compromised system, although it appears to be for testing purposes:

Thanks to this file we were able to download further artifacts not present in VirusTotal related to this campaign. This script will start by defining a set of variables that would be used throughout the script.

Among these variables we can spot the credentials of a user named ‘sftp’, including its hardcoded password. This user seems to be created as a means to provide initial persistence to the compromised system:

Furthermore, after the system’s user account has been created, the script proceeds to clean the system as a means to update older variants if the system was already compromised:

The script will then proceed to download a tar compressed archive from a download server according to the architecture of the compromised system. This tarball will contain all of the components from the malware, containing the rootkit, the trojan and an initial deployment script:

After malware components have been installed, the script will then proceed to execute the trojan:

We can see that the main trojan binary is executed, the rootkit is added to LD_PRELOAD path and another series of environment variables are set such as the ‘I_AM_HIDDEN’. We will cover throughout this post what the role of this environment variable is. To finalize, the script attempts to install reboot persistence for the trojan binary by adding it to /etc/rc.local.

Within this script we were able to observe that the main implants were downloaded in the form of tarballs. As previously mentioned, each tarball contains the main trojan, the rootkit and a deployment script for x86 and x86_64 builds accordingly.

The deployment script has interesting insights of further features that the malware implements, such as the introduction of a new environment variable ‘HIDE_THIS_SHELL’:

We found some of these environment variables in an open-source rootkit known as Azazel.

It seems that this actor replaced Azazel’s default environment variable, HIDE_THIS_SHELL, with I_AM_HIDDEN. We base this conclusion on the fact that HIDE_THIS_SHELL is not used anywhere else in the malware’s components, so it appears to be a leftover from the original Azazel code.

2.2 The Rootkit:

The majority of the code in the rootkit implants involved in this malware infrastructure is noticeably different from the original Azazel project. Winnti Linux variants are also known to have reused code from this open-source project.

Within this function, we can see that control flow eventually reaches a function in charge of resolving a set of dynamic imports, which are the functions it will later hook, along with decoding a series of strings needed for the rootkit’s operation.

We can see that for each string it allocates a new dynamic buffer, copies the string into it and then decodes it in place.

It seems that the implementation for dynamic import resolution slightly varies in comparison to the one used in Azazel rootkit.

When we wrote the script to simulate the cipher that implements the string decoding function we observed the following algorithm:

We recognized that a similar algorithm to the one above was used in the past by Mirai, implying that authors behind this rootkit may have ported and modified some code from Mirai.

After the rootkit main object has been loaded into the address space of a given process and has decrypted its strings, it will export the functions that are intended to be hooked. We can see these exports to be the following:

For every given export, the rootkit will hook and implement a specific operation accordingly, although they all have a similar layout. Before the original hooked function is called, it is checked whether the environment variable ‘I_AM_HIDDEN’ is set:

We can see an example of how the rootkit hooks the function fopen in the following screenshot:

We have observed that after checking whether the ‘I_AM_HIDDEN’ environment variable is set, the hook runs a function that hides all of the rootkit’s and trojan’s artifacts. In the fopen hook specifically, it also checks whether the file being opened is ‘/proc/net/tcp’; if so, it attempts to hide the malware’s connection to the CNC by scanning every entry for the destination or source port used to communicate with the CNC, in this case 61061. This is also the default port in the Azazel rootkit.

The rootkit primarily implements artifact hiding as well as TCP connection hiding, as mentioned above. The overall functionality of the rootkit is illustrated in the following diagram:

2.3 The Trojan:

The trojan comes in the form of a statically linked ELF binary linked with stdlibc++. We noticed that the trojan has code connections with ChinaZ’s Elknot implant in regards to some common MD5 implementation in one of the statically linked libraries it was linked with:

In addition, we also see a high rate of shared strings with other known ChinaZ malware, reinforcing the possibility that actors behind HiddenWasp may have integrated and modified some MD5 implementation from Elknot that could have been shared in Chinese hacking forums:

When we analyzed the main function we noticed that the first action the trojan takes is to retrieve its configuration:

The malware configuration is appended at the end of the file and has the following structure:

The malware will try to load itself from the disk and parse this blob to then retrieve the static encrypted configuration.

Once the encrypted configuration has been retrieved, it is decoded and then parsed as JSON.

The cipher used to encode and decode the configuration is the following:

This cipher appears to be an RC4-like algorithm that uses an already computed (PRGA-generated) keystream rather than expanding a key at runtime. It is important to note that this same cipher is used later on in the network communication protocol between trojan clients and their CNCs.

After the configuration is decoded the following json will be retrieved:

Moreover, if the file is running as root, the malware will attempt to change the default location of the dynamic linker’s LD_PRELOAD path. This location is usually at /etc/, however there is always a possibility to patch the dynamic linker binary to change this path:

The patch_ld function will scan for any existing /lib paths. The scanned paths are the following:

The malware will attempt to find the dynamic linker binary within these paths. The dynamic linker filename is usually prefixed with ld-<version number>.

Once the dynamic linker is located, the malware will find the offset where the /etc/ string is located within the binary and will overwrite it with the path of the new target preload path, that one being /sbin/.ifup-local.

To achieve this patching it executes the following formatted command using the xxd hex utility, after first hex-encoding the path of the rootkit:

Once it has changed the default LD_PRELOAD path from the dynamic linker it will deploy a thread to enforce that the rootkit is successfully installed using the new LD_PRELOAD path. In addition, the trojan will communicate with the rootkit via the environment variable ‘I_AM_HIDDEN’ to serialize the trojan’s session for the rootkit to apply evasion mechanisms on any other sessions.

After seeing the rootkit’s functionality, we can understand that the rootkit and trojan work together in order to help each other to remain persistent in the system, having the rootkit attempting to hide the trojan and the trojan enforcing the rootkit to remain operational. The following diagram illustrates this relationship:

Continuing with the execution flow of the trojan, a series of functions are executed to enforce evasion of some artifacts:

These artifacts are the following:

By performing some OSINT on these artifact names, we found that they belong to a Chinese open-source rootkit for Linux known as Adore-ng, hosted on GitHub:

The fact that these artifacts are searched for suggests that the Linux systems targeted by these implants may already have been compromised with some variant of this open-source rootkit, making it an additional artifact in this malware’s infrastructure. Although those paths are searched for in order to hide their presence on the system, it is important to note that none of the analyzed artifacts related to this malware are installed in such paths.

This finding may imply that the systems this malware aims to intrude are already known compromised targets, whether of the same group or of a third party collaborating toward the same end goal as this particular campaign.

With the help of this function we were able to understand the structure of the communication protocol employed. We can illustrate the structure of this communication protocol by looking at a pcap of the initial handshake between the server and client:

While analyzing this protocol we noticed that the Reserved and Method fields are always constant, 0 and 1 respectively. The cipher table offset represents the offset into the hardcoded keystream at which the encrypted payload was encoded. The following is the fixed keystream this field refers to:

After decrypting the traffic and analyzing some of the network-related functions of the trojan, we noticed that the communication protocol is also implemented in JSON format. To show this, the following image is the decrypted handshake packets between the CNC and the trojan:
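The configuration cipher described in section 2.3 and the network protocol above use the same construction: the payload is XORed against a fixed, precomputed keystream starting at the per-message "cipher table offset". The following Python is an added analysis helper, not Intezer’s code or anything extracted from the sample. It assumes a wire layout (one-byte Reserved, one-byte Method, two-byte big-endian table offset, two-byte big-endian length, then payload), assumes the offset wraps around the table, and uses a constructed placeholder keystream, because the post shows the field names and the real table only as screenshots.

```python
import json
import struct

# CONSTRUCTED placeholder keystream for the demo. The real keystream is a
# hardcoded table inside the trojan and is deliberately not reproduced here.
KEYSTREAM = bytes((i * 73 + 41) & 0xFF for i in range(512))

# Assumed wire layout (field widths are an assumption, field names are from the post):
#   reserved (1 byte, always 0) | method (1 byte, always 1) |
#   cipher table offset (2 bytes, big-endian) | length (2 bytes, big-endian) | payload
HEADER = struct.Struct(">BBHH")


def keystream_xor(data: bytes, table_offset: int, keystream: bytes = KEYSTREAM) -> bytes:
    """XOR data against keystream[table_offset:]. Symmetric: encodes and decodes.

    Wrapping around the end of the table is an assumption for the demo.
    """
    n = len(keystream)
    return bytes(b ^ keystream[(table_offset + i) % n] for i, b in enumerate(data))


def build_packet(message: dict, table_offset: int) -> bytes:
    """Serialise a JSON message the way the protocol description implies."""
    plain = json.dumps(message, separators=(",", ":")).encode()
    return HEADER.pack(0, 1, table_offset, len(plain)) + keystream_xor(plain, table_offset)


def parse_packet(raw: bytes) -> dict:
    """Validate the constant header fields, decode the payload and parse it as JSON."""
    if len(raw) < HEADER.size:
        raise ValueError("truncated header")
    reserved, method, table_offset, length = HEADER.unpack_from(raw)
    # The post reports Reserved == 0 and Method == 1 in every observed packet;
    # anything else is either not this protocol or a variant worth a closer look.
    if reserved != 0 or method != 1:
        raise ValueError(f"unexpected reserved/method: {reserved}/{method}")
    body = raw[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated payload")
    return json.loads(keystream_xor(body, table_offset).decode())


def roundtrip_demo() -> dict:
    """Build and decode a constructed handshake-like message (field names invented)."""
    msg = {"cmd": "hello", "host": "demo-box", "id": 1}
    return parse_packet(build_packet(msg, table_offset=37))


if __name__ == "__main__":
    print(roundtrip_demo())
```

When working from a real capture, replace KEYSTREAM with the table recovered from the binary and adjust HEADER to the widths seen in the pcap; because the cipher is a plain XOR against a static table, a known plaintext (the JSON handshake) at a known offset directly reveals the corresponding keystream bytes, which is what makes this protocol decodable for defenders once the table is known.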

After the handshake is completed, the trojan will proceed to handle CNC requests:

Depending on the given requests the malware will perform different operations accordingly. An overview of the trojan’s functionalities performed by request handling are shown below:

3. Prevention and Response

Prevention: Block Command-and-Control IP addresses detailed in the IOCs section.

Response: We have provided a YARA rule intended to be run against in-memory artifacts in order to detect these implants.

In addition, to check whether your system is infected, you can search for the dynamic linker binaries described above (files whose names begin with ld-). If any of them does not contain the string ‘/etc/’, your system may be compromised, because the trojan implant attempts to patch the dynamic linker so that the LD_PRELOAD mechanism is enforced from an arbitrary location.
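The dynamic linker check above and the environment variables set by the deployment script in section 2.1 (LD_PRELOAD pointing at the rootkit, I_AM_HIDDEN, and the leftover Azazel name HIDE_THIS_SHELL) can be turned into a small host triage script. The Python below is an added example, not Intezer’s tooling; the list of library directories it scans is an assumption (the post only says the trojan scans "/lib paths"), while the ‘/etc/’ marker, the /sbin/.ifup-local replacement path and the variable names come from the post.

```python
import os
from pathlib import Path
from typing import Dict, Iterator, List

# Directories in which to look for the dynamic linker. Assumption for the demo:
# the post only states that the trojan scans "/lib paths".
LINKER_DIRS = ["/lib", "/lib64", "/lib32", "/usr/lib", "/usr/lib64",
               "/lib/x86_64-linux-gnu", "/lib/i386-linux-gnu"]
ORIGINAL_MARKER = b"/etc/"              # string the post says a clean ld.so contains
PATCHED_PRELOAD = b"/sbin/.ifup-local"  # replacement preload path named in the post
# Variables the deployment script sets; HIDE_THIS_SHELL is the Azazel default
# the post says survives in the script.
SUSPECT_ENV = ("I_AM_HIDDEN", "HIDE_THIS_SHELL")


def assess_linker_image(data: bytes) -> List[str]:
    """Findings for one dynamic linker image; an empty list means nothing suspicious."""
    findings = []
    if ORIGINAL_MARKER not in data:
        findings.append("no '/etc/' string: preload path may have been patched out")
    if PATCHED_PRELOAD in data:
        findings.append("contains '/sbin/.ifup-local': HiddenWasp preload path present")
    return findings


def assess_environ(blob: bytes) -> List[str]:
    """Findings for a /proc/<pid>/environ blob (NUL-separated KEY=VALUE entries)."""
    env = dict(item.split(b"=", 1) for item in blob.split(b"\0") if b"=" in item)
    findings = [f"{name} is set" for name in SUSPECT_ENV if name.encode() in env]
    preload = env.get(b"LD_PRELOAD")
    if preload:
        # LD_PRELOAD has legitimate uses; report it for a human to review.
        findings.append(f"LD_PRELOAD={preload.decode(errors='replace')}")
    return findings


def find_linkers(dirs=LINKER_DIRS) -> Iterator[Path]:
    """Yield regular files named ld-* (the post: 'prefixed with ld-<version number>')."""
    for d in dirs:
        p = Path(d)
        if not p.is_dir():
            continue
        for entry in p.iterdir():
            if entry.name.startswith("ld-") and entry.is_file() and not entry.is_symlink():
                yield entry


def scan_host(dirs=LINKER_DIRS, proc: str = "/proc") -> Dict[str, List[str]]:
    """Run both checks on the local machine and return findings keyed by artifact."""
    results: Dict[str, List[str]] = {}
    for path in find_linkers(dirs):
        try:
            results[str(path)] = assess_linker_image(path.read_bytes())
        except OSError as exc:
            results[str(path)] = [f"unreadable: {exc}"]
    if os.path.exists("/sbin/.ifup-local"):
        results["/sbin/.ifup-local"] = ["preload list file exists"]
    for pid in (os.listdir(proc) if os.path.isdir(proc) else []):
        if not pid.isdigit():
            continue
        try:
            findings = assess_environ(Path(proc, pid, "environ").read_bytes())
        except OSError:
            continue  # process exited, or environ not readable without privileges
        if findings:
            results[f"pid {pid}"] = findings
    return results


if __name__ == "__main__":
    for artifact, findings in scan_host().items():
        print(("SUSPICIOUS " if findings else "OK         ") + artifact)
        for finding in findings:
            print("    -", finding)
```

Two caveats for use. First, the ‘/etc/’ heuristic assumes a glibc dynamic linker, which embeds the path of its preload list; other linkers may not contain that string and would be reported as suspicious. Second, the rootkit works by hooking libc functions in every process that loads it, so a scan run from inside a compromised system may be shown hidden or altered results; run the checks from a rescue boot or against a mounted disk image when the host is in question.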

4. Summary

We analyzed every component of HiddenWasp explaining how the rootkit and trojan implants work in parallel with each other in order to enforce persistence in the system.

We have also covered how the different components of HiddenWasp have adapted pieces of code from various open-source projects. Nevertheless, these implants managed to remain undetected.

Linux malware may introduce new challenges for the security community that we have not yet seen on other platforms. The fact that this malware manages to stay under the radar should be a wake-up call for the security industry to allocate greater effort and resources to detecting these threats.

Linux malware will continue to become more complex over time and currently even common threats do not have high detection rates, while more sophisticated threats have even lower visibility.