Share news article

Share on facebook
Share on twitter
Share on linkedin
Share on email

Symbiote: A Stealthy Linux Malware Targeting Latin American Financial Sector

Cybersecurity researchers have taken the wraps off what they call a “nearly-impossible-to-detect” Linux malware that could be weaponized to backdoor infected systems.

Dubbed Symbiote by threat intelligence firms BlackBerry and Intezer, the stealthy malware is so named for its ability to conceal itself within running processes and network traffic and drain a victim’s resources like a parasite.

The operators behind Symbiote are believed to have commenced development on the malware in November 2021, with the threat actor predominantly using it to target the financial sector in Latin America, including banks like Banco do Brasil and Caixa, based on the domain names used.

“Symbiote’s main objective is to capture credentials and to facilitate backdoor access to a victim’s machine,” researchers Joakim Kennedy and Ismael Valenzuela said in a report shared with The Hacker News. “What makes Symbiote different from other Linux malware is that it infects running processes rather than using a standalone executable file to inflict damage.”

It achieves this by leveraging a native Linux feature called LD_PRELOAD — a method previously employed by malware such as Pro-Ocean and Facefish — so as to be loaded by the dynamic linker into all running processes and infect the host.

Besides hiding its presence on the file system, Symbiote is also capable of cloaking its network traffic by making use of the extended Berkeley Packet Filter (eBPF) feature. This is carried out by injecting itself into an inspection software’s process and using BPF to filter out results that would uncover its activity.

Upon hijacking all running processes, Symbiote enables rootkit functionality to further hide evidence of its existence and provides a backdoor for the threat actor to log in to the machine and execute privileged commands. It has also been observed storing captured credentials encrypted in files masquerading as C header files.

This is not the first time a malware with similar capabilities has been spotted in the wild. In February 2014, ESET revealed a Linux backdoor called Ebury that’s built to steal OpenSSH credentials and maintain access to a compromised server.

Furthermore, the disclosure arrives nearly a month after details emerged about an evasive Linux-based passive implant called BPFDoor that loads a Berkeley Packet Filter (BPF) sniffer to monitor network traffic and initiate a bind shell while bypassing firewall protections.

“Since the malware operates as a user-land level rootkit, detecting an infection may be difficult,” the researchers concluded. “Network telemetry can be used to detect anomalous DNS requests and security tools such as AVs and EDRs should be statically linked to ensure they are not ‘infected’ by userland rootkits.”

Found this article interesting? Follow THN on Facebook, Twitter and LinkedIn to read more exclusive content we post.

Related News

Hackers using USB drives to spread malware in ongoing attack

Hackers using USB drives to spread malware in ongoing attack

According to a recent post by the cybersecurity firm Mandiant, USB drives are being used to hack targets in Southeast…
AI-Powered Smart Glasses Give Deaf People the Power of Speech

AI-Powered Smart Glasses Give Deaf People the Power of Speech

In a recent example of innovative technology making a positive difference, there is now new artificial intelligence (AI) powered smart…
16,000+ Scam Domains Aimed at FIFA World Cup Fans in Qatar

16,000+ Scam Domains Aimed at FIFA World Cup Fans in Qatar

Seeing as scammers readily jump to capitalize on events with huge global interest, it comes as no surprise that Group-IB…