Hard-to-detect ‘parasite’ targets Linux operating systems

Cybercrime, Cybercrime as a service, Fraud and cybercrime management

Highly evasive Symbiote can hide itself and other malware after infection

Prajeet Nair (@prajeetspeaks) •
June 10, 2022

Graphic showing Symbiote evasion techniques (Source: BlackBerry Threat Research & Intelligence Team)

A new malware called Symbiote affects Linux operating systems by infecting other running processes to inflict damage on machines, according to Intezer security researcher Joakim Kennedy and the BlackBerry Threat Research and Intelligence team, who jointly conducted the research.


The highly evasive malware, which was detected targeting financial firms in Latin America in November 2021, aims to capture credentials on victims’ systems and to provide threat actors with backdoor access to infected machines, say researchers from BlackBerry and Intezer.

During their investigation, Intezer and Blackberry researchers found domain names used to impersonate major Brazilian banks, implying that the banks or their customers were potential targets.

Malware Features

The malware is not a standalone executable file; it is a shared object library that is loaded into all running processes to infect machines, the researchers explain. Upon successful infection, Symbiote provides rootkit functionality capable of collecting credentials and providing remote access.

It also provides the threat actor with a backdoor to “log in as any user on the machine with a hard-coded password and run commands with highest privileges”, explain the researchers.

Symbiote hides itself after infection, along with other malware used by the threat actor, “making infections very difficult to detect”, they say, adding that the malware, “flying under the radar”, can also hide network activity on infected machines. Researchers from Intezer and BlackBerry say they found no evidence on the infected machines because the malware had hidden all files, processes and network artifacts.

It also stores the harvested credentials locally and exfiltrates them via DNS address record requests to a domain controlled by the threat actor, they say.
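The exfiltration channel described above is also what the researchers later suggest hunting for in network telemetry ("anomalous DNS queries"). The following is an added example, not code from the report, the researchers or the malware: a small detector that reads DNS query log lines (the four-column `timestamp client qname qtype` format and all sample lines are constructed for this example) and flags domains that receive many unique, long, high-entropy or hex-looking subdomain labels, the pattern that encoding stolen data into query names produces. The thresholds and the "last two labels are the registered domain" approximation are assumptions; a production version would use the Public Suffix List and tune the thresholds to the environment.

```python
import math
import re
from collections import defaultdict

# Leftmost labels that are long runs of hex digits are a common sign of
# encoded data being carried in DNS query names.
HEX_LABEL = re.compile(r"^[0-9a-f]{16,}$")

# Constructed sample log (not real telemetry): "<timestamp> <client> <qname> <qtype>".
# The 10.0.0.9 client sends a stream of queries for random hex labels under
# one domain, the way a credential-exfiltration-over-DNS channel looks.
SAMPLE_LOG = """\
2022-06-10T10:00:01Z 10.0.0.5 www.example.com A
2022-06-10T10:00:02Z 10.0.0.5 mail.example.com A
2022-06-10T10:00:03Z 10.0.0.9 8f3a9c1e4b7d2a6f0c5e.exfil.invalid A
2022-06-10T10:00:04Z 10.0.0.9 1b2c3d4e5f60718293a4.exfil.invalid A
2022-06-10T10:00:05Z 10.0.0.9 c0ffee0ddba11deadbeef.exfil.invalid A
2022-06-10T10:00:06Z 10.0.0.9 9e8d7c6b5a4f3e2d1c0b.exfil.invalid A
2022-06-10T10:00:07Z 10.0.0.5 cdn.example.com A
2022-06-10T10:00:08Z 10.0.0.9 0a1b2c3d4e5f6a7b8c9d.exfil.invalid A
"""


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    """Yield (client, qname) pairs; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        yield parts[1], parts[2].lower().rstrip(".")


def split_name(qname):
    """Split a query name into (subdomain, registered_domain).

    Assumption: the last two labels are the registered domain. This is wrong
    for suffixes such as co.uk; use the Public Suffix List in real tooling.
    """
    labels = qname.split(".")
    if len(labels) < 3:
        return None, qname
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def analyze_dns_log(text, min_unique=4, min_entropy=3.0, min_len=16, min_hex_frac=0.8):
    """Per-domain statistics over the unique subdomains seen, plus a verdict."""
    subs = defaultdict(set)
    for _client, qname in parse_log(text):
        sub, domain = split_name(qname)
        if sub is not None:
            subs[domain].add(sub)

    report = {}
    for domain, names in subs.items():
        leftmost = [s.split(".")[0] for s in names]
        mean_len = sum(len(l) for l in leftmost) / len(leftmost)
        mean_ent = sum(shannon_entropy(l) for l in leftmost) / len(leftmost)
        hex_frac = sum(1 for l in leftmost if HEX_LABEL.match(l)) / len(leftmost)
        # A domain is only interesting once it has accumulated enough distinct
        # subdomains; then any one of the encoding indicators is enough.
        suspicious = len(names) >= min_unique and (
            mean_ent >= min_entropy or hex_frac >= min_hex_frac or mean_len >= min_len
        )
        report[domain] = {
            "unique_subdomains": len(names),
            "mean_label_length": round(mean_len, 2),
            "mean_label_entropy": round(mean_ent, 2),
            "hex_label_fraction": round(hex_frac, 2),
            "suspicious": suspicious,
        }
    return report


def suspicious_domains(text, **thresholds):
    """Sorted list of domains the heuristics flag."""
    return sorted(d for d, r in analyze_dns_log(text, **thresholds).items() if r["suspicious"])


if __name__ == "__main__":
    for domain, stats in analyze_dns_log(SAMPLE_LOG).items():
        print(domain, stats)
```

Running the block against the constructed sample flags only `exfil.invalid`; the ordinary `www`, `mail` and `cdn` labels under `example.com` stay well below every threshold. A useful extension is to keep the per-client view, since a single host querying hundreds of never-repeated subdomains is a stronger signal than the same volume spread across the fleet.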

Although not unique among Linux malware, Symbiote has a feature for hooking the Berkeley Packet Filter (BPF), the kernel packet-filtering mechanism used by packet capture and intrusion detection tools. The researchers don’t detail the benefit of this feature in general, but they do explain how Symbiote uses it.

“An advanced backdoor attributed to the Equation group uses BPF for secret communication. However, Symbiote uses BPF to hide malicious network traffic on an infected machine,” the researchers explain. “When an administrator starts a packet capture tool on the infected machine, the BPF bytecode is injected into the kernel which defines the packets to be captured. In this process, Symbiote first adds its bytecode so that it can filter network traffic which it doesn’t want the packet capture software to see.”

Although detection is difficult, the researchers say companies can use network telemetry to “detect anomalous DNS queries.” They add that security tools, including antivirus and endpoint detection and response solutions, should be “statically linked to ensure they are not infected with userspace rootkits [used by Symbiote].”
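The second recommendation is easy to verify on a host. A shared-object rootkit can only ride into a process that asks the kernel for the dynamic loader, and an ELF binary asks for it through a `PT_INTERP` program header. The following is an added example, not code from the report or its authors: a parser that reads the ELF header and program headers of a binary and reports whether the dynamic loader is involved at all. The `build_minimal_elf64` helper is a constructed test fixture (it emits a header plus program headers, not a loadable program) so the block runs offline; the `check_path` function is the one to point at a real tool's binary.

```python
import struct

# Program header types from the ELF specification.
PT_LOAD = 1
PT_DYNAMIC = 2
PT_INTERP = 3


def elf_program_header_types(data):
    """Return the p_type of every program header in an ELF image given as bytes."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    end = "<" if ei_data == 1 else ">"   # 1 = little-endian, 2 = big-endian
    if ei_class == 2:                    # ELF64: e_phoff at 0x20, e_phentsize/e_phnum at 0x36
        (e_phoff,) = struct.unpack_from(end + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36)
    elif ei_class == 1:                  # ELF32: e_phoff at 0x1C, e_phentsize/e_phnum at 0x2A
        (e_phoff,) = struct.unpack_from(end + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x2A)
    else:
        raise ValueError("unknown ELF class %d" % ei_class)

    types = []
    for i in range(e_phnum):
        # p_type is the first 32-bit field of a program header in both classes.
        (p_type,) = struct.unpack_from(end + "I", data, e_phoff + i * e_phentsize)
        types.append(p_type)
    return types


def needs_dynamic_loader(data):
    """True if the binary requests an interpreter (ld.so), i.e. it is dynamically linked.

    A static-pie binary carries PT_DYNAMIC for self-relocation but no PT_INTERP,
    so it is correctly reported as not needing the loader: no ld.so runs, and a
    preloaded shared object has no way into the process.
    """
    return PT_INTERP in elf_program_header_types(data)


def check_path(path):
    """Read a binary from disk and report whether it depends on the dynamic loader."""
    with open(path, "rb") as fh:
        return needs_dynamic_loader(fh.read())


def build_minimal_elf64(phdr_types):
    """Constructed fixture: a little-endian ELF64 header followed by one empty
    program header per requested type. Only the fields the parser reads are set."""
    phoff, phentsize = 64, 56
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # ELF64, LE, version 1
    header = ident + struct.pack(
        "<HHIQQQIHHHHHH",
        2,          # e_type: ET_EXEC
        62,         # e_machine: x86-64
        1,          # e_version
        0,          # e_entry
        phoff,      # e_phoff
        0,          # e_shoff
        0,          # e_flags
        64,         # e_ehsize
        phentsize,  # e_phentsize
        len(phdr_types),  # e_phnum
        0, 0, 0,    # e_shentsize, e_shnum, e_shstrndx
    )
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 0, 0, 0, 0, 0, 0, 0) for t in phdr_types)
    return header + phdrs


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        verdict = "dynamic (uses ld.so)" if check_path(path) else "static (no interpreter)"
        print(path, verdict)
```

Invoke it as `python3 check_static.py /path/to/edr-agent` for each security tool you rely on. A verdict of "dynamic" means the process starts through the dynamic loader and is therefore exposed to any shared object that the loader is configured to inject, which is exactly the class of userspace rootkit the researchers warn about.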
