A collaborative effort by several cybersecurity researchers recently led to the discovery of Symbiote, a new form of Linux malware that is “almost impossible” to detect. Late last week, researchers from the BlackBerry Threat Research & Intelligence team, together with Intezer security researcher Joakim Kennedy, published a blog post about a malware dubbed Symbiote because of its “parasitic nature.”
The researchers discovered Symbiote a few months ago. It differs from typical Linux malware, which usually tries to compromise running processes: Symbiote is itself a shared object (SO) library that the dynamic linker loads into every running process via LD_PRELOAD.
According to the researchers, the shared object library “parasitically” compromises the target machine. Once it is loaded into the system's processes, the malware gives the attackers rootkit functionality. The first detected sample dates back to November 2021 and appears to have been built to target financial institutions in Latin America. However, because the malware is so new, the researchers cannot yet tell whether it was used in targeted or broad attacks, if at all.
Aggressive and… stealthy malware
Symbiote has several interesting characteristics. For example, the malware uses Berkeley Packet Filter (BPF) hooking to hide malicious traffic on an infected machine; BPF has also been used by malware developed by the Equation Group. “When an administrator runs a packet capture tool on an infected machine, the BPF bytecode is injected into the kernel, which determines the packets to be captured,” explains BlackBerry. “In this process, Symbiote first adds its bytecode so that it can filter network traffic that the packet capture software should not see.”
One of the most striking elements of this Linux malware is its stealth. Because it is preloaded before other shared objects, it can hook selected functions, notably in libc and libpcap, to hide its presence.
Other Symbiote-related files are hidden as well, and the entries for its own network connections are continuously scrubbed from what the system reports.
In addition, Symbiote harvests credentials by hooking libc's read function, and provides remote access by hooking Linux Pluggable Authentication Module (PAM) functions.
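The loading technique described above, a shared object forced into every process through the preload mechanism, is also where a defender would start looking. The following is an example added to this article, not BlackBerry's or Intezer's tooling, and it contains nothing Symbiote-specific: it parses /etc/ld.so.preload and the LD_PRELOAD variable from each process's environment and reports any preloaded library that is not on an allowlist. The allowlist, the file paths and the sample inputs are constructed for the example. The caveat follows from the article's own description of the malware: on an infected host the libc this script relies on is itself hooked, so file reads and directory listings may be lied to, and a clean result is weak evidence. Run such checks with a statically linked tool or against the disk from a clean boot, and corroborate with packet captures taken off-host, where the malware's BPF filtering cannot reach.

```python
"""Flag LD_PRELOAD-style library injection: a shared object forced into
every process through /etc/ld.so.preload, or into individual processes
through the LD_PRELOAD environment variable.

Example added for this article; not BlackBerry's or Intezer's code, and
not Symbiote-specific. Caveat: on an infected host the libc used by this
interpreter is itself hooked, so treat a clean result as weak evidence."""
import os
import re

# Assumed allowlist of libraries an administrator has sanctioned (constructed
# for the example). Anything else found in a preload location is reported.
KNOWN_PRELOADS = {"/usr/lib/libfakeroot.so"}


def parse_ld_so_preload(text):
    """Return the libraries listed in /etc/ld.so.preload.

    glibc reads the file as a whitespace-separated list of shared objects;
    a '#' starts a comment that runs to the end of the line."""
    libs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        libs.extend(line.split())
    return libs


def parse_environ(blob):
    """Turn the NUL-separated bytes of /proc/<pid>/environ into a dict."""
    env = {}
    for entry in blob.split(b"\0"):
        if b"=" in entry:
            key, value = entry.split(b"=", 1)
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def suspicious_preloads(preload_text, environs, known=KNOWN_PRELOADS):
    """Report preloaded libraries that are not on the allowlist.

    preload_text: content of /etc/ld.so.preload ("" if the file is absent)
    environs:     mapping pid -> raw bytes of /proc/<pid>/environ
    Returns a list of (source, library) tuples, system-wide entries first."""
    findings = []
    for lib in parse_ld_so_preload(preload_text):
        if lib not in known:
            findings.append(("/etc/ld.so.preload", lib))
    for pid, blob in environs.items():
        env = parse_environ(blob)
        # LD_PRELOAD accepts colon- or whitespace-separated entries.
        for lib in re.split(r"[:\s]+", env.get("LD_PRELOAD", "")):
            if lib and lib not in known:
                findings.append((f"/proc/{pid}/environ", lib))
    return findings


def scan_live_host():
    """Run the same check against the running system. Reading every
    process's environ requires root; unreadable processes are skipped."""
    try:
        with open("/etc/ld.so.preload") as f:
            preload_text = f.read()
    except FileNotFoundError:
        preload_text = ""
    environs = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/environ", "rb") as f:
                environs[pid] = f.read()
        except OSError:
            continue
    return suspicious_preloads(preload_text, environs)


# Constructed sample input, not data from a real incident.
SAMPLE_PRELOAD = (
    "# site-wide preloads\n"
    "/usr/lib/libfakeroot.so /usr/local/lib/libnss_fake.so\n"
)
SAMPLE_ENVIRONS = {
    "1234": b"PATH=/usr/bin\0LD_PRELOAD=/tmp/.x/libhide.so\0HOME=/root\0",
    "1235": b"PATH=/usr/bin\0HOME=/home/u\0",
}

if __name__ == "__main__":
    for source, lib in suspicious_preloads(SAMPLE_PRELOAD, SAMPLE_ENVIRONS):
        print(f"{source}: unexpected preload {lib}")
```

The offline run reports the unlisted library in /etc/ld.so.preload and the LD_PRELOAD entry in process 1234; `scan_live_host()` applies the same logic to the real /etc/ld.so.preload and /proc, with the caveat above about trusting an infected host's libc.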
The malware sample was uploaded to Google's VirusTotal platform, well known to cybersecurity professionals, under the file name certbotx64. The research team suspects that, because the file was submitted before the malware's main infrastructure was up and running, the upload may have been intended to test antivirus detection.
“When we first analyzed the samples with Intezer Analyze, only unique code was found,” they explain. “Because Symbiote shares no code with Ebury/Windigo or any other known [Linux] malware, we can safely conclude that Symbiote is a new, unknown Linux malware.”