Detecting and De-Cloaking HiddenWasp Linux Stealth Malware
A new Linux stealth malware was discovered by researchers last week. The malware, named HiddenWasp, is a remote access tool that has two modes of infection depending on whether it has root level or user privileges on the target host. The paper above goes into the technical details and we recommend you read it as it is well-written and researched. This post will detail how to de-cloak this type of stealth rootkit on Linux.
What is a LD_PRELOAD Linux Stealth Rootkit?
HiddenWasp uses its own LD_PRELOAD library to hide activity from users. A library put into the LD_PRELOAD path (or /etc/ld.so.preload file) will be able to intercept system calls that are part of the standard Linux libc library. An attacker can hook calls that list directories, network ports or processes and prevent them from showing you malicious activity that is on the host if this kind of stealth rootkit is active.
What HiddenWasp Tries To Do
When activated, HiddenWasp will see if it is root or not. If it is root, it will add a LD_PRELOAD variable to the system /etc/profile directory which will make every user that logs in use the malicious library. The library and support binaries are loaded under /lib and named as /lib/libse1inux.* (Note: linux is spelled with a “1” instead of “l”). It also adds a UID 0 user called sftp to the system for remote login.
If not root, HiddenWasp will rename the main remote access binary as simply .bash and run it out of /tmp.
In both cases, the malware will attempt to communicate back to the command and control server. When run as root, HiddenWasp is able to hide both the process and network port it is using to communicate as shown below:
Detecting HiddenWasp and Other LD_PRELOAD Rootkits
It is very unusual for a Linux system to have LD_PRELOAD or even the /etc/ld.so.preload file used. There are some legitimate reasons for intercepting library calls at this level, but it’s mostly for debuggers and other development tools. It would be rare to have it done on a production system and extremely suspicious if you saw it on a system you controlled if you didn’t do it yourself. Other areas of interest are LD_LIBRARY_PATH and the file /etc/ld.so.cache (which you can view by running ldconfig -p to see if any odd entries appear in the listing). There are also the /etc/ld.so.conf file and /etc/ld.so.conf.d directory you can investigate as well.
To check if LD_PRELOAD is set you can do the following at the command line:
When you look at your environment variables, you should not see LD_PRELOAD set. Likewise you can do the following to investigate the system /etc/ld.so.preload file:
That file should either not exist, or be empty. If it has something in it, you should investigate the file path and make sure you know what the library is and why it was put there.
Here is what the LD_PRELOAD looks like with HiddenWasp active. You can see the path to /lib/libse1inux.so (again linux is spelled with a “1” and not “l”). Any kind of entry into LD_PRELOAD should be immediately investigated as suspect.
De-cloaking a rootkit using the LD_PRELOAD environment is done with this command after logging in:
The above empties the LD_PRELOAD variable so the malicious library is no longer called. Once this is done you can run your normal ps and netstat commands and HiddenWasp is easy to spot:
Because this binary is able to communicate to a remote server, there is no good way to clean up this malware and know you removed everything. It is possible the remote attacker did new things to the system outside of what the initial compromise did. You should do a root cause analysis of how they got onto the system, and then rebuild the system from scratch ensuring it is patched and closely monitored going forward.
Being that we offer an agentless intrusion and compromise detection system for Linux, we ran Sandfly against a system running this malware and we immediately spotted both the root stealth version and non-stealth user versions. Sandfly is not vulnerable to LD_PRELOAD attacks so it is able to de-cloak this activity immediately.
Some partial results of what was found are below to demonstrate how you would have received a warning about something very suspicious going on. Sandfly automatically and constantly patrols for this and many other Linux threats 24 hours a day. You can use Sandfly for free.