Symbiote: New Super Stealthy Malware Infects Linux Systems

This Thursday, cybersecurity researchers from Intezer and BlackBerry Threat Research & Intelligence reported the discovery of a new malware, dubbed Symbiote due to its “parasitic nature”. It targets Linux systems, infecting all running processes, and steals account credentials to provide backdoor access. Malware operators can get SSH access to the machine via PAM services and gain root privileges on the system.  

The joint team discovered Symbiote several months ago. This malware is not a typical executable but a shared object (SO) library. It is loaded into running processes with LD_PRELOAD, granting it priority over other SOs. This strongly differentiates Symbiote from other Linux malware, which typically attempts to compromise running processes. “Since the malware operates as a user-land level rootkit, detecting an infection may be difficult,” one researcher noted.

The first sample of Symbiote is dated November 2021 and was most likely developed to attack financial institutions in Latin America. Given its stealthy nature, there is a high likelihood that the malware has been used elsewhere as well.

Symbiote has some specific features. In particular, it is impressively stealthy. Symbiote relies on the Berkeley Packet Filter (BPF): it injects itself into the process of inspection software and uses BPF to conceal results that might reveal it. Because it loads before other dynamic objects, it can intercept functions in libc and libpcap to hide its presence. Connection entries are constantly scrubbed, and linked files are hidden. Last month we wrote about another malware that uses BPF, called BPFDoor. However, Symbiote is new, as the researchers concluded after thoroughly studying its code.

As noted, Symbiote is difficult to detect, but some hints are available. One can use network telemetry to see anomalous DNS requests. Also, experts recommend that security tools be statically linked to prevent infection by user-land rootkits.
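The two points above, loading via LD_PRELOAD and the advice to link security tools statically, combined in an added example (not code from Intezer, BlackBerry or this article): a small C scanner, meant to be built with `cc -static`, that reports processes started with LD_PRELOAD set. The function names `find_preload` and `check_pid` are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <dirent.h>
#include <stdio.h>
#include <string.h>

/* Scan a NUL-separated environment block (the /proc/<pid>/environ format)
 * for LD_PRELOAD. Returns 1 and copies the value into out if it is set. */
int find_preload(const char *env, size_t len, char *out, size_t outsz)
{
    static const char key[] = "LD_PRELOAD=";
    const size_t klen = sizeof key - 1;
    for (size_t i = 0; i < len; ) {
        const char *nul = memchr(env + i, '\0', len - i);
        size_t n = nul ? (size_t)(nul - (env + i)) : len - i; /* entry length */
        if (n > klen && memcmp(env + i, key, klen) == 0) {
            snprintf(out, outsz, "%.*s", (int)(n - klen), env + i + klen);
            return 1;
        }
        i += n + 1;                      /* skip this entry and its NUL */
    }
    return 0;
}

/* Check one process: 1 = preload set, 0 = clean, -1 = environ unreadable.
 * environ holds the environment the process was started with. */
int check_pid(const char *pid)
{
    char path[64], env[65536], val[4096];
    snprintf(path, sizeof path, "/proc/%s/environ", pid);
    FILE *f = fopen(path, "rb");
    if (!f) return -1;                   /* no permission, or process exited */
    size_t len = fread(env, 1, sizeof env, f);
    fclose(f);
    if (!find_preload(env, len, val, sizeof val)) return 0;
    printf("pid %s: LD_PRELOAD=%s\n", pid, val);
    return 1;
}

int main(void)
{
    DIR *d = opendir("/proc");
    struct dirent *e;
    int hits = 0;
    if (!d) { perror("/proc"); return 2; }
    while ((e = readdir(d)) != NULL)     /* numeric directory names are PIDs */
        if (isdigit((unsigned char)e->d_name[0]) && check_pid(e->d_name) == 1)
            hits++;
    closedir(d);
    return hits ? 1 : 0;
}
```

Run it as root so every process's environ is readable. A clean result only rules out the environment-variable route, since the dynamic loader also honours /etc/ld.so.preload.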
