Symbiote, a nearly-impossible-to-detect Linux malware

Pierluigi Paganini June 09, 2022

Researchers uncovered a highly stealthy Linux malware, dubbed Symbiote, that could be used to backdoor infected systems.

Joint research conducted by security firms Intezer and BlackBerry uncovered a new Linux threat dubbed Symbiote.

The name comes from the concept of a symbiote, an organism that lives in symbiosis with another organism, exactly as this implant does with the infected systems. For this reason, security researchers defined this threat as nearly impossible to detect.

Unlike other Linux threats, Symbiote needs to infect other running processes to inflict damage on the compromised machines. It is a shared object (SO) library that is loaded into all running processes using LD_PRELOAD (T1574.006) and, like a parasite, infects the machine. Once the malware has infected all the running processes, it provides the threat actor with rootkit capability and supports data-stealing capabilities.

The malware was first spotted in November 2021. Experts believe it was designed to target the financial sector in Latin America, such as Banco do Brasil and Caixa.

“Once the malware has infected a machine, it hides itself and any other malware used by the threat actor, making infections very hard to detect. Performing live forensics on an infected machine may not turn anything up since all the file, processes, and network artifacts are hidden by the malware. In addition to the rootkit capability, the malware provides a backdoor for the threat actor to log in as any user on the machine with a hardcoded password, and to execute commands with the highest privileges.” reads the report published by BlackBerry. “Since it is extremely evasive, a Symbiote infection is likely to “fly under the radar.” In our research, we haven’t found enough evidence to determine whether Symbiote is being used in highly targeted or broad attacks.”

Experts reported that one interesting technical feature implemented by Symbiote is its Berkeley Packet Filter (BPF) hooking functionality; it is the first Linux malware to use this feature to hide malicious network traffic.

“When an administrator starts any packet capture tool on the infected machine, BPF bytecode is injected into the kernel that defines which packets should be captured. In this process, Symbiote adds its bytecode first so it can filter out network traffic that it doesn’t want the packet-capturing software to see.” continues the report.

Symbiote can be loaded by the linker via the LD_PRELOAD directive before any other shared objects, allowing it to “hijack the imports” from the other library files loaded for the application.

Symbiote hides its presence by hooking libc and libpcap functions.


“Symbiote is a malware that is highly evasive. Its main objective is to capture credentials and to facilitate backdoor access to infected machines. Since the malware operates as a userland level rootkit, detecting an infection may be difficult.” concludes the report. “Network telemetry can be used to detect anomalous DNS requests, and security tools such as antivirus and endpoint detection and response (EDR) should be statically linked to ensure they are not “infected” by userland rootkits.”

Experts also shared indicators of compromise (IoCs) for this threat.
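
A defender's check for the LD_PRELOAD loading described above, as an added example that is not from the Intezer/BlackBerry report: it lists the libraries named in /etc/ld.so.preload (the dynamic linker's system-wide preload file, which the article does not mention) and in each process's LD_PRELOAD variable. The function names are hypothetical, and it assumes a build with CGO_ENABLED=0 so that the binary is statically linked and calls the kernel directly rather than through a hooked libc.

```go
package main

import (
	"bytes"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// splitPreload splits a preload list; ld.so accepts spaces or colons as separators.
func splitPreload(v string) []string {
	return strings.FieldsFunc(v, func(r rune) bool { return r == ':' || r == ' ' || r == '\t' })
}

// preloadFromEnviron returns LD_PRELOAD entries from raw /proc/<pid>/environ bytes (NUL-separated).
func preloadFromEnviron(environ []byte) []string {
	for _, kv := range bytes.Split(environ, []byte{0}) {
		if s := string(kv); strings.HasPrefix(s, "LD_PRELOAD=") {
			return splitPreload(s[len("LD_PRELOAD="):])
		}
	}
	return nil
}

// parsePreloadFile parses /etc/ld.so.preload content, dropping '#' comments.
func parsePreloadFile(content string) []string {
	var libs []string
	for _, line := range strings.Split(content, "\n") {
		line, _, _ = strings.Cut(line, "#")
		libs = append(libs, splitPreload(line)...)
	}
	return libs
}

func main() {
	// System-wide preload file, read by the dynamic linker for every process.
	b, _ := os.ReadFile("/etc/ld.so.preload")
	fmt.Println("/etc/ld.so.preload:", parsePreloadFile(string(b)))
	// Per-process environment as it was at exec time (run as root to see all).
	paths, _ := filepath.Glob("/proc/[0-9]*/environ")
	for _, p := range paths {
		b, _ := os.ReadFile(p)
		if libs := preloadFromEnviron(b); len(libs) > 0 {
			fmt.Println(filepath.Dir(p)+":", libs)
		}
	}
}
```

An entry in the output is a lead to investigate rather than proof of compromise, since legitimate software also uses preloading.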


Pierluigi Paganini

(SecurityAffairs – hacking, Symbiote backdoor)
