Information Security Experts Told About The Linux Malware Symbiote That Is Almost Undetectable

BlackBerry and Intezer specialists spoke about the new Symbiote Linux malware that infects all running processes on compromised systems, steals credentials and provides backdoor access to its operators.

Let me remind you that we also said that Google Offers up to $91,000 for Linux Kernel Vulnerabilities, and also that Experts list 15 most attacked Linux vulnerabilities.

Infiltrating all running processes, the malware acts as a system-wide parasite, leaving no noticeable signs of infection, so it is difficult to detect Symbiote even with careful and in-depth study.

Linux malware Symbiote

The development of Symbiote is believed to have started in November 2021, after which the attackers mainly used the malware to attack the financial sector in Latin America, including banks such as Banco do Brasil and Caixa.

The main goal of Symbiote is to obtain credentials and facilitate backdoor access to the victim’s machine. What makes Symbiote different from other Linux malware is that it infects running processes rather than using a single executable to do damage.experts write.

Instead of a regular executable file, Symbiote is a shared object (SO) library that is loaded into running processes using the LD_PRELOAD function so that the dynamic linker will load malware into all running processes and infect the host. This approach was previously used by other malware, including Pro-Ocean and Facefish. Also, these actions help the malware get priority over other SOs.

Thus, with the help of the libc and libpcap functions, Symbiote can perform various actions to hide its presence in the system. For example, hide parasitic processes, hide files deployed with malware, and so on.

In addition to hiding its presence in the file system, Symbiote is also able to hide its network traffic using the Berkeley Packet Filter (BPF). This is done by injecting malware into the process and using BPF to filter the results that reveal its activity.

If an administrator runs a packet capture on an infected machine to examine suspicious network traffic, Symbiote will inject itself into the analytics software process and use BPF to filter the results that could help identify its activity.experts say.

According to the researchers, Symbiote is now mainly used to automatically collect credentials from hacked devices (via libc read). The fact is that the theft of administrator credentials opens the way for attackers to unhindered lateral movement and gives unrestricted access to the entire system.

In addition, Symbiote provides its operators with remote SHH access to the infected machine via PAM, which allows attackers to gain root privileges.

Linux malware Symbiote

Because the malware works like a rootkit at the user-land level, it can be difficult to detect an infection. Network telemetry can be used to detect anomalous DNS queries, and security tools such as AV and EDR must be statically linked to ensure they are not “infected” with a rootkit.the researchers conclude.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advices and tips on GridinSoft's products. He's available 24/7 to assist you in any question regarding internet security.

Leave a comment

Your email address will not be published. Required fields are marked *