Symbiote: New Super Stealthy Malware Infects Linux Systems

This Thursday, cybersecurity researchers from Intezer and BlackBerry Threat Research & Intelligence reported the discovery of a new malware, dubbed Symbiote due to its “parasitic nature”. It targets Linux systems, infecting all running processes, and steals account credentials to provide backdoor access. Malware operators can get SSH access to the machine via PAM services and gain root privileges on the system.  

The joint team discovered Symbiote several months ago. The malware is not a typical executable but a shared object (SO) library. It is loaded into running processes via LD_PRELOAD, which gives it priority over other SOs. This sets Symbiote apart from most other Linux malware, which typically runs as a standalone executable rather than injecting itself into already running processes. “Since the malware operates as a user-land level rootkit, detecting an infection may be difficult,” one researcher noted.

The first sample of Symbiote is dated November 2021 and was most likely developed to attack financial institutions in Latin America. Given its stealthy nature, there is a high likelihood that the malware has been deployed elsewhere as well.

Symbiote has several notable features, the most striking being its stealth. It uses the Berkeley Packet Filter (BPF): when packet-inspection software is started on an infected host, Symbiote injects itself into that process and uses BPF to filter out results that might reveal its presence. Because it is loaded before other dynamic objects, it can hook functions in libc and libpcap to hide itself. Network connection entries are constantly scrubbed, and the files linked to the malware are hidden. Last month we wrote about another malware that uses BPF, BPFDoor; after a thorough code study, however, the researchers concluded that Symbiote is a new and distinct family.

As noted, Symbiote is difficult to detect, but some hints are available. Network telemetry can reveal anomalous DNS requests. Experts also recommend that security tools be statically linked, so that a user-land rootkit loaded via LD_PRELOAD cannot hook them.
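A concrete check that follows this advice, added here as an example and not taken from the article or from the Intezer/BlackBerry researchers: a small C program that lists any entries in /etc/ld.so.preload and reports every process whose environment carries LD_PRELOAD. Build it with `gcc -static -O2 -o preload-check preload-check.c` (file and binary names are assumptions) so that its own libc calls cannot be hooked by a preloaded object.

```c
#include <stdio.h>
#include <string.h>
#include <dirent.h>

/* Count non-empty, non-comment lines of /etc/ld.so.preload-style text.
   A clean host normally has no such file, so any entry merits review. */
int count_preload_entries(const char *text) {
    int n = 0;
    for (const char *p = text; *p; ) {
        while (*p == ' ' || *p == '\t') p++;
        if (*p && *p != '\n' && *p != '#') n++;           /* a library path */
        while (*p && *p != '\n') p++;
        if (*p == '\n') p++;
    }
    return n;
}

/* Scan a /proc/<pid>/environ buffer (NUL-separated KEY=VALUE strings) for
   LD_PRELOAD; copy its value into out and return 1 if found, else 0. */
int find_ld_preload(const char *env, size_t len, char *out, size_t outlen) {
    for (size_t i = 0; i < len; ) {
        const char *kv = env + i, *z = memchr(kv, '\0', len - i);
        size_t kvlen = z ? (size_t)(z - kv) : len - i;
        if (kvlen > 11 && memcmp(kv, "LD_PRELOAD=", 11) == 0) {
            snprintf(out, outlen, "%.*s", (int)(kvlen - 11), kv + 11);
            return 1;
        }
        i += kvlen + 1;                               /* skip the NUL */
    }
    return 0;
}

static long read_file(const char *path, char *buf, size_t cap) { /* NUL-terminates buf; -1 on error */
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    size_t n = fread(buf, 1, cap - 1, f);
    fclose(f); buf[n] = '\0';
    return (long)n;
}

int main(void) {
    static char buf[1 << 16], val[4096], path[64];
    if (read_file("/etc/ld.so.preload", buf, sizeof buf) > 0)
        printf("/etc/ld.so.preload: %d entries\n%s", count_preload_entries(buf), buf);
    DIR *d = opendir("/proc");                     /* numeric entries are pids */
    for (struct dirent *e; d && (e = readdir(d)) != NULL; ) {
        if (e->d_name[0] < '0' || e->d_name[0] > '9') continue;
        snprintf(path, sizeof path, "/proc/%s/environ", e->d_name);
        long n = read_file(path, buf, sizeof buf);
        if (n > 0 && find_ld_preload(buf, (size_t)n, val, sizeof val))
            printf("pid %s: LD_PRELOAD=%s\n", e->d_name, val);
    }
    if (d) closedir(d);
    return 0;
}
```

Run it as root so that every /proc/<pid>/environ is readable. An empty result is not proof of a clean host, since an implant that hides its own files can also tamper with what a dynamically linked shell shows you, so cross-check with network telemetry collected outside the host.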

Ransomware Wreaks Havoc in Palermo

The municipality of Palermo, a city in Southern Italy, has been the victim of a massive cyberattack likely involving ransomware. 

Palermo is populated by about 1.3 million people and welcomes more than 2 million tourists annually. All of them have been seriously affected by this attack, which hit a broad range of digital services delivered daily to citizens and guests of the city. The public video surveillance system, police operation center, and all municipality services went offline and could not be restored for several days despite efforts by relevant IT teams.

Currently all municipal digital services are unavailable, and public offices can only be reached by fax machine, inspiring memories of the previous century. Online ticket bookings for museums, theatres, and sports events are also unavailable, a major issue for a city reliant on tourism income. Worse still, the “limited traffic zone card” service was also hit, dramatically adding to the inconvenience, since both locals and visitors need the card to enter the historic city center.

The pro-Russian hacker group Killnet has recently threatened Italy with cyberattacks and was mentioned in the context of the Palermo incident. However, Killnet's typical weapon is DDoS, whereas Palermo's public services were reportedly hit with ransomware.

The councillor for innovation in Palermo has stated that all systems have been shut down and isolated from the network. This is the recommended response in such cases, as it prevents the malware from spreading. However, the warning that the outage would last a while suggests that the municipality's backup and restore policy deserves close scrutiny once the consequences of the incident have been dealt with.

Analysis of such successful cyberattacks underscores how critical a reliable backup and restore program is for any organization that provides essential public or business services. It should be designed and implemented by a recognized cybersecurity consultancy and service provider.

Microsoft has issued CVE for the “Follina” Zero-day vulnerability

Cybersecurity experts are raising the alarm about a Zero-day remote code execution vulnerability in Microsoft Office, which has been dubbed “Follina”. It surfaced after the nao_sec team came across the Word file 05-2022-0438.doc, which had been submitted to VirusTotal from a Belarusian IP address.

This vulnerability allows an attacker to run arbitrary code with the privileges of the calling application: the Microsoft Support Diagnostic Tool (MSDT) is invoked through its URL protocol from an application such as Microsoft Word. The attacker can then install programs, view, change, or delete data, or create new accounts, as far as the user’s rights allow. The biggest problem is that Word triggers the code through MSDT even when macros are disabled. This has been demonstrated despite Microsoft's claim that Protected View or Application Guard would prevent the current attack.

This vulnerability affects all supported Windows versions and several Office versions, including Office 2013, 2016, and 2021. Unfortunately, no patch is available yet, and malicious files delivered through email or other initial access methods do not trigger an antivirus/EDR response. Microsoft's interim mitigations consist of a Defender for Endpoint attack surface reduction rule and Defender Antivirus build 1.367.719.0 or newer.

It is reported that the following Microsoft 365 Defender alerts might indicate exploitation of this vulnerability: “Suspicious behavior by an Office application” and “Suspicious behavior by Msdt.exe”.

We are now waiting for immediate action from the security vendors. In the meantime, proof-of-concept (PoC) code samples, already publicly available on GitHub, can be used to identify exposure and respond to the threat promptly.

Stay with Soteryan for timely and actionable advice on malware, Zero-day vulnerabilities, and more cybersecurity expertise from your reliable partner.