HiddenWasp emerges from under the Winnti Umbrella (probably).
Intezer described Wednesday the operations of "HiddenWasp," a campaign that installs a backdoor into Linux systems. Most Linux-focused malware has tended to concentrate on coinmining or distributed denial-of-service, and observers say it has also tended to be, relatively speaking, heavy-footed and noisy. HiddenWasp is not only comparatively stealthy, but also aims at control of infected devices. Observers find these new developments disturbing.
HiddenWasp borrows freely: components of Mirai, the ChinaZ Elknot implant, the Azazel rootkit, and the Linux version of Winnti have all been seen in its code. Attribution remains unclear, but some think it looks like an operation with Chinese origins, run either by criminal organizations or by intelligence services. AT&T Cybersecurity’s Alien Labs tells SC Magazine it has concluded, “with high confidence,” that HiddenWasp falls under the Winnti Umbrella, a set of groups associated with China.
It’s worth noting that HiddenWasp seems to have escaped detection by most anti-virus software. Defenders will adapt.