A team of cybersecurity researchers from BlackBerry and Intezer has shared details of a new, “parasitic in nature” Linux malware that they say would be “nearly impossible to detect.”
Aptly named “Symbiote,” the malware provides its operator with rootkit functionality, the ability to harvest credentials, and remote access capability.
“What makes Symbiote different from other Linux malware that we usually come across, is that it needs to infect other running processes to inflict damage on infected machines. Instead of being a standalone executable file that is run to infect a machine, it is a shared object (SO) library that is loaded into all running processes using LD_PRELOAD, and parasitically infects the machine,” the researchers wrote.
First spotted in November 2021, Symbiote appears to have been designed for attacks on the financial sector in Latin America. However, the researchers have not found enough evidence to say whether the malware was used in highly targeted attacks or in widespread ones.
Symbiote leverages several techniques to evade detection, including Berkeley Packet Filter (BPF) hooking to hide its own malicious traffic on the infected machine. It also abuses LD_PRELOAD, a dynamic-linker feature that makes the loader map a listed library before any other shared object, so that its code is loaded into every dynamically linked process launched on the machine.
In addition to hiding its own presence on the infected machine, Symbiote is designed to hide other malicious files that the attackers deploy alongside it.
Symbiote is also capable of concealing its network activity. To do this, it uses three different methods: hooking fopen and fopen64 so that a process reading the kernel's connection tables under /proc/net gets a scrubbed copy, tampering with any BPF packet filter that a capture tool installs so that the malware's own traffic is dropped before the tool sees it, and hooking libpcap functions.
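The fopen hook described above only affects processes that read /proc/net through libc's stdio layer; a read done with the open(2)/read(2) syscalls directly never passes through the hooked function. That gap is a cheap detection check: read /proc/net/tcp both ways from the same process and diff the results. The script below is an added example written for this article, not Symbiote's code and not a tool from the BlackBerry/Intezer report. It uses ctypes to call the real libc fopen/fgets, Python's os.open/os.read for the raw path, and also flags the two usual preload vectors (LD_PRELOAD in a process environment and /etc/ld.so.preload). The two /proc/net/tcp texts are constructed samples; the "hooked" one has a 127.0.0.1:8000 listener scrubbed.

```python
"""Detect fopen-based hiding of /proc/net/tcp entries and LD_PRELOAD indicators.

Added illustration only: not Symbiote's code and not a tool from the
BlackBerry/Intezer report. RAW_SAMPLE and HOOKED_SAMPLE are constructed.
"""
import ctypes
import os
from typing import List, Set, Tuple

Entry = Tuple[str, int, str]  # (local IP, local port, TCP state code, e.g. "0A" = LISTEN)


def parse_proc_net_tcp(text: str) -> Set[Entry]:
    """Parse the text of /proc/net/tcp into {(local_ip, local_port, state)}."""
    entries: Set[Entry] = set()
    for line in text.splitlines()[1:]:          # first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        addr_hex, port_hex = fields[1].split(":")
        # IPv4 addresses are stored as little-endian hex: "0100007F" is 127.0.0.1
        octets = [int(addr_hex[i:i + 2], 16) for i in (6, 4, 2, 0)]
        entries.add((".".join(map(str, octets)), int(port_hex, 16), fields[3]))
    return entries


def read_raw(path: str) -> str:
    """Read a file with open(2)/read(2) only, bypassing libc's stdio layer."""
    fd = os.open(path, os.O_RDONLY)
    chunks = []
    try:
        while True:
            chunk = os.read(fd, 65536)
            if not chunk:
                break
            chunks.append(chunk)
    finally:
        os.close(fd)
    return b"".join(chunks).decode()


def read_via_fopen(path: str) -> str:
    """Read the same file through libc fopen/fgets, the path a preloaded fopen hook intercepts."""
    libc = ctypes.CDLL(None)                     # the process's own symbol namespace
    libc.fopen.restype = ctypes.c_void_p
    libc.fopen.argtypes = [ctypes.c_char_p, ctypes.c_char_p]
    libc.fgets.restype = ctypes.c_char_p
    libc.fgets.argtypes = [ctypes.c_char_p, ctypes.c_int, ctypes.c_void_p]
    libc.fclose.argtypes = [ctypes.c_void_p]
    fp = libc.fopen(path.encode(), b"r")
    if not fp:
        raise OSError(f"fopen({path}) failed")
    buf = ctypes.create_string_buffer(4096)
    lines = []
    try:
        while libc.fgets(buf, len(buf), fp):
            lines.append(buf.value.decode())
    finally:
        libc.fclose(fp)
    return "".join(lines)


def hidden_entries(fopen_view: str, raw_view: str) -> Set[Entry]:
    """Sockets present in the raw-syscall view but missing from the fopen view."""
    return parse_proc_net_tcp(raw_view) - parse_proc_net_tcp(fopen_view)


def preload_indicators(environ: bytes, ld_so_preload: str) -> List[str]:
    """Flag LD_PRELOAD in a process environment (NUL-separated bytes of
    /proc/<pid>/environ) and non-comment entries in /etc/ld.so.preload."""
    hits = [v.decode() for v in environ.split(b"\0") if v.startswith(b"LD_PRELOAD=")]
    for line in ld_so_preload.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            hits.append(f"/etc/ld.so.preload: {line}")
    return hits


# Constructed samples: the raw view shows a listener on 0.0.0.0:22 and one on
# 127.0.0.1:8000 (hex 1F40); the "hooked" view has the second entry scrubbed.
RAW_SAMPLE = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0\n"
    "   1: 0100007F:1F40 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0\n"
)
HOOKED_SAMPLE = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0\n"
)


if __name__ == "__main__":
    print("sample discrepancy:", hidden_entries(HOOKED_SAMPLE, RAW_SAMPLE))
    if os.path.exists("/proc/net/tcp"):          # live check on a Linux host
        live = hidden_entries(read_via_fopen("/proc/net/tcp"), read_raw("/proc/net/tcp"))
        print("live discrepancy:", live or "none")
    env = read_raw("/proc/self/environ").encode() if os.path.exists("/proc/self/environ") else b""
    pre = read_raw("/etc/ld.so.preload") if os.path.exists("/etc/ld.so.preload") else ""
    print("preload indicators for this process:", preload_indicators(env, pre) or "none")
```

Run it as root so /proc/net/tcp shows every socket; any entry that appears only in the raw view means something between the program and the kernel is editing stdio reads of that file. The check is deliberately narrow: it exposes hooks on the fopen path, which is what the article describes, but a rootkit that also hooks the lower-level read functions, or a kernel-mode one, would show identical views. For those cases the robust comparison is the one Intezer recommends: a statically linked tool on the host, or network telemetry collected off the host.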
According to the researchers, the domains used by the malware impersonated some major Brazilian banks, indicating that these financial institutions or their customers could be the potential target.
“Symbiote is a malware that is highly evasive. Its main objective is to capture credentials and to facilitate backdoor access to infected machines. Since the malware operates as a userland level rootkit, detecting an infection may be difficult. Network telemetry can be used to detect anomalous DNS requests and security tools such as antivirus (AVs) and endpoint detection and response (EDRs) should be statically linked to ensure they are not “infected” by userland rootkits,” Intezer concluded.