The discovery of Symbiote, an extremely dangerous and almost impossible to detect Linux malware. It has been in existence since at least November 2021 and appears to have been developed to target the financial sector

Fans of Linux-based operating systems often mention greater security to justify their love for their chosen distro.

Whether Linux distros have a better security record than Windows 11 and macOS systems because they are inherently more secure, or because they are just not that much targeted, is up for debate, but Linux is nonetheless less fallible.

The symbiote malware, discovered by security researchers from BlackBerry and Intezer Labs, is proof of this. Symbiote is troubling for a number of reasons, including being described as “almost impossible to detect”. It is also an extremely dangerous malware that “parasitizes” systems, infects all running processes and gives threat actors rootkit functionality, remote access and more.

Symbiote is then called because of the nature of the attacks, and the term “symbiot” is a biological term for an organism that lives in symbiosis with another organism, sometimes in a parasitic way. Security researchers claim that Symbiote has been around since at least November 2021 and appears to have been developed to target the financial sector.

In their report, the researchers describe the malware as follows:

What makes Symbiote different from other Linux malware we usually come across is that it has to infect other running processes in order to inflict damage on infected machines. Instead of being a standalone executable running to infect a machine, it is a Shared Object (SO) library that is loaded into all running processes using LD_PRELOAD (T1574.006) and which infects the machine on a parasitic manner. Once it infects all running processes, it gives the threat actor rootkit functionality, the ability to harvest credentials, and remote access.

They then explain why the symbiote is so difficult to detect:

Once malware has infected a machine, it hides itself along with any other malware used by the threat actor, making infections very difficult to detect. A live forensic scan of an infected machine may not reveal anything, as all files, processes, and network artifacts are hidden by the malware. In addition to the rootkit capability, the malware provides a backdoor that allows the threat actor to log in as any user on the machine with a hard-coded password and execute commands with the highest privileges.

Since it is extremely elusive, a Symbiote infection is likely to “fly under the radar”. Through our research, we have not found enough evidence to determine whether Symbiote is used in highly targeted or large-scale attacks.

An interesting technical aspect of Symbiote is its Berkeley Packet Filter (BPF) picking function. Symbiote is not the first Linux malware to use BPF. For example, an advanced backdoor assigned to the Equation Group used BPF for covert communication. However, Symbiote uses BPF to hide malicious network traffic on an infected machine.

When an administrator launches a packet capture tool on the infected machine, the BPF byte code is injected into the kernel, which defines the packets to be captured. In this process, Symbiote first adds its byte code so that it can filter out network traffic that it does not want the packet collection software to see.

Symbiote is also able to hide its networking activity using various techniques. This cover is perfect for allowing malware to harvest credentials and provide remote access to the threat actor.

Sources: Blackberry, Intezer

And you?

What do you think ?

Also see:

The number of malware infections targeting Linux devices increased by 35% in 2021, with XordDoS, Mirai and Mozi being the most prevalent, accounting for 22% of attacks

Security researchers have discovered CronRAT, a new insidious Remote Access Trojan (RAT) designed to attack Linux systems and hide as a planned task

Malware targeting Linux-based operating systems is growing in both volume and complexity amid rapidly changing threat landscape

“Hive” ransomware now encrypts Linux and FreeBSD systems, but this ransomware variant is still buggy and does not always work

Leave a Comment