S0394 HiddenWasp
HiddenWasp is a Linux-based Trojan used to target systems for remote control. It comes in the form of a statically linked ELF binary with stdlibc++. [1]
| Item | Value |
|---|---|
| ID | S0394 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.2 |
| Created | 24 June 2019 |
| Last Modified | 23 April 2021 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1037 | Boot or Logon Initialization Scripts | - |
| enterprise | T1037.004 | RC Scripts | HiddenWasp installs reboot persistence by adding itself to /etc/rc.local. [1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | HiddenWasp uses a script to automate tasks on the victim's machine and to assist in execution. [1] |
| enterprise | T1136 | Create Account | - |
| enterprise | T1136.001 | Local Account | HiddenWasp creates a user account as a means to provide initial persistence to the compromised machine. [1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | HiddenWasp uses a cipher to implement a decoding function. [1] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.001 | Symmetric Cryptography | HiddenWasp uses an RC4-like algorithm with an already computed PRGA-generated keystream for network communication. [1] |
| enterprise | T1574 | Hijack Execution Flow | - |
| enterprise | T1574.006 | Dynamic Linker Hijacking | HiddenWasp adds itself as a shared object to the LD_PRELOAD environment variable. [1] |
| enterprise | T1105 | Ingress Tool Transfer | HiddenWasp downloads a tar compressed archive from a download server to the system. [1] |
| enterprise | T1095 | Non-Application Layer Protocol | HiddenWasp communicates with a simple network protocol over TCP. [1] |
| enterprise | T1027 | Obfuscated Files or Information | HiddenWasp encrypts its configuration and payload. [1] |
| enterprise | T1014 | Rootkit | HiddenWasp uses a rootkit to hook and implement functions on the system. [1] |
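The three host-side persistence mechanisms the table attributes to HiddenWasp (an entry in /etc/rc.local, a shared object in LD_PRELOAD, and a planted local account) each leave an artifact an analyst can check for directly. The script below is an added example written for this page, not code from ATT&CK or from any HiddenWasp analysis. It parses the contents of /etc/rc.local, /etc/ld.so.preload, the LD_PRELOAD variable and /etc/passwd and reports anything that warrants review. All sample inputs are constructed. Two assumptions are mine rather than the page's: checking /etc/ld.so.preload as well as the LD_PRELOAD variable (the page names only the variable), and treating a non-root UID 0 account as the indicator for the planted local account (the page does not say what the account looks like).

```python
"""Review the persistence locations named in the HiddenWasp ATT&CK entry.

Added example for this page; the sample inputs below are constructed and the
UID-0 and /etc/ld.so.preload heuristics are assumptions, not facts from the entry.
"""
import os
import re

# Constructed sample file contents (illustrative only).
SAMPLE_RC_LOCAL = """#!/bin/sh -e
#
# rc.local - executed at the end of each multiuser runlevel.
/opt/example/helper --daemon
exit 0
"""

SAMPLE_LD_SO_PRELOAD = "# preload list\n/usr/local/lib/example-hook.so\n"

SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:alice:/home/alice:/bin/bash
svcacct:x:0:0::/home/svcacct:/bin/sh
"""


def rc_local_commands(text: str) -> list:
    """Lines of rc.local that execute something at boot (T1037.004).

    Comments, blank lines, the shebang and a trailing 'exit N' are skipped;
    on most hosts the result should be empty."""
    cmds = []
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#") or re.fullmatch(r"exit\s+\d+", s):
            continue
        cmds.append(s)
    return cmds


def preload_entries(text: str) -> list:
    """Shared objects listed in /etc/ld.so.preload (one path per line, '#' comments).

    Assumption: this file is checked alongside the LD_PRELOAD variable the page names."""
    return [l.strip() for l in text.splitlines()
            if l.strip() and not l.strip().startswith("#")]


def ld_preload_env(env: dict) -> list:
    """Shared objects named in the LD_PRELOAD variable (T1574.006).

    The dynamic linker accepts colon- or space-separated paths."""
    return [p for p in re.split(r"[:\s]+", env.get("LD_PRELOAD", "")) if p]


def uid0_accounts(passwd_text: str) -> list:
    """Accounts other than root with UID 0 (T1136.001 heuristic, an assumption).

    Any such account deserves review; a planted account need not be UID 0,
    so this is one check, not a complete one."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            found.append(fields[0])
    return found


def assess(rc_local: str, ld_so_preload: str, env: dict, passwd: str) -> dict:
    """Run every check; each non-empty list is something for an analyst to review."""
    return {
        "rc_local_commands": rc_local_commands(rc_local),
        "ld_so_preload": preload_entries(ld_so_preload),
        "ld_preload_env": ld_preload_env(env),
        "extra_uid0_accounts": uid0_accounts(passwd),
    }


def read_or_empty(path: str) -> str:
    """Read a file if present; a missing file simply yields no findings."""
    try:
        with open(path, "r", errors="replace") as fh:
            return fh.read()
    except OSError:
        return ""


if __name__ == "__main__":
    # Live run against the current host; replace with the SAMPLE_* values to see
    # how each check reports a hit.
    findings = assess(read_or_empty("/etc/rc.local"),
                      read_or_empty("/etc/ld.so.preload"),
                      dict(os.environ),
                      read_or_empty("/etc/passwd"))
    for name, items in findings.items():
        print(f"{name}: {items if items else 'nothing to review'}")
```

Run on the constructed samples, the script reports the helper started from rc.local, the preloaded shared object, and the svcacct account; a clean host yields empty lists for all four checks. Each hit is a review item, not a verdict: legitimate rc.local entries and preload libraries exist, so compare findings against the host's known configuration baseline.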