What’s Behind Symbiote, This Almost Undetectable New Linux Malware


A joint research effort by different cybersecurity researchers recently led to the discovery of Symbiote, a new form of Linux malware that is “almost impossible” to detect. Late last week, researchers from the BlackBerry Threat Research & Intelligence team, along with Intezer security researcher Joakim Kennedy, published a blog post about the malware – dubbed Symbiote because of its “parasitic nature”.

This team of researchers discovered Symbiote several months ago. It differs from typical Linux malware today, which normally attempts to compromise running processes. Rather than running as a process of its own, Symbiote is a shared object (SO) library that is loaded into every running process via LD_PRELOAD.

The shared object library “parasitically” compromises a target machine, say the researchers. Once its claws are deep in the system, the malware provides attackers with rootkit functionality. The first observed sample of this malware dates from November 2021 and appears to have been developed to target financial institutions in Latin America. However, the novel nature of the malware prevents researchers from knowing whether it was used in targeted or general attacks, if at all.

An aggressive and… stealthy malware

Symbiote has several interesting characteristics. For example, the malware hooks Berkeley Packet Filter (BPF) functionality to hide malicious traffic on an infected machine; BPF hooking is also used by malware developed by the Equation group. “When an administrator launches a packet capture tool on the infected machine, BPF bytecode is injected into the kernel which defines the packets to be captured,” BlackBerry explains. “In this process, Symbiote adds its bytecode first so it can filter network traffic that it doesn’t want the packet capture software to see.”

One of the most impressive elements of this Linux malware is its stealthiness. Because it is preloaded before other shared objects, it can hook specific functions, notably in libc and libpcap, to hide its presence.

Other files associated with Symbiote are also concealed and its network entries are continuously cleaned.
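The LD_PRELOAD loading mechanism and the libc hooking described above leave artefacts a defender can look for. The following script is an added example, not code from the article or from the BlackBerry/Intezer researchers: it parses the three places where preload-based persistence shows up on a Linux host (`/etc/ld.so.preload`, `LD_PRELOAD` in a process's environment, and shared objects mapped from unusual directories in `/proc/<pid>/maps`). The sample file contents, library names and paths embedded below are constructed for the demonstration; the trusted-directory list is an assumption that should be adjusted to the host's layout.

```python
"""Audit a Linux host for LD_PRELOAD-style shared-object injection.

Added example (not from the article). Sample data below is constructed.
"""
import os
import re
from typing import Dict, List

# Directories where legitimately installed shared libraries normally live (assumption;
# tune per distribution). Anything mapped from elsewhere, e.g. /tmp or /dev/shm, is worth a look.
TRUSTED_LIB_PREFIXES = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")


def preload_entries(ld_so_preload_text: str) -> List[str]:
    """Return library paths listed in an ld.so.preload file.

    The dynamic loader accepts whitespace or colons as separators and '#' as a comment.
    On a healthy host this file is usually absent, so any entry deserves review.
    """
    entries: List[str] = []
    for line in ld_so_preload_text.splitlines():
        line = line.split("#", 1)[0]
        entries.extend(p for p in re.split(r"[\s:]+", line) if p)
    return entries


def ld_preload_from_environ(environ_bytes: bytes) -> List[str]:
    """Extract LD_PRELOAD entries from a NUL-separated /proc/<pid>/environ blob."""
    for item in environ_bytes.split(b"\0"):
        if item.startswith(b"LD_PRELOAD="):
            value = item[len(b"LD_PRELOAD="):].decode(errors="replace")
            return [p for p in re.split(r"[\s:]+", value) if p]
    return []


def suspicious_mapped_libs(maps_text: str) -> List[str]:
    """Return shared objects in /proc/<pid>/maps that live outside trusted library dirs."""
    found: List[str] = []
    for line in maps_text.splitlines():
        fields = line.split(None, 5)  # address perms offset dev inode pathname
        if len(fields) < 6:
            continue
        path = fields[5]
        if ".so" in os.path.basename(path) and not path.startswith(TRUSTED_LIB_PREFIXES):
            if path not in found:
                found.append(path)
    return found


# Constructed sample artefacts, shaped like the real files.
SAMPLE_LD_SO_PRELOAD = "/usr/lib/libexample_hooks.so   # constructed sample entry\n"
SAMPLE_ENVIRON = b"PATH=/usr/bin\0LD_PRELOAD=/dev/shm/.x/libhook.so\0HOME=/root\0"
SAMPLE_MAPS = """\
55d0c8a00000-55d0c8a20000 r-xp 00000000 08:01 1001 /usr/bin/sshd
7f3e6a000000-7f3e6a1c0000 r-xp 00000000 08:01 2002 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3e6a200000-7f3e6a210000 r-xp 00000000 08:01 3003 /dev/shm/.x/libhook.so
7ffd1b000000-7ffd1b021000 rw-p 00000000 00:00 0 [stack]
"""


def audit_live_host() -> Dict[str, object]:
    """Run the same checks against the running system (Linux only; assumes /proc is mounted)."""
    report: Dict[str, object] = {"ld_so_preload": [], "env_preload": {}, "odd_libs": {}}
    try:
        with open("/etc/ld.so.preload") as fh:
            report["ld_so_preload"] = preload_entries(fh.read())
    except OSError:
        pass  # file absent: the expected state on a clean host
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/environ", "rb") as fh:
                env = ld_preload_from_environ(fh.read())
            with open(f"/proc/{pid}/maps") as fh:
                libs = suspicious_mapped_libs(fh.read())
        except OSError:
            continue  # process exited, or not readable without privileges
        if env:
            report["env_preload"][pid] = env  # type: ignore[index]
        if libs:
            report["odd_libs"][pid] = libs  # type: ignore[index]
    return report


if __name__ == "__main__":
    print("sample ld.so.preload:", preload_entries(SAMPLE_LD_SO_PRELOAD))
    print("sample environ:", ld_preload_from_environ(SAMPLE_ENVIRON))
    print("sample maps:", suspicious_mapped_libs(SAMPLE_MAPS))
    print("live host:", audit_live_host())
```

One caveat follows directly from the article: a library that hooks libc can lie to any dynamically linked program, including this script, about what `/etc/ld.so.preload` and `/proc` contain. The parsing functions are therefore most trustworthy when fed files copied from a disk image or read by a statically linked tool, and a live-host run is a first look rather than a verdict.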

A new malware

Symbiote is further able to harvest credentials by hooking into the libc read function and facilitates remote access by hooking into Linux Pluggable Authentication Module (PAM) functions.

A sample of the malware was uploaded to Google’s VirusTotal platform, well known to cybersecurity experts, as certbotx64. Since the submissions were made before the main malware infrastructure went live, the research team behind its discovery suspects the uploads may have been made to test antivirus and detection coverage.

“When we first analyzed the samples with Intezer Analyze, only unique code was detected,” they explain. “As no code is shared between Symbiote and Ebury/Windigo or any other known Linux malware, we can confidently conclude that Symbiote is a new, undiscovered Linux malware.”

Source: ZDNet.com