New Linux Malware 'Nearly Impossible to Detect'

A new malware variant attacking Linux systems that steals credentials and allows for remote access to victim machines camouflages so well that the researchers studying it say they can’t conclude if it’s being used in targeted or larger-scale attack campaigns.

Security researchers from Intezer and BlackBerry’s Research & Intelligence Team say the so-called Symbiote malware is unusual in that it’s not a pure executable file: it’s actually a shared object library that gets loaded into a machine’s running processes through Linux’s LD_PRELOAD mechanism. “Once it has infected all the running processes, it provides the threat actor with rootkit functionality, the ability to harvest credentials, and remote access capability,” the researchers wrote in a blog post this week.

Symbiote was first sighted in November of 2021, they said, and at the time appeared to be created for attacking financial institutions in Latin America.

“Once the malware has infected a machine, it hides itself and any other malware used by the threat actor, making infections very hard to detect. Performing live forensics on an infected machine may not turn anything up since all the files, processes, and network artifacts are hidden by the malware. In addition to the rootkit capability, the malware provides a backdoor for the threat actor to log in as any user on the machine with a hardcoded password, and to execute commands with the highest privileges,” the researchers wrote.

While detecting the rootkit is a major challenge, the researchers said organizations should watch for anomalous DNS requests. Relying on antivirus and endpoint detection and response tools to catch it, however, may be futile: because the rootkit is embedded in userland, it can compromise those tools themselves, the researchers warned.
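As an added illustration of what a defender can check for an LD_PRELOAD-based userland implant like the one described above (this is example code, not from the researchers or the article), the script below inspects the three places such a library leaves a trace: /etc/ld.so.preload, LD_PRELOAD in a process's environment, and shared objects mapped into a process from outside the standard library directories. The sample preload file, environment blob and maps text are constructed stand-ins for the real /etc and /proc data; because the checks themselves go through libc, a userland rootkit that hooks file and process enumeration can blind them, so they are most trustworthy when run from a trusted boot medium or against an offline disk image.

```python
import re

# Heuristic allow-list: where the dynamic linker normally finds system libraries.
# A malicious .so can be dropped here too, so an empty result is not proof of a clean host.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")

def preload_file_entries(text):
    """Shared objects listed in /etc/ld.so.preload; the file is normally absent or empty."""
    entries = []
    for line in text.splitlines():
        path = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if path:
            entries.append(path)
    return entries

def env_preload_entries(environ):
    """LD_PRELOAD paths from a /proc/<pid>/environ blob (NUL-separated KEY=VALUE pairs)."""
    for entry in environ.split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            value = entry[len(b"LD_PRELOAD="):].decode("utf-8", "replace")
            return [p for p in re.split(r"[:\s]+", value) if p]  # ld.so accepts ':' or space
    return []

def untrusted_mapped_libs(maps):
    """Shared objects in /proc/<pid>/maps that live outside TRUSTED_LIB_DIRS."""
    suspicious = set()
    for line in maps.splitlines():
        fields = line.split(None, 5)  # anonymous mappings have only 5 fields
        if len(fields) == 6 and ".so" in fields[5] and not fields[5].startswith(TRUSTED_LIB_DIRS):
            suspicious.add(fields[5])
    return suspicious

def scan(preload_text, procs):
    """Run all three checks; procs maps pid -> (environ bytes, maps text)."""
    report = {"ld_so_preload": preload_file_entries(preload_text), "env_preload": {}, "untrusted_libs": {}}
    for pid, (environ, maps) in procs.items():
        if env_preload_entries(environ):
            report["env_preload"][pid] = env_preload_entries(environ)
        if untrusted_mapped_libs(maps):
            report["untrusted_libs"][pid] = sorted(untrusted_mapped_libs(maps))
    return report

# Constructed sample data standing in for /etc/ld.so.preload and two /proc/<pid> entries.
SAMPLE_PRELOAD = "# constructed sample\n/tmp/libsample_preload.so\n"
SAMPLE_PROCS = {
    1234: (b"PATH=/usr/bin\0LD_PRELOAD=/tmp/libsample_preload.so\0HOME=/root\0",
           "7f00-7f01 r-xp 00000000 08:01 1 /usr/lib/x86_64-linux-gnu/libc.so.6\n"
           "7f02-7f03 r-xp 00000000 08:01 2 /tmp/libsample_preload.so\n"),
    5678: (b"PATH=/usr/bin\0HOME=/home/user\0",
           "7f00-7f01 r-xp 00000000 08:01 1 /usr/lib/x86_64-linux-gnu/libc.so.6\n"),
}

if __name__ == "__main__":
    print(scan(SAMPLE_PRELOAD, SAMPLE_PROCS))
```

On a live host the same functions can be fed the contents of /etc/ld.so.preload and each /proc/<pid>/environ and /proc/<pid>/maps; any non-empty result is worth a closer look, since none of these indicators appears on a normally configured system.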
