Cybersecurity researchers have taken the wraps off what they call a "nearly-impossible-to-detect" Linux malware that could be weaponized to backdoor infected systems.
Dubbed Symbiote by threat intelligence firms BlackBerry and Intezer, the stealthy malware is so named for its ability to conceal itself within running processes and network traffic and drain a victim's resources like a parasite.
The operators behind Symbiote are believed to have started development on the malware in November 2021, with the threat actor predominantly using it to target the financial sector in Latin America, including banks like Banco do Brasil and Caixa.
"Symbiote's main objective is to capture credentials and to facilitate backdoor access to a victim's machine," researchers Joakim Kennedy and Ismael Valenzuela said in a report shared with The Hacker News. "What makes Symbiote different from other Linux malware is that it infects running processes rather than using a standalone executable file to inflict damage."
It achieves this by leveraging a native Linux feature called LD_PRELOAD, a technique previously employed by malware such as Pro-Ocean and Facefish, so as to be loaded by the dynamic linker into all running processes and infect the host.
Besides hiding its presence on the file system, Symbiote is also capable of cloaking its network traffic by making use of the extended Berkeley Packet Filter (eBPF) feature. This is carried out by injecting itself into an inspection tool's process and using BPF to filter out results that would uncover its activity.
Upon hijacking all running processes, Symbiote enables rootkit functionality to further hide evidence of its presence and provides a backdoor for the threat actor to log in to the machine and execute privileged commands. It has also been observed storing captured credentials encrypted in files masquerading as C header files.
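The LD_PRELOAD mechanism described above leaves two artefacts a defender can look for: entries in /etc/ld.so.preload (read by the dynamic linker for every new process) and an LD_PRELOAD variable in a process's environment, visible in /proc/<pid>/environ. The script below is an added example written for this article, not code from the BlackBerry/Intezer report; the allowlist, the library paths and the sample environ blobs are all constructed, and any object not on the allowlist is reported as a finding.

```python
import os
from typing import Dict, List

# Objects a site has deliberately preloaded (hypothetical allowlist for this example).
ALLOWED_PRELOADS = {"/usr/lib/libjemalloc.so.2"}


def parse_ld_so_preload(text: str) -> List[str]:
    """/etc/ld.so.preload is a whitespace-separated list of shared objects.
    Lines starting with '#' are treated as comments by this parser."""
    libs: List[str] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        libs.extend(line.split())
    return libs


def parse_environ(blob: bytes) -> Dict[str, str]:
    """/proc/<pid>/environ is a NUL-separated sequence of KEY=VALUE pairs."""
    env: Dict[str, str] = {}
    for item in blob.split(b"\x00"):
        if b"=" in item:
            key, _, value = item.partition(b"=")
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def preload_findings(preload_text: str, environs: Dict[int, bytes]) -> List[str]:
    """Report every preloaded object that is not on the allowlist."""
    findings: List[str] = []
    for lib in parse_ld_so_preload(preload_text):
        if lib not in ALLOWED_PRELOADS:
            findings.append(f"ld.so.preload: unexpected object {lib}")
    for pid, blob in environs.items():
        value = parse_environ(blob).get("LD_PRELOAD")
        if not value:
            continue
        # LD_PRELOAD accepts colon- or space-separated entries.
        for lib in value.replace(":", " ").split():
            if lib not in ALLOWED_PRELOADS:
                findings.append(f"pid {pid}: LD_PRELOAD references {lib}")
    return findings


def scan_live_system() -> List[str]:
    """Run the same check against the real /etc/ld.so.preload and /proc."""
    try:
        with open("/etc/ld.so.preload") as f:
            preload_text = f.read()
    except FileNotFoundError:
        preload_text = ""
    environs: Dict[int, bytes] = {}
    for entry in os.listdir("/proc"):
        if entry.isdigit():
            try:
                with open(f"/proc/{entry}/environ", "rb") as f:
                    environs[int(entry)] = f.read()
            except OSError:  # process exited or not readable at this privilege
                continue
    return preload_findings(preload_text, environs)


# Constructed sample input (not taken from the report): one allowed object, one unknown one.
SAMPLE_PRELOAD = "# site default\n/usr/lib/libjemalloc.so.2\n/tmp/.x/libhook.so\n"
SAMPLE_ENVIRONS = {
    101: b"PATH=/usr/bin\x00LD_PRELOAD=/tmp/.x/libhook.so\x00HOME=/root\x00",
    102: b"PATH=/usr/bin\x00HOME=/home/svc\x00",
}

if __name__ == "__main__":
    for line in preload_findings(SAMPLE_PRELOAD, SAMPLE_ENVIRONS):
        print(line)
    if os.path.isdir("/proc"):
        for line in scan_live_system():
            print("live:", line)
```

The caveat is the one the article itself makes: a userland rootkit loaded into the process doing the reading can hook the libc calls behind open() and readdir() and hide its own entries, so a result of "no findings" from a dynamically linked interpreter is weak evidence. Running the check from a statically linked tool, or against a disk image mounted on a clean host, avoids that blind spot.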
This isn't the first time malware with similar capabilities has been spotted in the wild. In February 2014, ESET revealed a Linux backdoor called Ebury that is built to steal OpenSSH credentials and maintain access to a compromised server.
"Since the malware operates as a user-land level rootkit, detecting an infection may be difficult," the researchers concluded. "Network telemetry can be used to detect anomalous DNS requests and security tools such as AVs and EDRs should be statically linked to ensure they are not 'infected' by userland rootkits."
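The advice to keep security tools statically linked is checkable from the ELF program headers: a binary that carries a PT_INTERP header asks the kernel to start the dynamic loader, and it is the dynamic loader that honours /etc/ld.so.preload and LD_PRELOAD. The checker below is an added example for this article, not code from the researchers or their report; it parses ELF32 and ELF64 headers with the standard library and builds two constructed sample binaries (not real files) to show the verdict each way. A static-PIE binary has a PT_DYNAMIC header but no PT_INTERP, which is why the verdict keys off PT_INTERP rather than PT_DYNAMIC.

```python
import struct
from typing import Dict, List

PT_DYNAMIC = 2   # program header describing the dynamic section
PT_INTERP = 3    # program header naming the dynamic loader (e.g. ld-linux)


def elf_program_header_types(data: bytes) -> List[int]:
    """Return the p_type of every program header in an ELF image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    endian = "<" if ei_data == 1 else ">"
    if ei_class == 2:    # ELF64: e_phoff at 32, e_phentsize/e_phnum at 54
        (e_phoff,) = struct.unpack_from(endian + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 54)
    elif ei_class == 1:  # ELF32: e_phoff at 28, e_phentsize/e_phnum at 42
        (e_phoff,) = struct.unpack_from(endian + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 42)
    else:
        raise ValueError("unknown ELF class")
    types: List[int] = []
    for i in range(e_phnum):
        (p_type,) = struct.unpack_from(endian + "I", data, e_phoff + i * e_phentsize)
        types.append(p_type)
    return types


def linking_report(data: bytes) -> Dict[str, bool]:
    """Only a binary with PT_INTERP is started through the dynamic loader."""
    types = elf_program_header_types(data)
    has_interp = PT_INTERP in types
    return {
        "has_interp": has_interp,
        "has_dynamic": PT_DYNAMIC in types,
        "uses_dynamic_loader": has_interp,
    }


def check_tool(path: str) -> Dict[str, bool]:
    """Report on an on-disk binary, e.g. an AV or EDR agent executable."""
    with open(path, "rb") as f:
        return linking_report(f.read())


def build_sample_elf64(phdr_types: List[int]) -> bytes:
    """Construct a minimal little-endian ELF64 image with the given program headers
    (test fixture only; it is not a loadable executable)."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    header = ident + struct.pack(
        "<HHIQQQIHHHHHH",
        2, 62, 1, 0x401000,   # e_type=EXEC, e_machine=x86-64, e_version, e_entry
        64, 0, 0,             # e_phoff (right after the header), e_shoff, e_flags
        64, 56, len(phdr_types), 64, 0, 0,
    )
    phdrs = b"".join(
        struct.pack("<IIQQQQQQ", p_type, 5, 0, 0, 0, 0, 0, 0x1000) for p_type in phdr_types
    )
    return header + phdrs


# Constructed samples: a conventional dynamic executable and a fully static one.
DYNAMIC_SAMPLE = build_sample_elf64([6, PT_INTERP, 1, PT_DYNAMIC])  # PHDR, INTERP, LOAD, DYNAMIC
STATIC_SAMPLE = build_sample_elf64([1, 1, 4])                        # LOAD, LOAD, NOTE

if __name__ == "__main__":
    for name, image in (("dynamic", DYNAMIC_SAMPLE), ("static", STATIC_SAMPLE)):
        print(name, linking_report(image))
```

On a live host the same fact is visible through `file` or `readelf -l`, but those are themselves dynamically linked on most distributions, so a preloaded hook could lie to them; parsing the bytes from a statically linked interpreter or from a copy of the file taken off-box gives an answer the rootkit cannot filter.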