New Symbiote malware infects all running processes on Linux systems


A newly discovered Linux malware known as Symbiote infects all running processes on compromised systems, steals account credentials, and gives its operators backdoor access.

After injecting itself into all running processes, the malware acts as a system-wide parasite, leaving no identifiable signs of infection even during meticulous in-depth inspections.

Symbiote uses the BPF (Berkeley Packet Filter) hooking functionality to sniff network data packets and to hide its own communication channels from security tools.

This novel threat was discovered and analyzed by BlackBerry and Intezer Labs researchers, who worked together to uncover all aspects of the new malware in a detailed technical report. According to them, Symbiote has been under active development since last year.

System-wide infection via shared objects

Instead of taking the usual form of an executable, Symbiote is a shared object (SO) library that gets loaded into running processes using the LD_PRELOAD directive, so that it takes precedence over other SOs.

By being the first to load, Symbiote can hook the “libc” and “libpcap” functions and perform various actions to conceal its presence, such as hiding parasitic processes, hiding files deployed with the malware, and more.
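The loading mechanism described above leaves artefacts a responder can check for. The script below is an added example, not code from BlackBerry, Intezer or the article: it inspects the preload sources (the LD_PRELOAD variable in a process's environment and the system-wide /etc/ld.so.preload file, which the loader honours the same way) and the process's memory map, and reports preloaded or mapped shared objects that are not on an allowlist or do not come from a trusted library directory. The trusted prefixes and the sample inputs are constructed assumptions.

```python
"""Flag LD_PRELOAD-style shared-object injection on a Linux host.
A Symbiote-style userland rootkit is a shared object the dynamic loader maps into
every new process via the LD_PRELOAD variable or the system-wide /etc/ld.so.preload
file. This check reads the preload file, a process's NUL-separated /proc/<pid>/environ
block and its /proc/<pid>/maps; run it from a clean or statically linked tool so the
rootkit cannot filter what it reads."""
import re
# Assumption: preloaded libraries normally live here; anything else is reported.
TRUSTED_PREFIXES = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")

def parse_environ(blob: bytes) -> dict:
    """Turn the NUL-separated KEY=VALUE block of /proc/<pid>/environ into a dict."""
    env = {}
    for entry in blob.split(b"\0"):
        key, sep, value = entry.partition(b"=")
        if sep:
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env

def preload_paths(ld_so_preload: str, env: dict) -> set:
    """Libraries named in /etc/ld.so.preload (one per line, '#' comments) or LD_PRELOAD."""
    paths = {line.split("#", 1)[0].strip() for line in ld_so_preload.splitlines()}
    paths.update(re.split(r"[:\s]+", env.get("LD_PRELOAD", "")))
    return {p for p in paths if p}

def mapped_objects(maps_text: str) -> set:
    """Shared objects backing a mapping (last column of /proc/<pid>/maps)."""
    fields = [line.split() for line in maps_text.splitlines()]
    return {f[-1] for f in fields if len(f) >= 6 and ".so" in f[-1]}

def check_process(pid: int, environ_blob: bytes, maps_text: str,
                  ld_so_preload: str, allowlist=frozenset()) -> list:
    """Return findings for one process; an empty list means nothing suspicious."""
    findings = []
    preloaded = preload_paths(ld_so_preload, parse_environ(environ_blob))
    for lib in sorted(preloaded - set(allowlist)):
        findings.append(f"pid {pid}: preloaded library not on allowlist: {lib}")
    for obj in sorted(mapped_objects(maps_text)):
        if not obj.startswith(TRUSTED_PREFIXES):
            findings.append(f"pid {pid}: shared object mapped from untrusted path: {obj}")
    return findings

# Constructed sample input standing in for a live host (not real Symbiote artefacts).
SAMPLE_PRELOAD_FILE = "# system-wide preload\n/usr/lib/libinjected-example.so\n"
SAMPLE_ENVIRON = b"PATH=/usr/bin\0LD_PRELOAD=/dev/shm/.x/libevil-example.so\0HOME=/root\0"
SAMPLE_MAPS = ("7f00 r-xp 00000000 08:01 123 /usr/lib/x86_64-linux-gnu/libc.so.6\n"
               "7f01 r-xp 00000000 00:14 456 /dev/shm/.x/libevil-example.so\n")
if __name__ == "__main__":
    print("\n".join(check_process(4242, SAMPLE_ENVIRON, SAMPLE_MAPS, SAMPLE_PRELOAD_FILE)))
```

On a live host, feed it the contents of /etc/ld.so.preload plus /proc/<pid>/environ and /proc/<pid>/maps for each pid, and treat any finding as a lead to confirm with a statically linked tool, as the researchers recommend.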

All hiding tricks used by Symbiote (BlackBerry)

“When it injects itself into processes, the malware can choose which results it displays,” the security researchers explained in a report published today.

“If an administrator starts a packet capture on the infected machine to investigate some suspicious network traffic, Symbiote will inject itself into the inspection software’s process and use BPF hooking to filter out results that would reveal its activity.”

To hide its malicious network activity on the compromised machine, Symbiote scrubs connection entries it wants to hide, performs packet filtering via BPF, and removes UDP traffic to domains on its list.

Backdoors and data theft

This stealthy new malware is primarily used for automated credential harvesting from hacked Linux devices by hooking the “libc read” function.

This is a crucial mission when targeting Linux servers in high-value networks, as stealing admin account credentials opens the way to unobstructed lateral movement and unlimited access to the entire system.

Symbiote also gives its operators remote SSH access to the machine via the PAM service, and it also provides a way for the threat actor to gain root privileges on the system.

Spawning a root shell on the host (BlackBerry)

The malware’s targets are mostly entities in the financial sector in Latin America, impersonating Brazilian banks, the country’s Federal Police, and others.

“Since the malware operates as a user-land level rootkit, detecting an infection may be difficult,” the researchers concluded.

“Network telemetry can be used to detect anomalous DNS requests and security tools such as AVs and EDRs should be statically linked to ensure they are not ‘infected’ by userland rootkits.”

Such advanced and highly evasive threats used in attacks against Linux systems are expected to increase significantly in the coming period, as large and valuable corporate networks use this architecture extensively.

Only last month, another similar backdoor called BPFDoor was observed using BPF (Berkeley Packet Filter) to passively listen to incoming and outgoing network traffic on infected hosts.
