New Symbiote Malware for Linux: Nearly Impossible to Detect
Intezer and BlackBerry research teams recently discovered a new Linux malware with a parasitic nature: it infects all running processes on a compromised system, giving threat actors rootkit capabilities, the ability to harvest credentials, and remote access.
They named the malware Symbiote and described it as “a new, almost impossible-to-detect Linux threat.” Symbiote was first detected in November 2021, and the research found it appeared to be written to target the financial sector in Latin America.
According to the write-up, Symbiote does not take the form of a typical executable file but of a shared object (SO) library that is loaded into running processes via the LD_PRELOAD environment variable, parasitically infecting the machine.
It uses the Berkeley Packet Filter (BPF) hooking feature to hide malicious network traffic on infected machines.
Security researchers point out that once it has injected itself into a process, the malware can choose which results that process displays.
“If an administrator starts a packet capture on an infected machine to investigate some suspicious network traffic, Symbiote injects itself into the process of inspecting the software and uses BPF hooking to filter out results that might reveal its activity.”
Symbiote can hook “libc” and “libpcap” functions and perform various actions to hide its presence, such as hiding the parasitic processes, hiding files deployed with the malware, and more.
To hide malicious network activity on infected machines, Symbiote scrubs the connection entries it wants to hide, performs packet filtering via BPF, and removes UDP traffic to domains on its list.
In addition to hiding its presence on the machine, the Symbiote malware also hides other files related to malware that might be deployed with it.
The researchers concluded that Symbiote is a highly evasive malware. Its main goal is to capture credentials and facilitate backdoor access to infected machines. Because the malware runs as a user-level rootkit, detecting infections can be difficult. Network telemetry can be used to detect abnormal DNS requests, and security tools such as AV and EDR should be statically linked to ensure they are not “infected” by user-level rootkits.
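As an added illustration of the host-side checks a defender can run against the LD_PRELOAD loading mechanism described above (this is example code, not Intezer's or BlackBerry's; the trusted-directory list and the sample maps data are constructed assumptions):

```shell
#!/bin/sh
# Added example (not from the Intezer/BlackBerry write-up): defender-side
# checks for the LD_PRELOAD injection mechanism the article describes.
# Assumptions: Linux /proc layout; the trusted-directory regex below is a
# constructed baseline to tune per distro. Run it from a statically linked
# shell/coreutils (e.g. busybox-static) so a hooked libc cannot filter /proc.

# Shared objects mapped from anywhere outside these directories are reported.
TRUSTED_LIB_DIRS='^/(usr/)?(local/)?lib(32|64|x32)?/|^/usr/libexec/'

# Print each .so in a /proc/PID/maps-format file that lives outside the
# trusted directories; exit 0 if anything was flagged, 1 otherwise.
suspicious_maps() {
    awk '$6 ~ /\.so(\.|$)/ && !seen[$6]++ { print $6 }' "$1" |
        grep -Ev "$TRUSTED_LIB_DIRS"
}

# Print non-blank entries of an ld.so.preload file (default /etc/ld.so.preload).
# That file is injected into every dynamically linked process on the host
# and is normally absent or empty; exit 1 if absent/empty.
check_preload_file() {
    f="${1:-/etc/ld.so.preload}"
    [ -s "$f" ] && grep -v '^[[:space:]]*$' "$f"
}

# Print PIDs whose environment sets LD_PRELOAD (environ is NUL-separated).
procs_with_ld_preload() {
    for e in /proc/[0-9]*/environ; do
        tr '\0' '\n' < "$e" 2>/dev/null | grep -q '^LD_PRELOAD=' &&
            { p="${e#/proc/}"; echo "${p%%/*}"; }
    done
    return 0
}

# Constructed sample in /proc/PID/maps format (not a real capture): normal
# libc mappings plus a shared object loaded from /tmp.
SAMPLE_MAPS='55d4c1a00000-55d4c1a02000 r--p 00000000 08:01 131107 /usr/bin/sleep
7f3a1c000000-7f3a1c028000 r--p 00000000 08:01 262403 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a1c028000-7f3a1c1bd000 r-xp 00028000 08:01 262403 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a1c300000-7f3a1c301000 r--p 00000000 08:01 917511 /tmp/.x/libhelper.so
7f3a1c301000-7f3a1c303000 r-xp 00001000 08:01 917511 /tmp/.x/libhelper.so
7ffd4e2f0000-7ffd4e311000 rw-p 00000000 00:00 0      [stack]'

echo "== /etc/ld.so.preload =="
check_preload_file || echo "(absent or empty)"
echo "== processes with LD_PRELOAD in their environment =="
procs_with_ld_preload
echo "== unexpected shared objects in the constructed sample =="
tmp=$(mktemp) && printf '%s\n' "$SAMPLE_MAPS" > "$tmp"
suspicious_maps "$tmp" || echo "(none)"   # prints /tmp/.x/libhelper.so
rm -f "$tmp"
```

Because a user-level rootkit of this kind hooks libc to filter what dynamically linked tools see, the article's advice applies to this script as well: run it from statically linked tools and cross-check against network telemetry.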
Details can be found in the official announcement.