New Linux Malware Symbiote is "Nearly Impossible to Detect"

A group of cybersecurity researchers from BlackBerry and Intezer discovered a new Linux malware that, according to the companies, would be “nearly impossible to detect.”

Dubbed “Symbiote,” the threat can be weaponized to backdoor infected systems.

“What makes Symbiote different from other Linux malware that we usually come across, is that it needs to infect other running processes to inflict damage on infected machines,” BlackBerry and Intezer wrote in a joint blog post.

In other words, instead of being a standalone executable file (that traditionally has to be run to infect a machine), Symbiote is a shared object (SO) library that is loaded into all running processes.

“Once it has infected all the running processes, it provides the threat actor with rootkit functionality, the ability to harvest credentials, and remote access capability,” wrote the researchers.

Additionally, performing live forensics on an infected machine may not reveal any traces of infection since all the files, processes, and network artifacts are automatically hidden by the malware.

From a technical standpoint, Symbiote uses the Berkeley Packet Filter (BPF) hooking functionality to hide malicious network traffic on an infected machine, evading administrators’ attempts to identify and capture suspect packets.

“When an administrator starts any packet capture tool on the infected machine, BPF bytecode is injected into the kernel that defines which packets should be captured,” reads the post.

“In this process, Symbiote adds its bytecode first so it can filter out network traffic that it doesn’t want the packet-capturing software to see.”

However, the researchers said network telemetry could be used to detect anomalous DNS requests.

The group also warned the security community to make sure security tools such as antivirus and endpoint detection and response (EDR) agents are statically linked, so that they cannot be “infected” by userland rootkits.
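One way to act on that recommendation, as an added example that is not from the BlackBerry/Intezer post: the script below inspects an ELF binary's program headers for a PT_INTERP entry, which is present only when the dynamic loader runs (the loader is what processes LD_PRELOAD and /etc/ld.so.preload; the article does not name that mechanism, so treating it as the shared-object injection path is an assumption here), and lists anything already configured in /etc/ld.so.preload. The sample ELF images and preload text are constructed for the demonstration.

```python
import re
import struct
import sys

PT_INTERP = 3  # ELF program header type: path of the dynamic loader (ld.so)

def has_program_interpreter(elf_bytes: bytes) -> bool:
    """True if the ELF image requests a dynamic loader (a PT_INTERP entry).
    Only then does ld.so run and honour LD_PRELOAD / /etc/ld.so.preload, the usual
    route for a shared object into every process. Static-PIE keeps PT_DYNAMIC but
    has no interpreter, so PT_INTERP is the right field to test."""
    if elf_bytes[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    end = "<" if elf_bytes[5] == 1 else ">"        # EI_DATA: 1 = little-endian
    if elf_bytes[4] == 2:                          # EI_CLASS: 2 = ELFCLASS64
        (e_phoff,) = struct.unpack_from(end + "Q", elf_bytes, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf_bytes, 0x36)
    else:                                          # ELFCLASS32 header layout
        (e_phoff,) = struct.unpack_from(end + "I", elf_bytes, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf_bytes, 0x2A)
    for i in range(e_phnum):
        (p_type,) = struct.unpack_from(end + "I", elf_bytes, e_phoff + i * e_phentsize)
        if p_type == PT_INTERP:
            return True
    return False

def preload_entries(text: str) -> list:
    """Entries in /etc/ld.so.preload (glibc syntax: separated by whitespace or
    ':', '#' starts a comment). Normally absent or empty, so any entry is notable."""
    return [tok for line in text.splitlines()
            for tok in re.split(r"[\s:]+", line.split("#", 1)[0]) if tok]

def _constructed_elf64(ph_types) -> bytes:
    """Constructed minimal ELF64 image (header + program headers, not loadable)."""
    phoff, phentsize = 64, 56
    hdr = bytearray(64)
    hdr[:7] = b"\x7fELF\x02\x01\x01"               # magic, ELFCLASS64, LE, EV_CURRENT
    struct.pack_into("<Q", hdr, 0x20, phoff)
    struct.pack_into("<HH", hdr, 0x36, phentsize, len(ph_types))
    return bytes(hdr) + b"".join(struct.pack("<I", t).ljust(phentsize, b"\0") for t in ph_types)

DYNAMIC_SAMPLE = _constructed_elf64([6, 3, 1, 2])   # PT_PHDR, PT_INTERP, PT_LOAD, PT_DYNAMIC
STATIC_SAMPLE = _constructed_elf64([1, 1])          # PT_LOAD entries only

if __name__ == "__main__":  # usage: python3 check_static.py /path/to/edr-agent ...
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, "dynamic (loader present)" if has_program_interpreter(f.read()) else "static")
```

Run it against the agent binaries installed on a host; a "dynamic" result means the binary is reachable by the loader-based injection the article describes, and a non-empty preload list should be explained before the host is trusted.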

Despite only publishing their research this week, the team said it first detected the malware in November 2021 across various financial institutions in Latin America.

This regional attribution is based on the fact that domain names used by the Symbiote malware impersonated some major Brazilian banks.

While BlackBerry and Intezer said they could not confirm the attribution, they did say the malware appeared to be an entirely new threat.

“When we first analyzed the samples with Intezer Analyze, only unique code was detected [...] As no code is shared between Symbiote and Ebury/Windigo or any other known malware, we can confidently conclude that Symbiote is a new, undiscovered Linux malware.”
