
WaterDrop Malware

WaterDrop is one of several recently discovered malicious binaries used in attacks against Linux systems. The family was first identified by researchers at AT&T's Alien Labs, whose analysis showed that every sample in the cluster is built on Prism, an open-source backdoor, with modifications the attackers introduced gradually over time.

WaterDrop's capabilities are surprisingly basic, and it lacks any meaningful anti-detection or obfuscation techniques. The researchers note that it contains several easily identifiable characteristics, and it communicates with its Command-and-Control (C2, C&C) infrastructure over plain-text HTTP, so its traffic is readable on the wire. Judging by how long the campaign has stayed effective, few people would have guessed that this is the case.
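Unencrypted, periodic C2 traffic like this is exactly what a simple beacon check on proxy or flow logs can surface. The following is an added example, not code from the original page or from the Alien Labs analysis: it parses a constructed log (the domain, hosts and timing are invented; WaterDrop's real indicators are not given here) and flags source/destination pairs that talk over plain HTTP at near-constant intervals. The log format and thresholds are assumptions.

```python
"""Beacon-periodicity check over constructed proxy log lines.

Assumed input format (constructed for this example; not WaterDrop's
real traffic, whose indicators are not given on the page):
    <epoch seconds> <src ip> <method> <url>
"""
import re
import statistics
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample log: one host beaconing every ~60 s over plain HTTP
# to an invented domain, mixed with ordinary browsing noise.
SAMPLE_LOG = """\
1629000000 10.0.0.5 GET http://c2.example.net/check
1629000003 10.0.0.5 GET https://www.example.com/
1629000060 10.0.0.5 GET http://c2.example.net/check
1629000071 10.0.0.9 GET http://cdn.example.org/lib.js
1629000120 10.0.0.5 GET http://c2.example.net/check
1629000181 10.0.0.5 GET http://c2.example.net/check
1629000200 10.0.0.9 GET http://cdn.example.org/app.js
1629000240 10.0.0.5 GET http://c2.example.net/check
1629000250 10.0.0.9 GET https://www.example.com/search?q=x
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Yield (timestamp, src, scheme, host) tuples; skip malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, _method, url = m.groups()
        u = urlparse(url)
        if not u.hostname:
            continue
        yield int(ts), src, u.scheme, u.hostname.lower()


def find_beacons(text, min_hits=4, max_jitter_ratio=0.1):
    """Flag (src, host) pairs talking over plain HTTP at near-constant intervals.

    Returns {(src, host): mean_interval_seconds} for every pair with at least
    `min_hits` requests whose inter-request intervals have a population
    standard deviation below `max_jitter_ratio` * mean. Thresholds are
    illustrative assumptions, not values from the WaterDrop analysis.
    """
    times = defaultdict(list)
    for ts, src, scheme, host in parse_log(text):
        if scheme == "http":  # cleartext only; TLS traffic is not inspected here
            times[(src, host)].append(ts)

    flagged = {}
    for key, ts_list in times.items():
        if len(ts_list) < min_hits:
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps)
        if mean > 0 and jitter <= max_jitter_ratio * mean:
            flagged[key] = mean
    return flagged


if __name__ == "__main__":
    for (src, host), period in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {host}: plain-HTTP beacon every ~{period:.0f}s")
```

On the constructed sample only the 10.0.0.5 to c2.example.net pair is reported; the CDN host has too few hits and the HTTPS requests are ignored. On real logs, pair this with an allowlist of known update and telemetry endpoints, which also beacon regularly, to keep the false-positive rate manageable.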

The domain associated with the WaterDrop campaign was registered on August 18, 2017, and nearly four years later it is still online and operational. Despite this prolonged use, WaterDrop has maintained a near-zero detection score, meaning it has flown under the radar for years without being noticed. The most plausible explanation is that the operators kept the campaign at an extremely small scale, limiting the number of samples and sightings available to defenders.

The cybercriminals behind WaterDrop and its related malware family have been updating their toolkit slowly and are expected to continue their activities.
