June 14, 2022
The newly discovered Linux malware called Symbiote has been seen infecting all running processes on compromised systems. The malware steals accounts and provides backdoor access to its operators.
Once the malware gets itself into the running processes of the targeted system, it acts as a system-wide parasite, leaving no distinctive sign of infection even under careful in-depth inspection. The malware uses Berkeley Packet Filter (BPF) hooking functionality to filter network packets and hide its communication channels from security tools.
The Malware Is Almost Impossible To Detect
Blackberry and Intezer Labs researchers discovered and analyzed the new threat. Both of the firms worked as a team to find out some details of the new malware before providing a comprehensive report about their findings. According to the researchers, the operators of Symbiote started developing the malware last year.
The researchers stated that Symbiote infects targets differently from typical Linux malware. Instead of being delivered as a normal executable, the malware is a shared object (SO) library that is loaded into running processes via the LD_PRELOAD directive. This gives it load priority over other shared objects, and the researchers say the malware is almost impossible to detect.
Since it is the first library to load, Symbiote is able to hook “libpcap” and “libc” functions and carry out various actions to protect itself and stay hidden for a long time. It can also hide files and hide parasite processes while gathering more information from the infected device.
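The LD_PRELOAD mechanism described above leaves traces a defender can look for: a preloaded library is either listed in /etc/ld.so.preload or named in the LD_PRELOAD variable of a process environment, which Linux exposes as /proc/&lt;pid&gt;/environ. The following script is an added example, not code from the article or the researchers' tooling; the trusted-directory allow-list and the sample inputs used to exercise it are constructed assumptions.

```python
"""Spot LD_PRELOAD-style library injection on a Linux host.

Added example, not part of the original article or the researchers' tooling.
It checks the two places a preloaded shared object is normally declared:
/etc/ld.so.preload and the LD_PRELOAD variable in each process's environment
(/proc/<pid>/environ). The path allow-list below is a constructed assumption.
"""
import os
import re

# Assumption: system libraries normally live under these prefixes; a preload
# pointing anywhere else (e.g. /tmp, /dev/shm, a home directory) is suspicious.
TRUSTED_PREFIXES = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")


def parse_ld_so_preload(text: str) -> list[str]:
    """Return the library paths listed in /etc/ld.so.preload.

    The loader accepts one or more paths per line, separated by whitespace
    or colons; '#' starts a comment.
    """
    paths = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        paths.extend(p for p in re.split(r"[\s:]+", line) if p)
    return paths


def parse_environ(raw: bytes) -> list[str]:
    """Extract LD_PRELOAD entries from a NUL-separated /proc/<pid>/environ blob."""
    for entry in raw.split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            value = entry[len(b"LD_PRELOAD="):].decode(errors="replace")
            return [p for p in re.split(r"[\s:]+", value) if p]
    return []


def classify(paths: list[str]) -> list[tuple[str, str]]:
    """Label each preload path 'trusted' or 'suspicious' by where it lives."""
    return [
        (p, "trusted" if p.startswith(TRUSTED_PREFIXES) else "suspicious")
        for p in paths
    ]


def scan_live_host() -> list[tuple[str, str, str]]:
    """Walk /etc/ld.so.preload and /proc/*/environ on the running system.

    Returns (source, path, verdict) triples. Needs Linux and, to read other
    users' process environments, root. Python itself is dynamically linked,
    so a rootkit hooking libc could in principle hide from this scan; the
    article's advice to use statically linked tools applies here as well.
    """
    findings = []
    try:
        with open("/etc/ld.so.preload") as f:
            for p, verdict in classify(parse_ld_so_preload(f.read())):
                findings.append(("/etc/ld.so.preload", p, verdict))
    except FileNotFoundError:
        pass  # an absent file is the normal, clean state
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/environ", "rb") as f:
                raw = f.read()
        except OSError:
            continue  # process exited or permission denied
        for p, verdict in classify(parse_environ(raw)):
            findings.append((f"pid {pid}", p, verdict))
    return findings


if __name__ == "__main__":
    for source, path, verdict in scan_live_host():
        print(f"{verdict:10s} {source:20s} {path}")
```

A preload entry pointing at a world-writable directory is the strongest signal; an entry under a system library directory still deserves a look at the file's package ownership and modification time, since nothing stops an attacker from dropping a library there if they already have root.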
A report about the activities of the malware noted that, after injecting itself into processes, the malware can choose which results those processes display.
Once an administrator starts a packet capture to examine suspicious network traffic on an infected machine, the malware can inject itself into the processes of the inspection software. Symbiote can use BPF hooking to filter out the results that would have exposed it. The malware, according to the researchers, is designed to be very hard for security software to find. This allows it to stay inside the system for a very long time without being discovered while carrying out its invasive activities.
Hackers Use Symbiote for Automated Credential Harvesting
The researchers also noted that Symbiote hides its malicious network activity on the affected device by scrubbing the connection entries it wants to hide before performing packet filtering through BPF. It also drops UDP traffic to the domain names on its list.
The new malware is mainly used for automated credential harvesting from compromised Linux devices by hooking the “libc read” function.
Targeting Linux servers, especially those in high-value networks, matters because stolen account credentials open the way to unrestricted access to the entire system as well as unobstructed lateral movement.
Symbiote is also very effective at giving remote operators SSH access to the machine through the PAM service. It also offers a way for the attackers to gain root privileges on the device.
The Malware Targets Entities In The Financial Sector
The researchers also stated that the malware targets companies within the financial sector, especially in Latin America. The hackers have used the malware to impersonate Brazil’s federal police and the country’s banks.
Additionally, detecting infection by this malware is usually very difficult since it operates as a user-land level rootkit, the researchers added.
This makes it a very potent and dangerous piece of malware. Symbiote is also newly developed, which means no exhaustive research has been carried out on it yet. As a result, it could have features that have not been discovered yet, or the operators could update it with more attack capabilities in the future.
The researchers have recommended some security measures that can help companies avoid exposing their devices to the malware. Network telemetry can be used to detect anomalous DNS requests, and security tools such as EDRs and AVs should be statically linked to make sure they are not infected by userland rootkits.
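The recommendation to statically link security tools is checkable on disk: a statically linked ELF binary has no PT_INTERP (program interpreter) or PT_DYNAMIC program header, so the dynamic loader never runs for it and neither LD_PRELOAD nor /etc/ld.so.preload can inject anything into it. The parser below is an added example, not code from the article or the researchers; `build_minimal_elf` produces header-only ELF images as constructed test fixtures, not real binaries.

```python
"""Check whether a Linux ELF binary is statically linked.

Added example, not part of the article or the researchers' tooling. Reads
only the ELF header and program headers (ELF32 and ELF64, either byte
order) and reports whether a dynamic loader would be involved at run time.
"""
import struct

PT_DYNAMIC = 2   # dynamic linking information
PT_INTERP = 3    # path of the program interpreter (ld.so)


def program_header_types(data: bytes) -> list[int]:
    """Return the p_type value of every program header in an ELF image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2              # EI_CLASS: 1 = ELF32, 2 = ELF64
    endian = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little, 2 = big
    if is64:
        # ELF64: e_phoff at offset 32 (8 bytes), e_phentsize/e_phnum at 54
        phoff = struct.unpack_from(endian + "Q", data, 32)[0]
        phentsize, phnum = struct.unpack_from(endian + "HH", data, 54)
    else:
        # ELF32: e_phoff at offset 28 (4 bytes), e_phentsize/e_phnum at 42
        phoff = struct.unpack_from(endian + "I", data, 28)[0]
        phentsize, phnum = struct.unpack_from(endian + "HH", data, 42)
    # p_type is the first 4-byte field of every program header
    return [
        struct.unpack_from(endian + "I", data, phoff + i * phentsize)[0]
        for i in range(phnum)
    ]


def is_statically_linked(data: bytes) -> bool:
    """True when no interpreter or dynamic section is requested."""
    types = program_header_types(data)
    return PT_INTERP not in types and PT_DYNAMIC not in types


def check_file(path: str) -> bool:
    """Convenience wrapper for an on-disk binary (e.g. an EDR agent)."""
    with open(path, "rb") as f:
        return is_statically_linked(f.read())


def build_minimal_elf(ptypes: list[int], is64: bool = True) -> bytes:
    """Construct a header-only little-endian ELF image (test fixture only).

    The program headers carry just the requested p_type values; there are no
    sections or code, so the result is not loadable, only parseable.
    """
    if is64:
        ehsize, phentsize = 64, 56
        ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8
        header = ident + struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0,
                                     ehsize, 0, 0, ehsize, phentsize,
                                     len(ptypes), 0, 0, 0)
        phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 0, 0, 0, 0, 0, 0, 0)
                         for t in ptypes)
    else:
        ehsize, phentsize = 52, 32
        ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\0" * 8
        header = ident + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0,
                                     ehsize, 0, 0, ehsize, phentsize,
                                     len(ptypes), 0, 0, 0)
        phdrs = b"".join(struct.pack("<IIIIIIII", t, 0, 0, 0, 0, 0, 0, 0)
                         for t in ptypes)
    return header + phdrs


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        print("static " if check_file(path) else "dynamic", path)
```

Run it over the agent binaries you rely on (`python3 elfcheck.py /path/to/edr-agent`); the same answer can be cross-checked with `ldd`, which reports "not a dynamic executable" for static binaries. A static tool still runs on a compromised host, so this closes only the LD_PRELOAD injection path the article describes, not a kernel-level compromise.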
As more corporate networks adopt Linux, such highly evasive and advanced threats against these organizations are likely to increase significantly. A similar backdoor known as BPFDoor was recently discovered using BPF to monitor network traffic on compromised systems. The researchers have stated that more of these attacks could come and that organizations should devise more effective means of protecting their systems.