HiddenWasp
HiddenWasp is a Linux-based Trojan used to target systems for remote control. It comes in the form of a statically linked ELF binary with stdlibc++.[1]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1014 | Rootkit |
HiddenWasp uses a rootkit to hook and implement functions on the system.[1] |
|
| Enterprise | T1136 | .001 | 创建账户: Local Account |
HiddenWasp creates a user account as a means to provide initial persistence to the compromised machine.[1] |
| Enterprise | T1573 | .001 | 加密通道: Symmetric Cryptography |
HiddenWasp uses an RC4-like algorithm with an already computed PRGA generated key-stream for network communication.[1] |
| Enterprise | T1574 | .006 | 劫持执行流: Dynamic Linker Hijacking |
HiddenWasp adds itself as a shared object to the LD_PRELOAD environment variable.[1] |
| Enterprise | T1140 | 反混淆/解码文件或信息 |
HiddenWasp uses a cipher to implement a decoding function.[1] |
|
| Enterprise | T1037 | .004 | 启动或登录初始化脚本: RC Scripts |
HiddenWasp installs reboot persistence by adding itself to |
| Enterprise | T1059 | .003 | 命令与脚本解释器: Windows Command Shell |
HiddenWasp uses a script to automate tasks on the victim's machine and to assist in execution.[1] |
| Enterprise | T1027 | .013 | 混淆文件或信息: Encrypted/Encoded File |
HiddenWasp encrypts its configuration and payload.[1] |
| Enterprise | T1105 | 输入工具传输 |
HiddenWasp downloads a tar compressed archive from a download server to the system.[1] |
|
| Enterprise | T1095 | 非应用层协议 |
HiddenWasp communicates with a simple network protocol over TCP.[1] |
|