Symbiote: Linux malware ‘nearly impossible to detect’ threat

Researchers have discovered a new Linux malware that they describe as a ‘nearly impossible to detect’ threat.

The malware is dubbed Symbiote, after the biological term for an organism that lives in symbiosis with another but can also turn parasitic if harmed.

A joint effort between the BlackBerry Research & Intelligence Team and Intezer security researcher Joakim Kennedy uncovered this new, previously undetected malware, which infects Linux-based systems in a parasitic manner.

“What makes Symbiote different from other Linux malware that we usually come across is that it needs to infect other running processes to inflict damage on infected machines. Instead of being a standalone executable file that is run to infect a machine, it is a shared object (SO) library that is loaded into all running processes using LD_PRELOAD (T1574.006), and parasitically infects the machine,” Dr. Joakim Kennedy of BlackBerry wrote in a blog post.

Kennedy also noted that the malware gives threat actors rootkit functionality, the ability to “harvest credentials, and remote access capability.”

The researchers first detected Symbiote in November 2021, when it was targeting entities in the Latin American financial sector. Once it infects a Linux system, the malware hides its files, processes and network artifacts from detection.
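The LD_PRELOAD injection described in the quote above, and the file and process hiding described here, leave a few host artifacts a defender can look for: an entry in /etc/ld.so.preload (glibc loads anything listed there into every dynamically linked process), an LD_PRELOAD variable in process environments, and one file-backed mapping that appears in the /proc/<pid>/maps of nearly every process while living outside the usual library directories. The script below is an added example written for this article, not code from the BlackBerry or Intezer research; the library path /var/tmp/injected_example.so and the process listings in its docstrings are constructed samples, not real indicators. One caveat the article itself implies: a preload rootkit hooks the libc calls that ls, ps and this script rely on, so on a suspect host run such checks from a statically linked binary or against an offline disk and memory image rather than trusting the live userland.

```python
"""Defender-side triage for LD_PRELOAD-style shared-object injection (T1574.006).

Three artifacts are checked:
  1. entries in /etc/ld.so.preload,
  2. loader variables (LD_PRELOAD, LD_AUDIT, LD_LIBRARY_PATH) in /proc/<pid>/environ,
  3. a file-backed mapping present in almost every process's /proc/<pid>/maps
     but outside the standard library directories.
The parsing functions take text so they can be run on collected evidence too.
"""
import os
import re
from collections import Counter

PRELOAD_FILE = "/etc/ld.so.preload"
LOADER_ENV_VARS = ("LD_PRELOAD", "LD_AUDIT", "LD_LIBRARY_PATH")
# Triage allow-list only: a malicious object can be dropped into these
# directories as well, so this filter reduces noise, it does not prove absence.
STANDARD_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")


def parse_preload_file(text):
    """Return the shared objects named in an ld.so.preload-style file.

    glibc separates entries with whitespace or ':' and ignores '#' comments.
    """
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        entries.extend(tok for tok in re.split(r"[\s:]+", line) if tok)
    return entries


def loader_vars_in_environ(blob):
    """Extract dynamic-loader variables from a NUL-separated environ blob."""
    found = {}
    for item in blob.split(b"\0"):
        key, sep, value = item.partition(b"=")
        name = key.decode(errors="replace")
        if sep and name in LOADER_ENV_VARS:
            found[name] = value.decode(errors="replace")
    return found


def mapped_objects(maps_text):
    """Return the file-backed paths in a /proc/<pid>/maps listing."""
    objs = set()
    for line in maps_text.splitlines():
        fields = line.split(None, 5)  # addr perms offset dev inode [path]
        if len(fields) == 6 and fields[5].startswith("/"):
            objs.add(fields[5])
    return objs


def widely_mapped_objects(maps_by_pid, threshold=0.9):
    """Map of path -> process count for non-standard objects mapped into at
    least `threshold` of the sampled processes.

    libc is mapped everywhere too, but from a standard directory; a preload
    library dropped elsewhere is what survives the filter. Kernel threads have
    no file-backed mappings and are skipped so they do not dilute the ratio.
    """
    sets = [s for s in map(mapped_objects, maps_by_pid.values()) if s]
    if not sets:
        return {}
    counts = Counter(path for s in sets for path in s)
    return {
        path: n
        for path, n in counts.items()
        if n >= threshold * len(sets) and not path.startswith(STANDARD_LIB_DIRS)
    }


def scan_live_system():
    """Run all three checks against the running host's /etc and /proc."""
    findings = {"preload_entries": [], "environ_hits": {}, "common_objects": {}}
    if os.path.exists(PRELOAD_FILE):
        with open(PRELOAD_FILE) as fh:
            findings["preload_entries"] = parse_preload_file(fh.read())
    maps_by_pid = {}
    for pid in (p for p in os.listdir("/proc") if p.isdigit()):
        try:
            with open(f"/proc/{pid}/environ", "rb") as fh:
                hits = loader_vars_in_environ(fh.read())
            with open(f"/proc/{pid}/maps") as fh:
                maps_by_pid[pid] = fh.read()
        except OSError:
            continue  # process exited, or not readable without root
        if hits:
            findings["environ_hits"][pid] = hits
    findings["common_objects"] = widely_mapped_objects(maps_by_pid)
    return findings


if __name__ == "__main__":
    for name, value in scan_live_system().items():
        print(f"{name}: {value or 'none'}")
```

Run it as root so every process's environ and maps are readable; any hit is a lead to follow up, not a verdict, since legitimate preload libraries exist (allocator replacements, fakeroot-style tools) and a rootkit that filters the very /proc reads the script performs will not show itself from inside the compromised userland.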

The researchers also noted that the malware “provides a backdoor for the threat actor to log in as any user on the machine with a hardcoded password, and to execute commands with the highest privileges.”

Symbiote also uses Berkeley Packet Filter (BPF) hooking to hide malicious network traffic on an infected system. BPF is a kernel packet-filtering technology used by network-monitoring and intrusion-detection tools to select the traffic they inspect.

Readers can check out the post for more details on the Symbiote threat, including its evasion techniques, host activities, network activities, network infrastructure, and Indicators of Compromise (IoCs).
