Cybersecurity researchers have taken the wraps off what they call a "nearly impossible to detect" Linux malware that could be weaponized to backdoor infected systems.
Dubbed Symbiote by threat intelligence firms BlackBerry and Intezer, the stealthy malware is so named for its ability to conceal itself within running processes and network traffic and drain a victim's resources like a parasite.
The operators behind Symbiote are believed to have commenced development on the malware in November 2021, with the threat actor predominantly using it to target the financial sector in Latin America, including banks like Banco do Brasil and Caixa, based on the domain names used.
"Symbiote's main objective is to capture credentials and to facilitate backdoor access to a victim's machine," researchers Joakim Kennedy and Ismael Valenzuela said in a report shared with The Hacker News. "What makes Symbiote different from other Linux malware is that it infects running processes rather than using a standalone executable file to inflict damage."
It achieves this by leveraging a native Linux feature called LD_PRELOAD — a technique previously used by malware such as Pro-Ocean and Facefish — so as to be loaded by the dynamic linker into all running processes and infect the host.
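The dynamic linker takes its preload instructions from two places, the system-wide /etc/ld.so.preload file and the LD_PRELOAD variable in a process's environment, so both are natural audit points on a host. The following Python is an added example written for this article, not code from the BlackBerry/Intezer report; the allowlisted library directories, the sample environment contents and the library names it is tested against are constructed for illustration.

```python
"""Audit a Linux host for LD_PRELOAD-style library injection indicators.

Added example (not from the Symbiote report). The dynamic linker honours two
preload sources for every dynamically linked program it starts: the
system-wide /etc/ld.so.preload file and the LD_PRELOAD environment variable.
Both are inspected here; inputs are passed in as text/bytes so the logic also
runs offline against constructed data or a copied /proc snapshot.
"""
import os
import re

# Constructed allowlist: directories a legitimately preloaded library would
# normally live in. Anything outside them (e.g. /tmp, /dev/shm, $HOME) is flagged.
TRUSTED_PREFIXES = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")


def parse_ld_so_preload(text):
    """Return library paths from ld.so.preload; entries may be separated by
    whitespace or ':' and '#' starts a comment."""
    libs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            libs.extend(p for p in re.split(r"[\s:]+", line) if p)
    return libs


def parse_environ(blob):
    """Parse the NUL-separated contents of /proc/<pid>/environ into a dict."""
    env = {}
    for entry in blob.split(b"\0"):
        if b"=" in entry:
            key, value = entry.split(b"=", 1)
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def suspicious_libs(libs):
    """Keep only libraries that do not come from a trusted directory."""
    return [lib for lib in libs if not lib.startswith(TRUSTED_PREFIXES)]


def audit(ld_so_preload_text, environs):
    """environs maps pid -> raw environ bytes. Returns (source, library) findings."""
    findings = [("/etc/ld.so.preload", lib)
                for lib in suspicious_libs(parse_ld_so_preload(ld_so_preload_text))]
    for pid, blob in environs.items():
        value = parse_environ(blob).get("LD_PRELOAD", "")
        for lib in suspicious_libs(p for p in re.split(r"[\s:]+", value) if p):
            findings.append((f"pid {pid} LD_PRELOAD", lib))
    return findings


def collect_live_environs(proc="/proc"):
    """Read /proc/<pid>/environ for every process we are permitted to open."""
    result = {}
    for name in os.listdir(proc):
        if name.isdigit():
            try:
                with open(os.path.join(proc, name, "environ"), "rb") as f:
                    result[int(name)] = f.read()
            except OSError:
                pass  # kernel threads or processes owned by other users
    return result


if __name__ == "__main__":
    try:
        with open("/etc/ld.so.preload") as f:
            preload_text = f.read()
    except OSError:
        preload_text = ""  # file absent is the normal, clean state
    for source, lib in audit(preload_text, collect_live_environs()):
        print(f"[!] {source}: {lib}")
```

One caveat follows directly from the mechanism: a Python interpreter is itself dynamically linked, so a library loaded through the very feature being audited could hook the libc calls this script depends on. The same parsing logic therefore carries most weight when run from a statically linked tool, or offline against a mounted disk image or a copied /proc snapshot.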
Besides hiding its presence on the file system, Symbiote is also capable of cloaking its network traffic by making use of the extended Berkeley Packet Filter (eBPF) feature. This is carried out by injecting itself into an inspection tool's process and using BPF to filter out results that would uncover its activity.
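When the inspection tool running on the host is the thing being filtered, any view produced from inside that host is suspect, while a sensor outside the host sees the wire as it is. The Python below is an added example, not code from the report or from The Hacker News: it parses the host's own /proc/net/tcp listing (a different in-host source than the BPF-filtered tools the report describes, but subject to the same trust problem) and reports established flows that an external sensor attributes to the host but the host does not list. The /proc/net/tcp lines, the sensor flow list and the host address 10.0.0.10 are constructed, and the address decoding assumes a little-endian host such as x86.

```python
"""Cross-check a host's own view of TCP connections against an external vantage.

Added example, not from the Symbiote report. A rootkit that filters what
inspection tools on the host return cannot alter what a sensor outside the
host sees, so flows present on the wire but absent from the host's
/proc/net/tcp are worth investigating. The /proc/net/tcp lines and the sensor
flow list below are constructed; the address decoding assumes a little-endian
host, as x86 is.
"""
import socket
import struct


def _decode_addr(field):
    """Turn a /proc/net/tcp 'IPHEX:PORTHEX' field into (dotted_ip, port).
    The IPv4 address is written in host byte order, hence the '<' pack."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Return {(local_ip, local_port, remote_ip, remote_port)} for ESTABLISHED
    sockets (state 01) in /proc/net/tcp text; the header line is skipped."""
    flows = set()
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 4 or parts[3] != "01":
            continue
        flows.add(_decode_addr(parts[1]) + _decode_addr(parts[2]))
    return flows


def hidden_flows(host_view, sensor_flows):
    """Flows the external sensor attributes to this host that the host does not report."""
    return sorted(set(sensor_flows) - host_view)


# Constructed sample: one listener and two established sessions as the host reports them.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0A00000A:0016 0B00000A:C3B2 01 00000000:00000000 00:00000000 00000000     0        0 23456 1 0000000000000000 20 4 30 10 -1
   2: 0A00000A:B8C4 1F00000A:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 34567 1 0000000000000000 20 4 30 10 -1
"""

# Constructed sample: what a network sensor saw from this host (10.0.0.10),
# including a third session the host's own view does not contain.
SAMPLE_SENSOR_FLOWS = [
    ("10.0.0.10", 22, "10.0.0.11", 50098),
    ("10.0.0.10", 47300, "10.0.0.31", 443),
    ("10.0.0.10", 41234, "203.0.113.5", 8443),
]


def demo():
    """Run the cross-check on the constructed samples."""
    return hidden_flows(parse_proc_net_tcp(SAMPLE_PROC_NET_TCP), SAMPLE_SENSOR_FLOWS)


if __name__ == "__main__":
    for flow in demo():
        print("[!] on the wire but not reported by the host:", flow)
```

In practice the sensor side would come from flow records or DNS logs collected off-host, which is the "network telemetry" the researchers recommend; the comparison itself is the same set difference.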
Upon hijacking all running processes, Symbiote enables rootkit functionality to further hide evidence of its existence and provides a backdoor for the threat actor to log in to the machine and execute privileged commands. It has also been observed storing captured credentials encrypted in files masquerading as C header files.
This is not the first time a malware with similar capabilities has been spotted in the wild. In February 2014, ESET revealed a Linux backdoor called Ebury which is designed to steal OpenSSH credentials and maintain access to a compromised server.
Additionally, the disclosure comes nearly a month after details emerged about an evasive Linux-based passive implant called BPFDoor that loads a Berkeley Packet Filter (BPF) sniffer to monitor network traffic and initiate a bind shell while bypassing firewall protections.
"Since the malware operates as a user-land level rootkit, detecting an infection may be difficult," the researchers concluded. "Network telemetry can be used to detect anomalous DNS requests and security tools such as AVs and EDRs should be statically linked to ensure they are not 'infected' by userland rootkits."
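The recommendation that security tools be statically linked can be checked mechanically. Below is an added Python example, not tooling from BlackBerry, Intezer or The Hacker News, that parses an ELF file's program headers: a binary with a PT_INTERP entry asks the kernel to map the system dynamic linker, which is the component that honours LD_PRELOAD and /etc/ld.so.preload, whereas a binary without one never loads ld.so and so cannot be preloaded into. The build_elf64 helper constructs header-only ELF images for offline testing and produces nothing executable.

```python
"""Check whether an ELF executable requests the system dynamic linker.

Added example, not tooling from the report. A statically linked ELF has no
PT_INTERP program header, because nothing asks the kernel to map ld.so, and
ld.so is what processes LD_PRELOAD and /etc/ld.so.preload. This parser reads
only the ELF and program headers (ELF32/ELF64, either endianness).
"""
import struct
import sys

PT_DYNAMIC = 2
PT_INTERP = 3


def program_headers(data):
    """Yield (p_type, p_offset, p_filesz) for every program header in an ELF image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    end = "<" if ei_data == 1 else ">"   # EI_DATA: 1 = little endian, 2 = big endian
    if ei_class == 2:                    # ELF64
        hdr = struct.unpack(end + "16sHHIQQQIHHHHHH", data[:64])
        fmt = end + "IIQQQQQQ"           # p_type p_flags p_offset p_vaddr p_paddr p_filesz p_memsz p_align
        idx = (0, 2, 5)
    elif ei_class == 1:                  # ELF32
        hdr = struct.unpack(end + "16sHHIIIIIHHHHHH", data[:52])
        fmt = end + "IIIIIIII"           # p_type p_offset p_vaddr p_paddr p_filesz p_memsz p_flags p_align
        idx = (0, 1, 4)
    else:
        raise ValueError("unknown ELF class")
    phoff, phentsize, phnum = hdr[5], hdr[9], hdr[10]
    size = struct.calcsize(fmt)
    for i in range(phnum):
        off = phoff + i * phentsize
        ph = struct.unpack(fmt, data[off:off + size])
        yield ph[idx[0]], ph[idx[1]], ph[idx[2]]


def linkage(data):
    """Return ('dynamic', interp_path), ('static-pie', None) or ('static', None).
    A static-PIE carries PT_DYNAMIC for self-relocation but still no PT_INTERP."""
    interp, dynamic = None, False
    for p_type, p_offset, p_filesz in program_headers(data):
        if p_type == PT_INTERP:
            interp = data[p_offset:p_offset + p_filesz].rstrip(b"\0").decode()
        elif p_type == PT_DYNAMIC:
            dynamic = True
    if interp is not None:
        return "dynamic", interp
    return ("static-pie" if dynamic else "static"), None


def is_statically_linked(data):
    """True when no PT_INTERP is present, i.e. ld.so (and LD_PRELOAD) is never used."""
    return linkage(data)[0] != "dynamic"


def build_elf64(interp=None, dynamic=False):
    """Construct a minimal little-endian ELF64 image (headers only, not runnable)
    for offline testing of the parser above."""
    phdrs = []
    if interp is not None:
        phdrs.append((PT_INTERP, interp.encode() + b"\0"))
    if dynamic:
        phdrs.append((PT_DYNAMIC, b"\0" * 16))
    ehsize, phentsize = 64, 56
    data_off = ehsize + phentsize * len(phdrs)
    ph_bytes, blob = b"", b""
    for p_type, content in phdrs:
        ph_bytes += struct.pack("<IIQQQQQQ", p_type, 4, data_off + len(blob),
                                0, 0, len(content), len(content), 1)
        blob += content
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # class 64, LE, version 1
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 2, 62, 1, 0,
                       ehsize if phdrs else 0, 0, 0, ehsize, phentsize,
                       len(phdrs), 64, 0, 0)
    return ehdr + ph_bytes + blob


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            kind, interp = linkage(f.read())
        print(f"{path}: {kind}" + (f" (interpreter {interp})" if interp else ""))
```

Run it against the on-disk copies of the AV or EDR agents in question; a result of "dynamic" with a loader path means the binary will be started through ld.so and is therefore exposed to the preload mechanism the report describes.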