Researchers have found a new malware targeting Linux systems with a parasitic effect. Identified as “Symbiote,” this new malware infects Linux processes to provide rootkit functionality to the attackers.
About Symbiote Linux Malware
In a joint analysis, the BlackBerry Threat Research & Intelligence team and Intezer have shared insights about the newly discovered Linux malware. The researchers named it “Symbiote” because it behaves symbiotically (or rather parasitically) on Linux systems.
Briefly, unlike other malware that aggressively kills system processes, Symbiote loads into all processes as a shared object (SO) library and uses those processes to do its work. It then steals credentials from the system and gives the attackers remote access.
It is also extremely stealthy: it uses Berkeley Packet Filter (BPF) hooking to hide its malicious network traffic.
When an administrator starts any packet capture tool on the infected machine, BPF bytecode that defines which packets should be captured is injected into the kernel. Symbiote adds its own bytecode first, so it can filter out the network traffic it doesn’t want the packet-capturing software to see.
The malware also abuses the LD_PRELOAD mechanism to load before other shared objects. That is how it hijacks other library imports and evades detection. The following chart illustrates the evasion techniques that Symbiote applies during infections.
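One practical check for the LD_PRELOAD technique described above, as an added example (not code from the BlackBerry/Intezer report): it parses /proc/<pid>/maps and /proc/<pid>/environ, flags shared objects mapped from outside the usual library directories, and reports any LD_PRELOAD variable or /etc/ld.so.preload entry. TRUSTED_DIRS and the sample paths are assumptions. Because a preloaded hook can also lie to this script's own libc calls, run it from rescue media or a statically linked interpreter when you suspect an infection.

```python
from pathlib import Path
# Directories a distribution normally loads .so files from (an assumption; extend for your image).
TRUSTED_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")

# Constructed samples in /proc/<pid>/maps and /proc/<pid>/environ format.
SAMPLE_MAPS = """\
7ff0000-7ff1000 r-xp 00000000 08:01 1234 /usr/lib/x86_64-linux-gnu/libc.so.6
7ff1000-7ff2000 r-xp 00000000 08:01 1235 /tmp/constructed_example.so
7ff2000-7ff3000 rw-p 00000000 00:00 0
7ff3000-7ff4000 r-xp 00000000 08:01 1236 /lib64/ld-linux-x86-64.so.2
"""
SAMPLE_ENVIRON = b"PATH=/usr/bin\0LD_PRELOAD=/tmp/constructed_example.so\0HOME=/root\0"

def suspicious_objects(maps_text):
    """Return .so paths mapped from outside TRUSTED_DIRS."""
    found = set()
    for line in maps_text.splitlines():
        fields = line.split(None, 5)  # addr perms offset dev inode path
        if len(fields) < 6:
            continue  # anonymous mapping, no backing file
        path = fields[5]
        if path.startswith("/") and ".so" in path and not path.startswith(TRUSTED_DIRS):
            found.add(path)
    return found

def preload_vars(environ_bytes):
    """Return the objects named by LD_PRELOAD in a NUL-separated environ blob."""
    for entry in environ_bytes.split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            value = entry[len(b"LD_PRELOAD="):].decode("utf-8", "replace")
            return [p for p in value.replace(":", " ").split() if p]
    return []

def scan_proc(proc="/proc"):
    """Walk a live /proc tree; map PID -> sorted findings for that process."""
    report = {}
    for pid_dir in Path(proc).iterdir():
        if not pid_dir.name.isdigit():
            continue
        try:
            hits = suspicious_objects((pid_dir / "maps").read_text())
            hits |= set(preload_vars((pid_dir / "environ").read_bytes()))
        except OSError:  # process exited, or unreadable without root
            continue
        if hits:
            report[int(pid_dir.name)] = sorted(hits)
    return report

if __name__ == "__main__":
    preload_file = Path("/etc/ld.so.preload")  # system-wide preload list
    if preload_file.is_file():
        print("/etc/ld.so.preload:", preload_file.read_text().split())
    for pid, hits in sorted(scan_proc().items()):
        print(pid, hits)
```

A hit in nearly every process from one untrusted path matches the "loads on all processes" behaviour the report describes and is worth triaging before anything else.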
Although the researchers have only recently shared details, the malware isn’t entirely new: it has been active in the wild, with its first samples dating back to November 2021. According to the researchers, the threat actors used it to target financial institutions in Latin America.
The researchers found that its code does not resemble any known Linux malware, confirming that it is a previously unknown family. However, it does bear slight similarities to the Ebury malware discovered in 2014, which likewise serves the attackers as a backdoor and credential harvester.