A recently discovered form of malware that infects Linux systems uses sophisticated techniques to hide itself and steal credentials.
As detailed today by researchers at BlackBerry Ltd., the previously undetectable “Symbiote” malware acts in a parasitic nature in that it needs to infect other running processes to inflict damage on infected machines. Symbiote is not a standalone executable file that is run to infect a machine but a shared object library that is loaded into all running processes to infect the machine.
Once Symbiote has infected all running processes, it provides the attacker with rootkit functionality, the ability to harvest credentials, and remote access to the machine.
Symbiote, first detected in November 2021, was initially written to target the financial sector in Latin America. Upon successful infection, Symbiote hides itself and any other malware deployed, making infections hard to detect. Hard might be an understatement: According to the researchers, performing live forensics on an infected machine may not turn up anything, since all the files, processes and network artifacts are hidden by the malware.
Malware targeting Linux systems is not new, but the stealth techniques used by Symbiote make it stand out. The malware is loaded by the linker via the LD_PRELOAD directive, allowing it to be loaded before any other shared objects. Since it’s loaded first, it can “hijack the imports” from the other library files loaded for the application. Symbiote uses this to hide its presence on the machine.
“Since the malware operates as a userland level rootkit, detecting an infection may be difficult,” researchers conclude. “Network telemetry can be used to detect anomalous DNS requests and security tools such as antivirus and endpoint detection and response should be statically linked to ensure they are not ‘infected’ by userland rootkits.”
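The two paragraphs above describe the mechanism (a shared object injected through LD_PRELOAD, which the loader maps before any other library) and the researchers' mitigation (statically linked security tooling). The script below is an added example written for this article, not code from BlackBerry or from the Symbiote analysis. It implements the defender-side checks a responder would want: parsing `/etc/ld.so.preload` and a process's `/proc/<pid>/environ` for preload entries, and parsing an ELF binary's program headers to confirm a tool really is statically linked (no `PT_INTERP` or `PT_DYNAMIC` header, so there is nothing for a preload library to interpose on). The function and file names are the example's own, and the ELF fixture and environ blob are constructed sample data.

```python
"""Added example: defender-side checks for LD_PRELOAD-based userland rootkits.

Three independent checks, each usable offline on captured data:
  1. parse /etc/ld.so.preload for injected library paths
  2. parse a /proc/<pid>/environ blob for an LD_PRELOAD variable
  3. inspect an ELF image's program headers to confirm a security tool is
     statically linked (no PT_INTERP / PT_DYNAMIC), as the researchers advise
"""
import glob
import struct
from typing import List, Optional

PT_DYNAMIC = 2   # program header types from the ELF specification
PT_INTERP = 3


def preload_entries_from_text(text: str) -> List[str]:
    """Return library paths listed in ld.so.preload-style text.

    The dynamic loader reads the file as whitespace-separated paths; '#' starts
    a comment. Any entry here is loaded into every dynamically linked process.
    """
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.extend(line.split())
    return entries


def preload_from_environ_blob(blob: bytes) -> Optional[str]:
    """Return the LD_PRELOAD value from a NUL-separated environ blob, or None."""
    for item in blob.split(b"\0"):
        if item.startswith(b"LD_PRELOAD="):
            return item[len(b"LD_PRELOAD="):].decode(errors="replace")
    return None


def elf_is_dynamically_linked(data: bytes) -> bool:
    """True if any program header is PT_INTERP or PT_DYNAMIC.

    A statically linked tool has neither, so LD_PRELOAD cannot interpose on
    its libc calls. Handles ELF32 and ELF64 in either byte order.
    """
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    endian = "<" if data[5] == 1 else ">"
    if data[4] == 2:                       # ELFCLASS64: e_phoff @0x20, e_phentsize/e_phnum @0x36
        e_phoff = struct.unpack_from(endian + "Q", data, 0x20)[0]
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 0x36)
    elif data[4] == 1:                     # ELFCLASS32: e_phoff @0x1C, e_phentsize/e_phnum @0x2A
        e_phoff = struct.unpack_from(endian + "I", data, 0x1C)[0]
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 0x2A)
    else:
        raise ValueError("unknown ELF class")
    for i in range(e_phnum):
        # p_type is the first 4-byte field of both Elf32_Phdr and Elf64_Phdr
        p_type = struct.unpack_from(endian + "I", data, e_phoff + i * e_phentsize)[0]
        if p_type in (PT_INTERP, PT_DYNAMIC):
            return True
    return False


def sample_elf64(p_types: List[int]) -> bytes:
    """Constructed fixture: a minimal little-endian x86-64 ELF header followed by
    zeroed program headers of the given types. Not a loadable binary."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8
    header = ident + struct.pack("<HHIQQQIHHHHHH",
                                 2, 0x3E, 1, 0, 64, 0, 0, 64, 56, len(p_types), 64, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 0, 0, 0, 0, 0, 0, 0) for t in p_types)
    return header + phdrs


def scan_live_host() -> List[str]:
    """Best-effort live check; returns analyst-readable findings."""
    findings = []
    try:
        with open("/etc/ld.so.preload") as f:
            for path in preload_entries_from_text(f.read()):
                findings.append(f"/etc/ld.so.preload lists {path}")
    except FileNotFoundError:
        pass
    except PermissionError:
        findings.append("could not read /etc/ld.so.preload (run as root)")
    for environ_path in glob.glob("/proc/[0-9]*/environ"):
        try:
            with open(environ_path, "rb") as f:
                value = preload_from_environ_blob(f.read())
        except (PermissionError, FileNotFoundError, ProcessLookupError):
            continue
        if value:
            findings.append(f"{environ_path}: LD_PRELOAD={value}")
    return findings


if __name__ == "__main__":
    for line in scan_live_host() or ["no LD_PRELOAD indicators found"]:
        print(line)
```

The important caveat is the one the researchers make: this script runs under a dynamically linked Python interpreter, so on a host where a preload rootkit hooks `open`, `readdir` and friends, the file and process listings it sees may already be filtered. Use `elf_is_dynamically_linked` on the EDR or forensic binary you intend to trust, and run the live checks from a statically linked tool or against an offline disk image rather than from the suspect system's own userland.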