HiddenWasp
HiddenWasp is a Linux-based Trojan used to target systems for remote control. It comes in the form of a statically linked ELF binary with stdlibc++.[1]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1037 | .004 | Boot or Logon Initialization Scripts: RC Scripts |
HiddenWasp installs reboot persistence by adding itself to |
| Enterprise | T1059 | .003 | Command and Scripting Interpreter: Windows Command Shell |
HiddenWasp uses a script to automate tasks on the victim's machine and to assist in execution.[1] |
| Enterprise | T1136 | .001 | Create Account: Local Account |
HiddenWasp creates a user account as a means to provide initial persistence to the compromised machine.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information |
HiddenWasp uses a cipher to implement a decoding function.[1] |
|
| Enterprise | T1573 | .001 | Encrypted Channel: Symmetric Cryptography |
HiddenWasp uses an RC4-like algorithm with an already computed PRGA generated key-stream for network communication.[1] |
| Enterprise | T1574 | .006 | Hijack Execution Flow: Dynamic Linker Hijacking |
HiddenWasp adds itself as a shared object to the LD_PRELOAD environment variable.[1] |
| Enterprise | T1105 | Ingress Tool Transfer |
HiddenWasp downloads a tar compressed archive from a download server to the system.[1] |
|
| Enterprise | T1095 | Non-Application Layer Protocol |
HiddenWasp communicates with a simple network protocol over TCP.[1] |
|
| Enterprise | T1027 | Obfuscated Files or Information |
HiddenWasp encrypts its configuration and payload.[1] |
|
| Enterprise | T1014 | Rootkit |
HiddenWasp uses a rootkit to hook and implement functions on the system.[1] |
|