A newly discovered Linux malware known as Symbiote infects all running processes on compromised systems, steals account credentials, and gives its operators backdoor access.
The malware injects itself into all running processes and acts as a system-wide parasite, leaving no identifiable signs of infection even during meticulous in-depth inspections.
Symbiote uses the BPF (Berkeley Packet Filter) hooking functionality to sniff network data packets and to hide its own communication channels from security tools.
Researchers at BlackBerry and Intezer Labs discovered the threat; according to them, Symbiote has been under active development since last year.
Symbiote is a shared object (SO) library that gets loaded into running processes using the LD_PRELOAD directive to gain priority against other SOs.
By being the first to load, Symbiote can hook the “libc” and “libpcap” functions and perform various actions to conceal its presence, like hiding parasitic processes, hiding files deployed with the malware, and more.
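Because an LD_PRELOAD library has to be named in /etc/ld.so.preload (or the environment) and ends up mapped into every process it hooks, a defender can look for it in those two places. The following is an added example, not code from the BlackBerry/Intezer report: it parses /etc/ld.so.preload and /proc/<pid>/maps text and flags any mapped shared object that was preloaded or lives outside the usual library directories. The trusted-directory list and the sample maps excerpt are constructed assumptions.

```python
"""Defender-side check for LD_PRELOAD-style userland rootkits.

Added example (not from the Symbiote report). It inspects the two places a
preloaded shared object has to appear on a Linux host: /etc/ld.so.preload
and the memory map of each process (/proc/<pid>/maps). Any mapped .so that
matches a preload entry, or that is not under a standard library directory,
is reported.
"""
import os
import re
from typing import Dict, List

# Directories where legitimate shared objects normally live
# (assumption: adjust for your distribution).
TRUSTED_LIB_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64", "/usr/local/lib")

# One /proc/<pid>/maps line: address perms offset dev inode path
_MAPS_LINE = re.compile(r"^\S+\s+\S+\s+\S+\s+\S+\s+\d+\s+(?P<path>/\S*\.so\S*)$")


def parse_preload(text: str) -> List[str]:
    """Return the entries of an /etc/ld.so.preload file
    (one path per line; '#' comments and blank lines ignored)."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.append(line)
    return entries


def mapped_objects(maps_text: str) -> List[str]:
    """Return the distinct shared-object paths mapped in one process."""
    seen: List[str] = []
    for line in maps_text.splitlines():
        m = _MAPS_LINE.match(line)
        if m and m.group("path") not in seen:
            seen.append(m.group("path"))
    return seen


def suspicious_objects(maps_text: str, preload_entries: List[str]) -> List[str]:
    """Flag mapped objects that were preloaded or live outside trusted dirs."""
    flagged = []
    for path in mapped_objects(maps_text):
        in_trusted = any(path.startswith(d + "/") for d in TRUSTED_LIB_DIRS)
        if path in preload_entries or not in_trusted:
            flagged.append(path)
    return flagged


def scan_live_system() -> Dict[int, List[str]]:
    """Walk /proc and return {pid: [flagged objects]} for the running host.
    This scan itself links against libc, so a rootkit hooking libc's file
    and directory reads can hide from it; run it from statically linked
    tooling or a trusted boot medium for a reliable answer."""
    try:
        with open("/etc/ld.so.preload") as f:
            preload = parse_preload(f.read())
    except OSError:
        preload = []
    results: Dict[int, List[str]] = {}
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            with open(f"/proc/{name}/maps") as f:
                flagged = suspicious_objects(f.read(), preload)
        except OSError:
            continue  # process exited or is not readable
        if flagged:
            results[int(name)] = flagged
    return results


# Constructed sample input: a maps excerpt with one object outside the
# trusted directories and one named in a constructed preload file.
SAMPLE_MAPS = """\
55d3c2a00000-55d3c2a01000 r--p 00000000 fd:01 1311 /usr/bin/sleep
7f2b1c200000-7f2b1c222000 r--p 00000000 fd:01 2048 /usr/lib/x86_64-linux-gnu/libc.so.6
7f2b1c222000-7f2b1c39a000 r-xp 00022000 fd:01 2048 /usr/lib/x86_64-linux-gnu/libc.so.6
7f2b1c400000-7f2b1c410000 r-xp 00000000 fd:01 9001 /usr/local/lib/sample_preload.so
7f2b1c500000-7f2b1c520000 r-xp 00000000 fd:01 9002 /tmp/.hidden/example_object.so
"""
SAMPLE_PRELOAD = "# constructed example\n/usr/local/lib/sample_preload.so\n"

if __name__ == "__main__":
    print(suspicious_objects(SAMPLE_MAPS, parse_preload(SAMPLE_PRELOAD)))
```

The pure functions take file text so they can be run against maps and preload files copied off a suspect host; `scan_live_system()` wraps them for in-place use, with the caveat in its docstring that an interpreter using the hooked libc may be shown a scrubbed view.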
When it injects itself into processes, the malware can choose which results it displays. If an administrator starts a packet capture on the infected machine to investigate some suspicious network traffic, Symbiote will inject itself into the inspection software’s process and use BPF hooking to filter out results that would reveal its activity.
In order to avoid being detected, Symbiote scrubs connection entries it wants to hide, performs packet filtering via BPF, and removes UDP traffic to domain names in its list.
This new malware is primarily used for automated credential harvesting from hacked Linux devices by hooking the “libc read” function.
Symbiote also gives its operators remote SSH access to the machine via the PAM service, and it provides a way for the threat actor to gain root privileges on the system.
The malware mainly targets entities in the financial sector in Latin America, impersonating Brazilian banks, the country's Federal Police, and others.
It is difficult to detect an infection because the malware operates as a user-land rootkit. Network telemetry can be used to detect anomalous DNS requests, and security tools such as antivirus (AV) and EDR agents should be statically linked so that a user-land rootkit cannot be preloaded into them.
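Since the host itself cannot be trusted to report the malware's traffic, the network-side DNS telemetry mentioned above is the more reliable vantage point. The following is an added example, not code from the report: it runs two generic heuristics over a constructed DNS query log, flagging labels that look like encoded data (long or high-entropy) and clients that query many distinct subdomains under one parent domain. The log format, the thresholds and the sample lines are all assumptions to be tuned per environment.

```python
"""Flag anomalous DNS queries in a DNS query log.

Added example (not from the Symbiote report). Two generic heuristics are
applied: labels that look like encoded payload (long or high Shannon
entropy) and a client sending many distinct subdomains under one parent
domain. Thresholds and the log format are assumptions.
"""
import math
from collections import defaultdict
from typing import Dict, List, Set, Tuple

MAX_LABEL_LEN = 30          # assumption: longer labels are suspicious
MIN_LABEL_ENTROPY = 3.5     # assumption: bits per character
MAX_UNIQUE_SUBDOMAINS = 5   # assumption: per client, per parent domain


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text: str) -> List[Tuple[str, str]]:
    """Constructed format: '<timestamp> <client_ip> <qname> <qtype>' per line.
    Returns (client_ip, normalised qname) pairs."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            rows.append((parts[1], parts[2].rstrip(".").lower()))
    return rows


def parent_domain(qname: str) -> str:
    """Last two labels of the name (good enough for this example)."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def has_encoded_label(qname: str) -> bool:
    """True if any label below the parent domain looks like encoded data."""
    for label in qname.split(".")[:-2]:
        if len(label) > MAX_LABEL_LEN or shannon_entropy(label) >= MIN_LABEL_ENTROPY:
            return True
    return False


def analyze(text: str) -> Dict[str, List[str]]:
    """Return {client_ip: [reasons]} for clients with anomalous queries."""
    findings: Dict[str, List[str]] = defaultdict(list)
    subdomains: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for client, qname in parse_log(text):
        if has_encoded_label(qname):
            findings[client].append(f"encoded-looking label in {qname}")
        subdomains[(client, parent_domain(qname))].add(qname)
    for (client, parent), names in subdomains.items():
        if len(names) > MAX_UNIQUE_SUBDOMAINS:
            findings[client].append(f"{len(names)} distinct subdomains of {parent}")
    return dict(findings)


# Constructed sample log: one client with ordinary lookups, one client
# sending hex-looking labels under a single parent domain.
SAMPLE_LOG = """\
2024-01-01T00:00:00Z 10.0.0.5 www.example.com A
2024-01-01T00:00:01Z 10.0.0.5 mail.example.com MX
2024-01-01T00:00:02Z 10.0.0.9 0123456789abcdef.example.net A
2024-01-01T00:00:03Z 10.0.0.9 fedcba9876543210.example.net A
2024-01-01T00:00:04Z 10.0.0.9 13579bdf02468ace.example.net A
2024-01-01T00:00:05Z 10.0.0.9 a1b2c3d4e5f67890.example.net A
2024-01-01T00:00:06Z 10.0.0.9 0f1e2d3c4b5a6978.example.net A
2024-01-01T00:00:07Z 10.0.0.9 8a9b0c1d2e3f4567.example.net A
"""

if __name__ == "__main__":
    for client, reasons in analyze(SAMPLE_LOG).items():
        print(client)
        for reason in reasons:
            print("  -", reason)
```

Both heuristics produce false positives on CDN and certificate-transparency style names, so in practice the output is a triage list to correlate with the host-side checks rather than a verdict.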