Register to stream ATT&CKcon 2.0 October 29-30


HiddenWasp is a Linux-based Trojan used to target systems for remote control. It comes in the form of a statistically linked ELF binary with stdlibc++.[1]

ID: S0394
Platforms: Linux
Version: 1.0

Techniques Used

Domain ID Name Use
Enterprise T1156 .bash_profile and .bashrc HiddenWasp installs reboot persistence by adding itself to /etc/rc.local. [1]
Enterprise T1136 Create Account HiddenWasp creates a user account as a means to provide initial persistence to the compromised machine. [1]
Enterprise T1024 Custom Cryptographic Protocol HiddenWasp uses an RC4-like algorithm with an already computed PRGA generated key-stream for network communication. [1]
Enterprise T1140 Deobfuscate/Decode Files or Information HiddenWasp uses a cipher to implement a decoding function. [1]
Enterprise T1027 Obfuscated Files or Information HiddenWasp encrypts its configuration and payload. [1]
Enterprise T1055 Process Injection HiddenWasp adds itself to the LD_PRELOAD path and sets a series of environment variables. [1]
Enterprise T1105 Remote File Copy HiddenWasp downloads a tar compressed archive from a download server to the system. [1]
Enterprise T1014 Rootkit HiddenWasp uses a rootkit to hook and implement functions on the system. [1]
Enterprise T1064 Scripting HiddenWasp uses a script to automate tasks on the victim's machine and to assist in execution. [1]
Enterprise T1095 Standard Non-Application Layer Protocol HiddenWasp communicates with a simple network protocol over TCP. [1]
Enterprise T1065 Uncommonly Used Port HiddenWasp uses port 61061 to communicate with the C2 server. [1]