Cybersecurity researchers have removed the wrappers from what they call a “near impossible to detect” Linux malware that could be used as a weapon to create backdoors for infected systems.
The stealthy malware, called Symbiote by the firms BlackBerry and Intezer, is so named because of its ability to hide itself in running processes and network traffic and save a victim’s resources as a parasite†
The operators behind Symbiote are believed to have begun development of the malware in November 2021, with the threat actor primarily using it to target the financial sector in Latin America, including banks such as Banco do Brasil and Caixa.
“Symbiote’s main purpose is to retrieve credentials and facilitate backdoor access to a victim’s machine,” researchers Joakim Kennedy and Ismael Valenzuela said in a statement. report shared with The Hacker News. “What makes Symbiote different from other Linux malware is that it infects running processes instead of using a standalone executable to do damage.”
It achieves this by using a native Linux function called LD_PRELOAD — a method previously used by malware such as Pro-Ocean and Facefish — to be loaded by the dynamic linker in all running processes and infect the host.
In addition to hiding its presence on the file system, Symbiote is also able to camouflage its network traffic by using the extended Berkeley Packet Filter (eBPF) feature. This is done by injecting itself into the process of an inspection software and using BPF to filter out results that would reveal its activity.
By hijacking all running processes, Symbiote enables the rootkit functionality to further hide evidence of its existence and provides a backdoor for the threat actor to log into the machine and execute privileged commands. It has also been observed that logged credentials are stored encrypted in files masquerading as: C cup files.
This isn’t the first time malware with similar capabilities has been spotted in the wild. In February 2014, ESET unveiled a Linux backdoor called Ebury which is built to steal OpenSSH credentials and keep access to a compromised server.
Plus, the reveal comes nearly a month after details emerged about an elusive Linux-based… passive implant called BPFBy which loads a Berkeley Packet Filter (BPF) sniffer to monitor network traffic and launch a bind shell while bypassing firewall protections.
“Because the malware acts as a user country rootkit, detecting an infection can be difficult,” the researchers concluded. “Network telemetry can be used to detect anomalous DNS requests, and security tools such as AVs and EDRs must be statically linked to ensure they are not ‘infected’ by user rootkits.”