Symbiote, a recently discovered Linux malware, infects every running process on a compromised machine, harvests account credentials, and gives its operators backdoor access. Once injected into all running processes, the malware acts as a system-wide parasite, leaving no visible evidence of infection even under painstaking in-depth examination.
Symbiote leverages BPF (Berkeley Packet Filter) hooking to sniff network packets and to hide its own communication channels from security tools. BlackBerry and Intezer Labs researchers discovered and analysed this novel threat, collaborating to document all of the new malware's features in a full technical report. Symbiote, they say, has been under active development since last year.
Instead of being an executable, Symbiote is a shared object (SO) library loaded into running processes via the LD_PRELOAD environment variable, so that it takes precedence over other shared objects. Because it is the first library to load, Symbiote can hook “libc” and “libpcap” functions and perform various actions to hide its presence, such as concealing parasitic processes and hiding malware files.
“When it injects itself into processes, the malware can choose which results it displays,” the security researchers revealed in a recently published report. “If an administrator starts a packet capture on the infected machine to investigate some suspicious network traffic, Symbiote will inject itself into the inspection software’s process and use BPF hooking to filter out results that would reveal its activity.”
To disguise its malicious network activity on the infected system, Symbiote scrubs the connection entries it wants hidden, filters packets using BPF, and drops UDP traffic to the domain names on its list.
By hooking the “libc read” function, this stealthy new malware is used mainly for automated credential harvesting from infected Linux devices. This is a critical step when targeting Linux servers in high-value networks, because acquiring admin account credentials allows unrestricted lateral movement and full access to the whole environment.
Symbiote also offers its operators remote SSH access to the system via the PAM service, as well as a mechanism for the threat actor to gain root privileges. The malware’s primary targets are Latin American financial institutions, including Brazilian banks and the country’s Federal Police, among others.
The researchers found that identifying an infection may be challenging, since the malware operates as a user-land rootkit. “Network telemetry can be used to detect anomalous DNS requests, and security tools such as AVs and EDRs should be statically linked to ensure they are not ‘infected’ by userland rootkits.”
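A defender-side check in the spirit of that advice, added here as an example (it is not code from the Symbiote report or from BlackBerry/Intezer): it lists shared objects injected through a process's LD_PRELOAD environment or the system-wide /etc/ld.so.preload file, and inspects an ELF's program headers to confirm a security tool is statically linked (no PT_INTERP segment, so nothing for the preload mechanism to attach to). The sample environment and preload file are constructed with placeholder paths; reading /proc/<pid>/environ and the tool binaries themselves is left to the caller.

```python
import struct

PT_INTERP = 3  # ELF program header type that names the dynamic loader

def parse_environ(raw: bytes) -> dict:
    """Parse a NUL-separated /proc/<pid>/environ blob into a dict."""
    env = {}
    for item in raw.split(b"\0"):
        key, sep, value = item.partition(b"=")
        if sep:
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env

def preloaded_libraries(environ: dict, ld_so_preload: str = "") -> list:
    """Shared objects forced into processes per-process (LD_PRELOAD) or
    system-wide (/etc/ld.so.preload); separators are spaces or colons, '#' comments."""
    libs = environ.get("LD_PRELOAD", "").replace(":", " ").split()
    for line in ld_so_preload.splitlines():
        libs += line.split("#", 1)[0].replace(":", " ").split()
    return libs

def is_statically_linked(elf: bytes) -> bool:
    """True when the ELF has no PT_INTERP segment: without a dynamic loader,
    LD_PRELOAD and ld.so.preload have nothing to inject into."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    end = "<" if elf[5] == 1 else ">"   # EI_DATA: 1 = little-endian, 2 = big
    if elf[4] == 2:                     # EI_CLASS: 2 = ELF64, 1 = ELF32
        (e_phoff,) = struct.unpack_from(end + "Q", elf, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 0x36)
    else:
        (e_phoff,) = struct.unpack_from(end + "I", elf, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 0x2A)
    for i in range(e_phnum):
        (p_type,) = struct.unpack_from(end + "I", elf, e_phoff + i * e_phentsize)
        if p_type == PT_INTERP:
            return False
    return True

def sample_elf64(with_interp: bool) -> bytes:
    """Constructed minimal ELF64 LE header plus one program header (not a real binary)."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + b"\0" * 9   # class=64-bit, LE, version 1
    header = ident + struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    p_type = PT_INTERP if with_interp else 1   # 1 = PT_LOAD stands in for a static image
    return header + struct.pack("<IIQQQQQQ", p_type, 4, 0, 0, 0, 0, 0, 0)

# Constructed sample inputs (placeholder paths, not real indicators).
SAMPLE_ENVIRON = b"PATH=/usr/bin\0LD_PRELOAD=/tmp/example_preload.so\0HOME=/root\0"
SAMPLE_LD_SO_PRELOAD = "# comment\n/usr/lib/example_hook.so:/usr/lib/other.so\n"
```

Any non-empty result from preloaded_libraries on a production host, or a security agent that reports as dynamically linked, is worth triage; a real rootkit may also hide these files from hooked processes, so run the check from a statically linked tool or from an offline image.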
Because Linux is so widely deployed in large and valuable corporate networks, such complex and highly evasive threats against Linux systems are expected to grow dramatically in the near future. Last month, BPFDoor, a similar backdoor that uses BPF (Berkeley Packet Filter) to passively listen to incoming and outgoing network traffic on affected machines, was discovered.