Home » Nearly-Impossible-to-Detect Linux Malware Target Financial Sectors | #linux | #linuxsecurity

Nearly-Impossible-to-Detect Linux Malware Target Financial Sectors | #linux | #linuxsecurity

0 comment

As a result of a collaborative effort between BlackBerry Research & Intelligence Team and Intezer Security Researcher, Symbiote was discovered. Unlike most types of Linux malware, Symbiote is a brand new and hard-to-detect form of Linux malware.

Several months ago, Symbiote was discovered by the security team. Malware in general compromises Linux processes and acts as a shared object loader, which enables them to be loaded via LD_PRELOAD by all running processes.

Shared object libraries cause a machine to be compromised in a parasitic manner. After a malware program is profoundly implanted in a system, it allows attackers to install a rootkit function to further enhance their attack capabilities.

Symbiote

There have been several reports of the malware since November 2021, when it was first spotted. The security analysts acknowledge that the malware was designed with the intention of targeting the financial sector in Latin America and specifically targeting –

Here’s what the Blackberry report states:-

“Once the malware has infected a machine, it hides itself and any other malware used by the threat actor, making infections very hard to detect. Performing live forensics on an infected machine may not turn anything up since all the files, processes, and network artifacts are hidden by the malware. In addition to the rootkit capability, the malware provides a backdoor for the threat actor to log in as any user on the machine with a hardcoded password, and to execute commands with the highest privileges.”

“Since it is extremely evasive, a Symbiote infection is likely to “fly under the radar.” In our research, we haven’t found enough evidence to determine whether Symbiote is being used in highly targeted or broad attacks.”

LD_PRELOAD directive can be used to load Symbiote ahead of any other shared objects, so that “hijacked imports” from those other library files can be used in Symbiote.

Files used

Here below we have mentioned all the files used:-

apache2start
apache2stop
profiles.php
404erro.php
javaserverx64
javaclientex64
javanodex86
liblinux.so
java.h
open.h
mpt86.h
sqlsearch.php
indexq.php
mt64.so
certbot.h
cert.h
certbotx64
certbotx86
javautils
search.so

Among the interesting features of Linux malware is the fact that it is stealthy. Pre-loading the malware will enable it to hook specific functions that allow it to hide the fact that it is actually present.

In addition to these files, Symbiote’s network entries are continually scrubbed, and its configuration files are also hidden.

A hook on libc’s read function allows Symbiote to harvest credentials, and a hook on Linux PAM functions allows Symbiote to facilitate remote access.

Other linked servers pose as the Federal Police of Brazil, and Symbiote domain names impersonate major Brazilian banks.

VirusTotal scanned a sample of the malware under the name certbotx64 and uploaded it to their database. As the data submission occurred before the malware’s main infrastructure went live, team members believe this to be the case.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.

Original Source link

Source: Read More

You may also like

Leave a Comment

CyberNonStop

Cybernonstop is created to bring news and knowledge through articles to visitors.

Do not forget to subscribe.

Laest News

@2021 – All Right Reserved. Designed and Developed by PenciDesign