Skip to content

S0394 HiddenWasp

HiddenWasp is a Linux-based Trojan used to target systems for remote control. It comes in the form of a statically linked ELF binary with stdlibc++.1

Item Value
ID S0394
Associated Names
Version 1.2
Created 24 June 2019
Last Modified 23 April 2021
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1037 Boot or Logon Initialization Scripts -
enterprise T1037.004 RC Scripts HiddenWasp installs reboot persistence by adding itself to /etc/rc.local.1
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell HiddenWasp uses a script to automate tasks on the victim’s machine and to assist in execution.1
enterprise T1136 Create Account -
enterprise T1136.001 Local Account HiddenWasp creates a user account as a means to provide initial persistence to the compromised machine.1
enterprise T1140 Deobfuscate/Decode Files or Information HiddenWasp uses a cipher to implement a decoding function.1
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography HiddenWasp uses an RC4-like algorithm with an already computed PRGA generated key-stream for network communication.1
enterprise T1574 Hijack Execution Flow -
enterprise T1574.006 Dynamic Linker Hijacking HiddenWasp adds itself as a shared object to the LD_PRELOAD environment variable.1
enterprise T1105 Ingress Tool Transfer HiddenWasp downloads a tar compressed archive from a download server to the system.1
enterprise T1095 Non-Application Layer Protocol HiddenWasp communicates with a simple network protocol over TCP.1
enterprise T1027 Obfuscated Files or Information HiddenWasp encrypts its configuration and payload.1
enterprise T1014 Rootkit HiddenWasp uses a rootkit to hook and implement functions on the system.1