A joint research effort has led to the discovery of Symbiote, a new form of Linux malware that is “almost impossible” to detect.
On Thursday, researchers from BlackBerry Threat Research & Intelligence team, together with Intezer security researcher Joakim Kennedy, published a blog post on the malware – dubbed Symbiote because of its “parasitic nature.”
The team discovered Symbiote several months ago. Symbiote differs from today’s typical Linux malware, which normally will attempt to compromise running processes, and instead acts as a shared object (SO) library that is loaded on all running processes via LD_PRELOAD.
The shared object library “parasitically” compromises a target machine, the researchers say, and once its claws are deeply embedded in the system, the malware provides attackers with rootkit functionality.
The first sample dates from November 2021 and appears to have been developed to target financial institutions in Latin America. However, as the malware is new and very evasive, the researchers aren’t sure if Symbiote is being used in targeted or broad attacks, if at all.
Symbiote has several interesting features. For example, the malware uses Berkeley Packet Filter (BPF) hooking, a function designed to hide malicious traffic on an infected machine. BPF is also used by malware developed by the Equation Group.
“When an administrator starts any packet capture tool on the infected machine, BPF bytecode is injected into the kernel that defines which packets should be captured,” BlackBerry explained. “In this process, Symbiote adds its bytecode first so it can filter out network traffic that it doesn’t want the packet-capturing software to see.”
One of the most impressive elements of the Linux malware is stealth. The malware is pre-loaded before other shared objects, allowing it to hook specific functions – including libc and libpcap – to hide its presence. Other files associated with Symbiote are also concealed and its network entries are continually scrubbed.
Furthermore, Symbiote is able to harvest credentials by hooking the libc read function and facilitates remote access by hooking Linux Pluggable Authentication Module (PAM) functions.
Domain names associated with Symbiote impersonate major Brazilian banks, and another linked server masqueraded as the Federal Police of Brazil.
A sample of the malware was uploaded to VirusTotal under the name certbotx64. The team suspects that as submissions were made prior to the malware’s main infrastructure going online, the uploads might have been for antivirus and detection-testing purposes.
“When we first analyzed the samples with Intezer Analyze, only unique code was detected,” the researchers say. “As no code is shared between Symbiote and Ebury/Windigo or any other known [Linux] malware, we can confidently conclude that Symbiote is a new, undiscovered Linux malware.”
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0